ICS Advisory (ICSA-11-017-02)

Sielco Sistemi WinLog Stack Overflow


Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.



Independent researcher Luigi Auriemma reported a stack overflow vulnerability in Version 2.07.00 of the Sielco Sistemi WinLog Lite and Winlog Pro HMI software.

Sielco Sistemi has developed an update (Version 2.07.01) to address this vulnerability. The researcher has verified that the update is effective in correcting this vulnerability.

Affected Products

This vulnerability affects all versions of Sielco Sistemi’s WinLog Lite and WinLog Pro prior to Version 2.07.00.


Winlog is used in building automation, monitoring systems, and food production in 16 countries around the world. Sielco Sistemi is based in Italy.

While a successful exploit of this vulnerability could lead to arbitrary code execution, the impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.


Winlog is a SCADA/HMI software package for the supervision of industrial and civil plants. It can connect to PLCs, controllers, motor drives, and I/O modules.

Vulnerability Characterization

Vulnerability Overview

The Winlog system can act as a server when the "Run TCP/IP server" option is enabled. The server listens on TCP port 46823. A specially crafted packet from a remote attacker can cause a stack overflow, possibly allowing the attacker to execute arbitrary code.
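An added example, not part of the original advisory or any vendor tooling: a Python check that scans firewall log lines for TCP connections to the Winlog server port 46823 from sources outside an allow-list. The log format, the allowed subnet, and the sample lines are constructed assumptions.

```python
import ipaddress

WINLOG_PORT = 46823  # TCP port the advisory gives for the "Run TCP/IP server" option

# Assumption: subnets permitted to reach the Winlog server (constructed value).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample log lines in an assumed format:
#   timestamp proto src_ip:src_port -> dst_ip:dst_port action
SAMPLE_LOG = """\
2011-01-17T08:01:12Z TCP 10.20.0.15:50122 -> 10.20.0.5:46823 ALLOW
2011-01-17T08:03:40Z TCP 192.0.2.44:41830 -> 10.20.0.5:46823 ALLOW
2011-01-17T08:04:02Z UDP 192.0.2.44:5353 -> 10.20.0.5:46823 ALLOW
2011-01-17T08:05:19Z TCP 198.51.100.7:60211 -> 10.20.0.5:46823 DENY
2011-01-17T08:06:55Z TCP 192.0.2.44:41990 -> 10.20.0.5:443 ALLOW
malformed line without the expected fields
"""

def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not parse."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    try:
        src_ip, _, src_port = parts[2].rpartition(":")
        dst_ip, _, dst_port = parts[4].rpartition(":")
        return {"ts": parts[0], "proto": parts[1],
                "src": ipaddress.ip_address(src_ip), "dst": ipaddress.ip_address(dst_ip),
                "dport": int(dst_port), "action": parts[5]}
    except ValueError:
        return None

def find_unexpected_winlog_access(log_text, allowed=ALLOWED_SOURCES):
    """Flag TCP connections to the Winlog port from sources outside the allow-list."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != WINLOG_PORT:
            continue
        if any(rec["src"] in net for net in allowed):
            continue
        # ALLOW means the packet reached the server; DENY confirms the filter works.
        severity = "reached-server" if rec["action"] == "ALLOW" else "blocked"
        findings.append((rec["ts"], str(rec["src"]), str(rec["dst"]), severity))
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_winlog_access(SAMPLE_LOG):
        print(finding)
```

Entries marked "reached-server" are the ones to review first, since they show traffic from an unexpected source arriving at the listening service.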

Vulnerability Details


This vulnerability is exploitable from a remote machine.

Existence of Exploit

Exploit code and vulnerability details are publicly available.


A high level of skill is needed to exploit this vulnerability.


ICS-CERT recommends that users of Sielco Sistemi’s Winlog system take the following mitigation steps:

Organizations should follow their established internal procedures if any suspected malicious activity is observed and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.

The Control System Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Contact Information

For any questions related to this report, please contact CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics
or incident reporting: https://us-cert.cisa.gov/report
