Multiple Arbitrary Code Execution Vulnerabilities in Labcenter Proteus 9
CISA has issued an advisory for multiple high-severity vulnerabilities (CVE-2026-42953, CVE-2026-49033, CVE-2026-42958) in Labcenter Proteus 9.1_SP4_Build_42914 that could allow a malicious user to achieve arbitrary code execution and information disclosure through user interaction with specially crafted files.
Labcenter Proteus 9, specifically version 9.1_SP4_Build_42914, is affected by three high-severity vulnerabilities: CVE-2026-42953 (out-of-bounds write), CVE-2026-49033 (stack-based buffer overflow), and CVE-2026-42958 (use-after-free). These flaws, reported by Michael Heinzl and disclosed by CISA on July 7, 2026, could enable a local attacker to execute arbitrary code or disclose sensitive information. Exploitation requires user interaction, typically by opening a specially crafted project file. While these vulnerabilities affect critical infrastructure sectors globally, CISA has not observed in-the-wild exploitation, and the vulnerabilities are not remotely exploitable.
Attack Chain
- An attacker crafts a malicious Labcenter Proteus project file (e.g., .pdsprj, .lib) designed to trigger a memory corruption vulnerability.
- The attacker delivers the malicious file to the victim, often via spearphishing attachments or a compromised download site.
- The victim opens the specially crafted project file using the vulnerable Labcenter Proteus 9.1_SP4_Build_42914 application.
- During file parsing, one of the vulnerabilities (CVE-2026-42953, CVE-2026-49033, or CVE-2026-42958) is triggered within the application's memory space.
- The memory corruption is leveraged by the attacker to achieve arbitrary code execution within the context of the running Proteus application.
- The attacker's arbitrary code executes, allowing for potential information disclosure or further compromise of the underlying system.
Impact
Successful exploitation of these vulnerabilities could result in arbitrary code execution, allowing an attacker to take control of the affected system, disclose sensitive data, or install additional malicious software. The targeted sectors include critical infrastructure like Communications, Critical Manufacturing, Energy, Healthcare and Public Health, Transportation Systems, and Water and Wastewater, making the potential impact severe if systems within these environments are compromised. While no active exploitation has been reported, the high CVSS scores (7.8/8.4) underscore the risk of compromise within local environments.
Recommendation
- Immediately update Labcenter Proteus 9 to version 9.2 SPO or later to remediate CVE-2026-42953, CVE-2026-49033, and CVE-2026-42958.
- Implement robust endpoint detection and response (EDR) solutions to monitor for suspicious process creation or anomalous behavior originating from the Proteus application.
- Educate users on the risks of opening unsolicited or untrusted project files (e.g., .pdsprj) to prevent initial access via user interaction, as described in CISA's recommended practices.
- Minimize network exposure for all control system devices and systems running Proteus, ensuring they are not internet-accessible as recommended by CISA (ICSA-26-188-06).