PT-2026-60966 · Openplc · Openplc
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenPLC v3 (affected versions not specified)
Description
A heap-based buffer overflow exists in the
getData() function within webserver/core/modbus master.cpp. The function reads characters between two delimiters into a caller-supplied buffer without a size parameter or bounds check. Specifically, in parseConfig(), the function is called using the 100-byte heap-allocated MB device.dev name field. An authenticated attacker with access to the web interface can send a crafted HTTP POST request to the /modbus endpoint containing an oversized device name value. This value is saved to mbconfig.cfg and parsed upon loading, which overflows dev name and overwrites adjacent structure fields, including protocol at offset 108, dev address at offset 109, and ip port at offset 210. For example, a 200-byte payload writes 100 bytes beyond the allocation, resulting in heap corruption that causes a runtime crash and denial of service of the PLC process control loop.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Restrict access to the web interface to minimize the risk of exploitation.
DoS
Heap Based Buffer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openplc