PT-2017-9632 · Schneider Electric · Unity Pro

Avihay Kain +1

Published: 2017-02-13 · Updated: 2017-03-15

CVE-2016-8354

CVSS v3.1: 7.0 (High)

Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Schneider Electric Unity PRO versions prior to V11.1

Description

An issue was discovered where Unity projects can be compiled as x86 instructions and loaded onto the PLC Simulator delivered with Unity PRO. These x86 instructions are subsequently executed directly by the simulator. A specially crafted patched Unity project file can make the simulator execute malicious code by redirecting the control flow of these instructions.

Recommendations

For versions prior to V11.1, update to version V11.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the PLC Simulator to minimize the risk of exploitation. Avoid loading patched Unity project files onto the simulator until the issue is resolved.

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2016-8354

Affected Products

Unity Pro