VYPR
Advisory · Published Apr 6, 2026 · Updated May 18, 2026 · 1 source

Zero-Day in Labcenter Electronics Proteus Allows Remote Code Execution via Malicious PDSPRJ Files

A type confusion vulnerability in Labcenter Electronics Proteus, tracked as CVE-2026-5496, allows remote code execution when users open malicious PDSPRJ files, and the vendor has confirmed the software is end-of-life with no patch available.

A zero-day vulnerability in Labcenter Electronics Proteus, a legacy electronic design automation (EDA) suite, has been publicly disclosed by Trend Micro's Zero Day Initiative (ZDI) as advisory ZDI-26-254. The flaw, assigned CVE-2026-5496, is a type confusion issue that arises during the parsing of PDSPRJ project files. An attacker can exploit this vulnerability by convincing a user to open a specially crafted file or visit a malicious web page that triggers the parsing routine, leading to remote code execution in the context of the current user process.

The technical root cause lies in insufficient validation of user-supplied data within the PDSPRJ file parser. This lack of validation creates a type confusion condition, where the program incorrectly interprets an object of one type as another, allowing an attacker to corrupt memory and hijack execution flow. The vulnerability carries a CVSS score of 7.8 (High) with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating that while user interaction is required, successful exploitation grants full compromise of confidentiality, integrity, and availability.
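The following is an added illustration, not Proteus code and not the real PDSPRJ layout: a constructed tagged-record format shows the pattern the advisory describes, a parser that reads a payload as the type the caller expects without checking the tag and length the file actually carries, next to the checked version that rejects the mismatch before interpreting any field.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy record layout (assumption for this example, NOT the real PDSPRJ format):
 *   byte 0   : tag  (1 = 32-bit integer, 2 = string reference)
 *   byte 1   : declared payload length
 *   bytes 2..: payload; INT = 4-byte LE value, STR = 2-byte LE offset + 2-byte LE length
 *              pointing into the same file */
enum { TAG_INT = 1, TAG_STR = 2, PARSE_OK = 0, PARSE_ERR = -1 };

typedef struct {
    uint8_t  tag;
    uint32_t ival;        /* meaningful only when tag == TAG_INT */
    uint16_t soff, slen;  /* meaningful only when tag == TAG_STR */
} record_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return (uint32_t)le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Constructed sample files: one INT record holding 0x7FFFFFFF, and one STR record
 * referring to offset 0, length 2. */
static const uint8_t SAMPLE_INT[6] = { TAG_INT, 4, 0xFF, 0xFF, 0xFF, 0x7F };
static const uint8_t SAMPLE_STR[6] = { TAG_STR, 4, 0x00, 0x00, 0x02, 0x00 };

/* Insufficient validation: the caller's expectation decides how the payload is read and the
 * file's own tag/length are never consulted, so an INT payload is interpreted as a STR
 * reference. The resulting offset/length point far outside the file: a type confusion. */
int parse_record_unchecked(const uint8_t *file, size_t n, size_t pos, uint8_t expected, record_t *out) {
    (void)n;  /* the file size is never used, which is exactly the defect */
    out->tag = expected;
    if (expected == TAG_INT) { out->ival = le32(file + pos + 2); }
    else { out->soff = le16(file + pos + 2); out->slen = le16(file + pos + 4); }
    return PARSE_OK;
}

/* Hardened form: the header must fit, the tag must match what the caller expects, the
 * declared length must match the type, the payload must lie inside the file, and a string
 * reference must stay in bounds. Nothing is interpreted until all of that holds. */
int parse_record_checked(const uint8_t *file, size_t n, size_t pos, uint8_t expected, record_t *out) {
    if (pos + 2 > n) return PARSE_ERR;
    uint8_t tag = file[pos], len = file[pos + 1];
    if (tag != expected || len != 4 || pos + 2 + len > n) return PARSE_ERR;
    out->tag = tag;
    if (tag == TAG_INT) { out->ival = le32(file + pos + 2); return PARSE_OK; }
    if (tag != TAG_STR) return PARSE_ERR;
    out->soff = le16(file + pos + 2);
    out->slen = le16(file + pos + 4);
    if ((size_t)out->soff + out->slen > n) return PARSE_ERR;  /* reference leaves the file */
    return PARSE_OK;
}
```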

According to the ZDI advisory, the vulnerability was responsibly disclosed to Labcenter Electronics on April 14, 2025. After several follow-ups, the vendor communicated on October 16, 2025, that the software and its installer were no longer in production. ZDI subsequently requested the product's end-of-life announcement, and on November 28, 2025, notified the vendor of its intention to publish the case as a zero-day advisory. The advisory was released publicly on April 6, 2026, with credit going to researcher Andrea Micalizzi, also known as rgod.

The impact of this vulnerability is significant for organizations still relying on Proteus for legacy design projects. Because the software is end-of-life, no security patch will be issued. The only mitigation recommended by ZDI is to restrict interaction with the product, effectively isolating it from untrusted data sources and network access. Users should avoid opening PDSPRJ files from unknown or untrusted origins and consider migrating to supported EDA alternatives.

This disclosure highlights a recurring challenge in the cybersecurity landscape: the risk posed by abandoned or end-of-life software that remains in active use. Legacy tools in engineering and manufacturing environments are often deeply embedded in workflows, making replacement difficult. Without vendor support, these systems become attractive targets for attackers, who can weaponize known vulnerabilities with no prospect of a patch ever closing them.

The ZDI advisory also serves as a reminder of the importance of maintaining an accurate software inventory and enforcing end-of-life policies. Organizations using Proteus should immediately assess their exposure, implement strict file access controls, and prioritize migration to actively maintained EDA platforms to close this and other unpatched security gaps.

Synthesized by Vypr AI