CISA Warns of Three Critical Vulnerabilities in Labcenter Proteus 9
CISA has issued an advisory detailing three critical vulnerabilities in Labcenter Proteus 9, an industrial control system software, that could allow for information disclosure and arbitrary code execution.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory highlighting three significant vulnerabilities affecting Labcenter Proteus 9, a widely used software for industrial control systems and circuit design.
These vulnerabilities, identified as CVE-2026-42953 (Out-of-bounds Write), CVE-2026-49033 (Stack-based Buffer Overflow), and CVE-2026-42958 (Use After Free), pose a serious risk to organizations operating in critical infrastructure sectors. Successful exploitation could lead to the disclosure of sensitive information and, more critically, allow a malicious actor to execute arbitrary code on affected systems.
The affected version is specifically Labcenter Proteus 9.1 SP4 Build 42914. The software is deployed globally across various critical sectors, including Communications, Critical Manufacturing, Defense Industrial Base, Energy, Healthcare and Public Health, Transportation Systems, and Water and Wastewater.
CVE-2026-42953, an out-of-bounds write vulnerability, allows an attacker to write data beyond the boundaries of an allocated memory buffer. This memory corruption can be leveraged to achieve arbitrary code execution. Similarly, CVE-2026-49033, a stack-based buffer overflow, can be exploited by an attacker to overwrite critical data on the stack, leading to code execution. The third vulnerability, CVE-2026-42958, is a use-after-free flaw, which occurs when a program attempts to access memory after it has been freed, potentially leading to memory corruption and arbitrary code execution within the context of the current process.
All three vulnerabilities have received a HIGH severity rating, with CVSS v3.1 scores of 7.8 and CVSS v4.0 scores of 8.4. The attack vector for these vulnerabilities is often local, requiring some level of user interaction or specific conditions to be met, but the potential impact on confidentiality, integrity, and availability is substantial.
Labcenter Electronics, the vendor, has released a patch and recommends that all users update to the latest version, Proteus 9.2 SPO. Users can verify their current version by checking the bottom left of the Proteus home page or via the 'About ISIS' or 'About ARES' options in the Help menu. Update notifications are also available within the software's home page.
CISA strongly advises organizations to implement defensive measures to minimize the risk of exploitation. These include minimizing network exposure for all control system devices, ensuring they are not accessible from the internet, and locating control system networks behind firewalls and isolating them from business networks. When remote access is necessary, secure methods like VPNs should be utilized, ensuring they are kept up-to-date.
Organizations are encouraged to perform thorough impact analyses and risk assessments before deploying any defensive measures. CISA also points to its extensive resources on industrial control systems cybersecurity, including best practices and technical information papers, to help bolster defenses against such threats.