CVE-2023-41374

HIGH

Kostac PLC Programming Software <1.6.11.0 - Code Injection

Title source: llm

Description

Double free issue exists in Kostac PLC Programming Software Version 1.6.11.0 and earlier. Arbitrary code may be executed by having a user open a specially crafted project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier because the issue exists in parsing of KPP project files. The vendor states that Kostac PLC Programming Software Version 1.6.10.0 or later implements the function which prevents a project file alteration. Therefore, to mitigate the impact of these vulnerabilities, a project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier needs to be saved again using Kostac PLC Programming Software Version 1.6.10.0 or later.

References (2)

[Third Party Advisory] https://jvn.jp/en/vu/JVNVU95282683/index.html

[Vendor Advisory] https://www.electronics.jtekt.co.jp/en/topics/202309125391/

Scores

CVSS v3 7.8

EPSS 0.0008

EPSS Percentile 23.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-415

Status published

Affected Products (2)

jtekt/kostac_plc < 1.6.10.0

jtekt/kostac_plc

Timeline

Published Sep 20, 2023

Tracked Since Feb 18, 2026