VYPR
Advisory · Published Apr 6, 2026 · Updated May 18, 2026 · 1 source

Zero-Day Vulnerability in Discontinued Labcenter Electronics Proteus Allows Remote Code Execution via PDSPRJ Files

A zero-day out-of-bounds write vulnerability (CVE-2026-5495) in Labcenter Electronics Proteus allows remote code execution through malicious PDSPRJ file parsing, with no patch available as the product has been discontinued.

A zero-day vulnerability in Labcenter Electronics Proteus, identified as CVE-2026-5495, has been disclosed by the Zero Day Initiative (ZDI) as ZDI-26-257. The flaw resides in the parsing of PDSPRJ files, where improper validation of user-supplied data can lead to an out-of-bounds write. An attacker can exploit this by convincing a target to open a malicious file or visit a malicious page, achieving remote code execution in the context of the current process. The vulnerability carries a CVSS score of 7.8, reflecting its high impact on confidentiality, integrity, and availability, though it requires user interaction.

The disclosure timeline reveals that ZDI submitted the report to Labcenter Electronics on April 14, 2025. After multiple follow-ups, the vendor communicated in October 2025 that the software and installer were no longer in production. ZDI requested the product's end-of-life announcement but did not receive it. On November 28, 2025, ZDI notified the vendor of its intention to publish the case as a zero-day advisory, which was released on April 6, 2026.

Because the product is discontinued, no patch will be issued. The only mitigation strategy recommended by ZDI is to restrict interaction with the product. This leaves users of Proteus in a precarious position, as they must rely on alternative security measures such as network segmentation, strict file access controls, and user awareness training to prevent exploitation.

The vulnerability was discovered and reported by Andrea Micalizzi, also known as rgod (@rgod777). This case highlights the growing risk posed by end-of-life software that remains in use. Organizations that continue to rely on discontinued products face unpatched vulnerabilities that can be exploited by attackers, especially when the software handles untrusted data like PDSPRJ files.

Labcenter Electronics Proteus is a widely used electronic design automation (EDA) tool for schematic capture and PCB layout. Its discontinuation means that users must consider migrating to supported alternatives to ensure security. The ZDI advisory serves as a critical reminder for organizations to inventory their software assets and plan for end-of-life transitions to avoid exposure to unpatched vulnerabilities.

In the broader context, this incident underscores the vendor's responsibility to provide clear end-of-life communication and, where possible, to facilitate migration paths. For the security community, it reinforces the value of coordinated disclosure processes and the need for users to stay informed about the lifecycle of their critical software tools.

Synthesized by Vypr AI