Weintek EasyBuilder Pro reports critical vulnerability

published: Nov. 2, 2023

Take action: If you are using Weintek EasyBuilder Pro, be aware of this vulnerability. There is no need to rush an immediate patch, since the issue is connected to the crash-report feature. First make sure your EasyBuilder Pro installation is isolated from internet access and used only over secure access. Then plan a systematic patch.


Learn More

Weintek's EasyBuilder Pro software has a critical vulnerability tracked as CVE-2023-5777 (CVSS3 score 9.8).

EasyBuilder Pro is a software program developed by Weintek that is used for creating graphical user interfaces (GUIs) for human-machine interfaces (HMIs). These HMIs typically provide a control and visualization interface between a human (the operator) and a machine or process.

EasyBuilder Pro supports communication with a multitude of PLCs and other devices through various protocols, facilitating integration into diverse industrial environments.

The identified vulnerability is that the software ships with built-in credentials: a private key used when transmitting a crash report. Although the private key is deleted after the crash report has been sent, it has been publicly exposed, so it could be used to gain unauthorized access to the crash report server.

If this flaw is exploited, an attacker could gain unauthorized remote access to a user's system with elevated rights.

Vulnerable versions:

  • Versions of EasyBuilder Pro earlier than v6.07.02
  • Versions of EasyBuilder Pro up to and including 6.08.01.592
  • Versions of EasyBuilder Pro up to and including 6.08.02.470

To mitigate this issue, Weintek has suggested users:

  • Upgrade to version v6.08.01.614 of EasyBuilder Pro
  • Upgrade to version v6.08.02.500 of EasyBuilder Pro
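When checking an inventory of engineering workstations against the two lists above, the awkward part is that the affected and fixed builds sit on two parallel branches (6.08.01.x and 6.08.02.x), and the advisory says nothing about builds that fall between the last listed vulnerable build and the first fixed build of a branch. The following Python helper, added here as an example and not a Weintek tool, encodes the ranges exactly as the advisory lists them and reports such gaps as "unlisted" instead of silently calling them safe. The host inventory at the bottom is constructed sample data.

```python
"""Classify EasyBuilder Pro version strings against the ranges published for
CVE-2023-5777. Added example; the ranges come from the advisory text above,
the host inventory is constructed sample data."""
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Inclusive upper bounds of the vulnerable ranges, as listed in the advisory.
# "earlier than v6.07.02" is a subset of "up to and including 6.08.01.592".
VULNERABLE_UPTO_MAIN: Version = (6, 8, 1, 592)
VULNERABLE_UPTO_BRANCH_6_08_02: Version = (6, 8, 2, 470)

# First build on each branch that the advisory names as the upgrade target.
FIXED_FROM: Dict[Version, Version] = {
    (6, 8, 1): (6, 8, 1, 614),
    (6, 8, 2): (6, 8, 2, 500),
}


def parse_version(text: str) -> Version:
    """'v6.08.01.592' -> (6, 8, 1, 592). A leading 'v' is optional and
    zero padding is ignored, so '6.08.01' and '6.8.1' compare equal."""
    text = text.strip().lower()
    if text.startswith("v"):
        text = text[1:]
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted'.

    'unlisted' covers builds the advisory does not mention: builds between the
    last vulnerable and the first fixed build of a branch (e.g. 6.08.01.600),
    and later branches (e.g. 6.09.x). Treat those as needing manual review."""
    v = parse_version(text)
    branch = v[:3]
    if branch in FIXED_FROM and v >= FIXED_FROM[branch]:
        return "fixed"
    # Tuple comparison: a shorter version such as (6, 8, 1) sorts before
    # (6, 8, 1, 592), so '6.08.01' without a build number is still caught.
    if v <= VULNERABLE_UPTO_MAIN:
        return "vulnerable"
    if branch == (6, 8, 2) and v <= VULNERABLE_UPTO_BRANCH_6_08_02:
        return "vulnerable"
    return "unlisted"


def hosts_needing_action(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> classification for every host that is not on a fixed build."""
    return {host: classify(ver) for host, ver in inventory.items()
            if classify(ver) != "fixed"}


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported EasyBuilder Pro version.
    sample_inventory = {
        "eng-ws-01": "v6.07.01",
        "eng-ws-02": "6.08.01.592",
        "eng-ws-03": "6.08.01.614",
        "eng-ws-04": "6.08.02.470",
        "eng-ws-05": "6.08.02.500",
        "eng-ws-06": "6.08.01.600",
    }
    for host, status in sorted(hosts_needing_action(sample_inventory).items()):
        print(f"{host}: {sample_inventory[host]} -> {status}")
```

Run it against an exported inventory instead of the sample dictionary; any host reported as "vulnerable" goes into the patch plan, and any "unlisted" host should be confirmed against Weintek's release notes before it is treated as safe.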
