Cybersecurity specialists report the discovery of a critical vulnerability in FPWIN Pro, a programmable logic controller (PLC) developed by technology firm Panasonic. According to the report, successful exploitation of the flaw would allow threat actors to access sensitive information on the target system.
Tracked as CVE-2021-32972, the flaw exists because a specially crafted project file that specifies a URI causes the XML parser to access the URI and embed the content, allowing attackers to access sensitive information in the context of the user running the vulnerable software.
The vulnerability received a score of 5.9/10 on the Common Vulnerability Scoring System (CVSS) scale and was reported by researcher Michael Heinzl to the Cybersecurity and Infrastructure Security Agency (CISA).
The fault lies in all versions of the FPWIN Pro PLC prior to v22.214.171.124.
Panasonic is already aware of the report and recommends users of affected deployments upgrade to FPWIN Pro v126.96.36.199 in order to mitigate the risk of exploitation. Supplemental information about this vulnerability is available on the company’s official platforms.
Moreover, CISA also issued a number of recommendations to address the reported failure:
- Never click on web links or open unsolicited attachments received via email
- Identify and prevent email scam campaigns also known as phishing
- Identify and prevent social engineering attacks and identity fraud
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, in addition to trying to reduce the impact of a potential exploitation.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.