VYPR
Advisory · Published Apr 6, 2026 · Updated May 18, 2026 · 1 source

Zero-Day Vulnerability in Labcenter Electronics Proteus Allows Remote Code Execution via Malicious PDSPRJ Files

A critical zero-day out-of-bounds write vulnerability (CVE-2026-5493) in Labcenter Electronics Proteus allows remote code execution when users open malicious PDSPRJ files, with no patch available as the product is end-of-life.

A critical zero-day vulnerability has been disclosed in Labcenter Electronics Proteus, a widely used electronic design automation (EDA) tool. Tracked as CVE-2026-5493 and published by the Zero Day Initiative (ZDI) as ZDI-26-255, the flaw is an out-of-bounds write vulnerability that arises when the software parses PDSPRJ project files. An attacker can exploit this by convincing a user to open a specially crafted file or visit a malicious webpage, leading to remote code execution in the context of the current process.

The vulnerability was discovered by researcher Andrea Micalizzi (aka rgod) and reported to Labcenter Electronics on April 14, 2025. After several follow-ups, the vendor informed ZDI on October 16, 2025, that the affected software and its installer are no longer in production. Despite requests for an official end-of-life announcement, Labcenter did not provide one, and ZDI ultimately published the advisory as a zero-day on April 6, 2026, after notifying the vendor of its intent.

The technical root cause lies in the lack of proper validation of user-supplied data within PDSPRJ file parsing routines. This allows an attacker to write data beyond the bounds of an allocated buffer, a classic memory corruption issue that can be leveraged to hijack execution flow. The CVSS score for this vulnerability is 7.8, indicating high severity, though the attack vector is local and requires user interaction.

Because Proteus is no longer supported, no security patch will be released. The only mitigation recommended by ZDI is to restrict interaction with the software—users should avoid opening PDSPRJ files from untrusted sources and consider isolating the application in a sandboxed environment. Organizations still relying on Proteus for legacy projects face significant risk, as the vulnerability can be triggered simply by visiting a malicious webpage if the software is installed.
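One way to operationalize the mitigation above is to watch for Proteus opening PDSPRJ files that arrived from the web or an inbox. The following detector is an added example, not code from the advisory, ZDI or Labcenter; it runs over constructed Sysmon-style process-creation records, and the Proteus executable name is a placeholder assumption that must be replaced with the real binary name of the installed version.

```python
import json
import re
from pathlib import PureWindowsPath

# PLACEHOLDER (assumption, not from the advisory): image name of the Proteus binary.
PROTEUS_IMAGES = {"proteus.exe"}
# A project handed to Proteus by a browser or mail client came from the web or an inbox.
UNTRUSTED_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
# Directory-name fragments where downloads and attachments land (substring match, broad on purpose).
UNTRUSTED_DIRS = ("downloads", "temp", "inetcache", "outlook")
PDSPRJ_ARG = re.compile(r'"([^"]*\.pdsprj)"|(\S+\.pdsprj)', re.IGNORECASE)  # quoted or bare path

def classify(event: dict):
    """Reason a Sysmon Event ID 1 record (Image, ParentImage, CommandLine) is suspicious, else None."""
    if PureWindowsPath(event.get("Image", "")).name.lower() not in PROTEUS_IMAGES:
        return None
    m = PDSPRJ_ARG.search(event.get("CommandLine", ""))
    if not m:
        return None  # Proteus started without a project file argument
    project = m.group(1) or m.group(2)
    dirs = [p.lower() for p in PureWindowsPath(project).parts[:-1]]
    if any(frag in d for d in dirs for frag in UNTRUSTED_DIRS):
        return f"PDSPRJ opened from untrusted directory: {project}"
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent in UNTRUSTED_PARENTS:
        return f"PDSPRJ handed to Proteus by {parent}: {project}"
    return None

def scan(log_lines):
    """Run classify() over JSON-lines events and return (UtcTime, reason) for each hit."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        reason = classify(event)
        if reason:
            hits.append((event.get("UtcTime", "?"), reason))
    return hits

# Constructed sample events (not real telemetry): one benign open, two untrusted origins.
PROTEUS = r"C:\Program Files\Labcenter\proteus.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2026-04-07 09:00:01", "Image": PROTEUS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"' + PROTEUS + r'" "C:\Projects\sensor_board.pdsprj"'},
    {"UtcTime": "2026-04-07 09:12:44", "Image": PROTEUS, "ParentImage": r"C:\Program Files\Microsoft\Edge\msedge.exe",
     "CommandLine": '"' + PROTEUS + r'" "C:\Users\alice\Downloads\free library.pdsprj"'},
    {"UtcTime": "2026-04-07 10:30:05", "Image": PROTEUS, "ParentImage": r"C:\Program Files\Google\Chrome\chrome.exe",
     "CommandLine": '"' + PROTEUS + r'" C:\Projects\shared\vendor_ref.pdsprj'},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]
```

Feed real process-creation telemetry in the same JSON-lines shape to scan(); a hit is a prompt to check the file's origin, not proof of exploitation.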

This disclosure highlights a growing concern in the cybersecurity community: the proliferation of zero-day vulnerabilities in end-of-life software. As vendors discontinue products, users often continue to operate them without security updates, creating a persistent attack surface. The Proteus case is particularly notable because the flaw was responsibly reported and the vendor was given ample time to respond, yet the outcome was a public advisory with no fix.

The advisory credits Andrea Micalizzi for the discovery and follows ZDI's standard coordinated disclosure timeline. With no patch forthcoming, users of Labcenter Electronics Proteus must treat the software as permanently vulnerable and take proactive steps to limit exposure. This incident serves as a stark reminder that legacy EDA tools can become vectors for code execution attacks, especially when they handle complex file formats without modern memory safety protections.

Synthesized by Vypr AI