ICS Advisory (ICSA-11-094-01)

Wonderware InBatch Client ActiveX Buffer Overflow

Click to Tweet.
Click to send to Facebook.
Click to Share.

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.



ICS-CERT has received a report from independent security researcher Jeremy Brown regarding a buffer overflow vulnerability in a Wonderware InBatch Client ActiveX control.

According to the researcher’s report, the client ActiveX control is vulnerable to a buffer overflow that could cause denial of service (DoS) or the possible execution of arbitrary code in older versions. In order to successfully exploit this vulnerability, the attacker must direct the InBatch client user to a malicious host. This exploit requires the attacker to perform social engineering. Invensys has validated the researcher’s claim and has developed a patch to mitigate this vulnerability. ICS-CERT has verified that the provided security patch resolves the vulnerability.


This vulnerability affects custom runtime client programs of all supported versions of the Wonderware InBatch Server products. Invensys has supplied Table 1, which identifies which currently supported products are

Product and ComponentSupported Operating SystemSecurity ImpactSeverity Rating
Wonderware InBatch 8.1--InBatch Runtime Clients (all versions)Windows XP Professional

Windows 2000 Server

Windows Server 2003

Denial of Service

Remote code execution

Wonderware InBatch 9.0--InBatch Runtime Clients (all versions)Windows XP Professional

Windows Server 2003

Windows Server 2008

Denial of ServiceMedium


While a successful exploit of the buffer overflow could allow a DoS or arbitrary code execution, the specific impact to an individual organization depends on many factors that are unique to the organization.

ICS CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and operational product implementation.


According to Invensys, Wonderware InBatch is used to develop batch management capabilities for control system applications that run on the Microsoft Windows platforms. The ActiveX control is supplied for end users to build custom runtime client interfaces to the InBatch Server.

Wonderware InBatch software is used in a wide variety of batching processes including pharmaceutical production; food and beverage production, including breweries and milk production; and various Chemical Sector batching processes. InBatch software is estimated to be deployed in Europe (60%), North America (30%), and other areas around the world (10%).



According to the researcher’s report, the InBatch client ActiveX control will connect to an InBatch servervia TCP. If an attacker successfully employs social engeneering (i.e., phishing e-mail), the user could be connected to a malicious server. Once connected to this server, the InBatch client ActiveX is vulnerable to a buffer overflow that could allow a DoS or possibly lead to arbitrary code execution.



This vulnerability is not remotely exploitable.


Currently, no known exploits are specifically targeting this vulnerability.


Crafting a working exploit for this vulnerability would be difficult. Social engineering is required to convince the user to access a malicious host.


ICS-CERT and Invensys recommend that users of the Wonderware InBatch runtime client ActiveX control take the following mitigation steps:

  • Install the patch provided from Invensys. Registered users please log into the Wonderware Developer Network or contact Wonderware Tech Support.
  • Log onto Cyber Security Updates site where Invensys provides information and useful links related to their security updates: http://iom.invensys.com/EN/Pages/CyberSecurityUpdates.aspx

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

The Control System Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

  1. Do not click web links or open unsolicited attachments in e-mail messages.
  2. Refer to Recognizing and Avoiding Email Scams for more information on avoiding e-mail scams.
  3. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.


Contact Information

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:  https://us-cert.cisa.gov/ics 
or incident reporting:  https://us-cert.cisa.gov/report

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

This product is provided subject to this Notification and this Privacy & Use policy.

Please share your thoughts.

We recently updated our anonymous product survey; we'd welcome your feedback.