Improper copy algorithm and component validation in the project upload mechanism in B&R Automation Studio version 4.0 and later may allow an unauthenticated attacker to execute code.
If the PLC has not been sufficiently secured, an attacker could manipulate the stored project information. Alternatively, a remote attacker may use spoofing techniques to make B&R Automation Studio connect to an attacker-controlled device with manipulated project files. When using project upload in B&R Automation Studio, such crafted projects will be loaded and opened in the security context of Automation Studio. This may result in remote code execution, information disclosure and denial of service of the system running B&R Automation Studio.

Risk Information

  • CVE ID
  • CVE-2021-22289
  • Vendor
  • B&R Automation
  • Product
  • Automation Studio
  • CVSS v3
  • 8.3