Panasonic FPWIN Pro PLC programming control software vulnerability affects various industrial devices

Cybersecurity specialists report the discovery of a critical vulnerability in FPWIN Pro, a programmable logic controller (PLC) developed by technology firm Panasonic. According to the report, successful exploitation of the flaw would allow threat actors to access sensitive information on the target system.

Tracked as CVE-2021-32972, the flaw exists because a specially crafted project file that specifies a URI causes the XML parser to access the URI and embed the content, allowing attackers to access sensitive information in the context of the user running the vulnerable software.

The vulnerability received a score of 5.9/10 on the Common Vulnerability Scoring System (CVSS) scale and was reported by researcher Michael Heinzl to the Cybersecurity and Infrastructure Security Agency (CISA).

The fault lies in all versions of the FPWIN Pro PLC prior to v7.5.1.1.

Panasonic is already aware of the report and recommends users of affected deployments upgrade to FPWIN Pro v7.5.2.0 in order to mitigate the risk of exploitation. Supplemental information about this vulnerability is available on the company’s official platforms.

Moreover, CISA also issued a number of recommendations to address the reported failure:

  • Never click on web links or open unsolicited attachments received via email
  • Identify and prevent email scam campaigns also known as phishing
  • Identify and prevent social engineering attacks and identity fraud 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, in addition to trying to reduce the impact of a potential exploitation.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.