VYPR
Advisory · Published Apr 6, 2026 · Updated May 18, 2026 · 1 source

Zero-Day Disclosed in Labcenter Electronics Proteus: No Patch Available for End-of-Life Software

A zero-day vulnerability (CVE-2026-5494) in Labcenter Electronics Proteus allows remote code execution via malicious PDSPRJ files, but the vendor has declared the product end-of-life and will not issue a patch.

A zero-day vulnerability has been disclosed in Labcenter Electronics Proteus, a widely used electronic design automation (EDA) tool. Tracked as CVE-2026-5494 and assigned a CVSS score of 7.8 (High severity, not Critical), the flaw is an out-of-bounds write in the parsing of PDSPRJ project files. Exploitation requires user interaction: the victim must open a malicious PDSPRJ file, or be lured to a webpage that delivers one, after which the attacker's code runs with the privileges of the Proteus process, i.e. as the logged-in user.

The vulnerability was discovered by researcher Andrea Micalizzi (aka rgod) and reported to the Zero Day Initiative (ZDI) on April 14, 2025. ZDI coordinated with Labcenter Electronics, but on October 16, 2025, the vendor communicated that the software and installer were no longer in production. Despite ZDI's requests for an end-of-life announcement, no official statement was provided, and the vendor indicated that no patch would be released. As a result, ZDI published the advisory as a zero-day on April 6, 2026.

The technical root cause is a lack of proper validation of user-supplied data during PDSPRJ file processing: a length or offset read from the file is trusted without being checked against the size of the destination buffer, so the parser writes past the end of an allocated buffer, corrupting adjacent memory and potentially executing arbitrary code. The bug belongs to the out-of-bounds write class (CWE-787), a well-understood but still dangerous category of memory corruption, especially in legacy software that is no longer maintained and is unlikely to have been built with modern hardening.
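To make the bug class concrete, the following is an added example, not code from ZDI, Labcenter, or Proteus. The record layout it parses (a 16-bit little-endian length followed by that many bytes of name) is a constructed stand-in for a length-prefixed field in a project file and is not the real PDSPRJ format. The vulnerable parser trusts the file's length field exactly as the advisory describes; the hardened one bounds it against both the input remaining and the destination buffer. A canary-filled trailer after the name field shows the overflow landing in neighbouring memory.

```c
/*
 * Added example: trusted length field -> out-of-bounds write (CWE-787),
 * and the bounds-checked fix. The record format here is invented for
 * illustration and is NOT the Labcenter PDSPRJ format.
 *
 * Record (constructed): uint16_t len (little-endian), then len bytes of name.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX 32
#define CANARY   0xA5

/* In-memory slot the parser fills. The trailer stands in for whatever a real
 * program keeps after the name (lengths, pointers, vtables); it is filled with
 * a known pattern so an overflow into it can be detected. */
typedef struct {
    uint8_t name[NAME_MAX];
    uint8_t trailer[32];
} record_t;

static void record_init(record_t *r) {
    memset(r->name, 0, sizeof r->name);
    memset(r->trailer, CANARY, sizeof r->trailer);
}

/* 1 if the trailer still holds the canary pattern, 0 if it was overwritten. */
int record_intact(const record_t *r) {
    for (size_t i = 0; i < sizeof r->trailer; i++)
        if (r->trailer[i] != CANARY) return 0;
    return 1;
}

static uint16_t rd_u16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable: the length comes straight from the file and is never compared
 * with the size of dst (or with the bytes actually available in the input).
 * dst is an opaque pointer, as in a real parser, so the compiler cannot help. */
int parse_name_vulnerable(const uint8_t *in, size_t in_len, uint8_t *dst) {
    if (in_len < 2) return -1;
    uint16_t len = rd_u16le(in);
    memcpy(dst, in + 2, len);            /* len may exceed NAME_MAX: OOB write */
    return (int)len;
}

/* Hardened: reject any length that would read past the input or write past
 * the destination before touching memory. */
int parse_name_hardened(const uint8_t *in, size_t in_len, uint8_t *dst, size_t dst_len) {
    if (in_len < 2) return -1;
    uint16_t len = rd_u16le(in);
    if (len > in_len - 2) return -1;     /* truncated/short file: would over-read */
    if (len > dst_len) return -1;        /* over-long field: would over-write */
    memcpy(dst, in + 2, len);
    return (int)len;
}

/* Build a constructed record into out; returns bytes written or 0 on error. */
static size_t build_record(uint8_t *out, size_t out_len, uint16_t len, uint8_t fill) {
    if (out_len < (size_t)2 + len) return 0;
    out[0] = (uint8_t)(len & 0xFF);
    out[1] = (uint8_t)(len >> 8);
    memset(out + 2, fill, len);
    return 2 + len;
}

/* Feed a 40-byte name (NAME_MAX is 32) to the vulnerable parser.
 * Returns 1 if the trailer was clobbered, i.e. the overflow happened. */
int vulnerable_corrupts_trailer(void) {
    uint8_t file[2 + 40];
    size_t n = build_record(file, sizeof file, 40, 'A');
    record_t r; record_init(&r);
    parse_name_vulnerable(file, n, r.name);
    return !record_intact(&r);
}

/* Same over-long record through the hardened parser: 1 if rejected and intact. */
int hardened_rejects_overlong(void) {
    uint8_t file[2 + 40];
    size_t n = build_record(file, sizeof file, 40, 'A');
    record_t r; record_init(&r);
    int rc = parse_name_hardened(file, n, r.name, sizeof r.name);
    return rc == -1 && record_intact(&r);
}

/* Length field claims 40 bytes but only 10 bytes of file are present. */
int hardened_rejects_truncated(void) {
    uint8_t file[2 + 40];
    build_record(file, sizeof file, 40, 'A');
    uint8_t name[NAME_MAX];
    return parse_name_hardened(file, 10, name, sizeof name) == -1;
}

/* Well-formed 5-byte name: hardened parser returns the length it copied. */
int hardened_accepts_valid(void) {
    uint8_t file[2 + 5];
    size_t n = build_record(file, sizeof file, 5, 'B');
    uint8_t name[NAME_MAX];
    return parse_name_hardened(file, n, name, sizeof name);
}

int main(void) {
    printf("vulnerable parser corrupted trailer: %d\n", vulnerable_corrupts_trailer());
    printf("hardened parser rejected over-long:  %d\n", hardened_rejects_overlong());
    printf("hardened parser rejected truncated:  %d\n", hardened_rejects_truncated());
    printf("hardened parser accepted valid (5):  %d\n", hardened_accepts_valid());
    return 0;
}
```

The two checks in `parse_name_hardened` are the whole fix: every length or offset taken from the file is validated against the bytes remaining in the input and the capacity of the destination before any copy. In an end-of-life product there is nobody to add those checks, which is why the only remaining control is keeping untrusted PDSPRJ files away from the parser.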

Proteus is used by engineers and hobbyists for circuit simulation and PCB design, particularly in educational and small-scale industrial settings. While the exact number of active installations is unknown, the software has a long history and remains in use on many legacy systems. Because the product is end-of-life, no security updates will be issued, leaving all versions vulnerable.

ZDI's advisory includes a single mitigation: restrict interaction with the product. For organizations that rely on Proteus, this means limiting who can run it, treating PDSPRJ files that arrive by email, download, or shared drive from unknown parties as untrusted and not opening them, and planning a migration to supported alternatives. Because the exploit runs with the privileges of the user who opened the file, running Proteus under a low-privilege account, in a virtual machine, or in a sandbox limits what a successful attack can reach, but it does not prevent the memory corruption itself.

This disclosure highlights a growing problem in the cybersecurity landscape: end-of-life software that remains in active use. As vendors discontinue support for older products, vulnerabilities discovered later will never be patched, creating a permanent attack surface. Users are strongly advised to inventory their software dependencies and phase out unsupported tools where possible.

The advisory was credited to Andrea Micalizzi (rgod) and published by ZDI under ID ZDI-26-256. No evidence of active exploitation has been reported at the time of disclosure, but the public availability of technical details increases the likelihood of weaponization.

Synthesized by Vypr AI