CISA has released ICSA-26-188-06, addressing critical security vulnerabilities in Labcenter Proteus 9, a widely used Electronic Design Automation (EDA) software suite. With a CVSS v3 score of 7.8, these flaws—specifically identified as CVE-2026-42953 (Out-of-bounds Write), alongside Stack-based Buffer Overflow and Use After Free issues—pose a significant risk to Critical Infrastructure sectors.
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code or disclose sensitive information. Given the deployment of Proteus in Communications, Critical Manufacturing, Defense Industrial Base (DIB), Energy, and Healthcare, this is not merely a software update; it is an urgent defensive imperative to prevent the compromise of engineering workstations that often serve as entry points to operational technology (OT) networks.
Technical Analysis
Affected Product: Labcenter Proteus 9 Specific Affected Version: Proteus 9.1_SP4_Build_42914 Vulnerability Type: Memory Corruption (Out-of-bounds Write, Stack-based Buffer Overflow, Use After Free)
CVE-2026-42953: This specific flaw involves an out-of-bounds write condition. In the context of EDA software, this type of vulnerability is typically triggered when the application parses a malformed project file (e.g., .pdsprj, .DSN) or a schematic component containing unexpected data lengths. The application fails to validate buffer boundaries before writing data, allowing an attacker to overwrite adjacent memory.
When combined with the other identified memory corruption issues (Stack Overflow, Use After Free), an attacker can manipulate the instruction pointer or the vtable (Virtual Method Table) to redirect code execution. This results in Remote Code Execution (RCE) with the privileges of the logged-in user—often a domain administrator or engineer with elevated rights on the design workstation.
Attack Vector: While Proteus is a client-side application, the attack surface is significant in enterprise environments. An attacker could send a weaponized schematic file via spear-phishing to an engineer or plant the file on a network share. Upon opening the file in the vulnerable build (42914), the exploit triggers, potentially giving the attacker a foothold in the secure design environment.
Detection & Response
Detecting exploitation of memory corruption vulnerabilities in client applications like Proteus requires focusing on the effects of the exploitation rather than the vulnerability itself. We are looking for the Proteus application (ARES.exe, ISIS.exe) behaving aberrantly, such as spawning unauthorized shell processes or loading suspicious DLLs.
Sigma Rules
---
title: Proteus 9 Spawning Unauthorized Shell Processes
id: 8a2d3c41-9f1e-4a5b-b1c2-3d4e5f6a7b8c
status: experimental
description: Detects Labcenter Proteus spawning command shells or PowerShell, indicative of potential RCE exploitation of CVE-2026-42953 or related memory corruption bugs.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-06
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\ARES.exe'
- '\ISIS.exe'
- '\VSM.exe'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: all of them_*
falsepositives:
- Legitimate macro execution within design tools (rare)
level: high
---
title: Proteus Loading Non-Standard DLLs from User Profile
id: 1b2c3d44-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects Proteus core binaries loading DLLs from user-writable directories, a common technique used in exploit development to bypass code signing and load malicious payloads.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-06
author: Security Arsenal
date: 2026/04/06
tags:
- attack.defense_evasion
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\ARES.exe'
- '\ISIS.exe'
ImageLoaded|contains:
- '\AppData\Local\Temp\'
- '\Downloads\'
- '\AppData\Roaming\'
filter:
Signed: 'true'
condition: selection and not filter
falsepositives:
- Plugin loading from 3rd party directories
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for suspicious child processes spawned by Proteus applications
DeviceProcessEvents
| where InitiatingProcessFileName in ("ARES.exe", "ISIS.exe", "VSM.exe")
| where FileName in ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, InitiatingProcessVersionInfoFileVersion
| order by Timestamp desc
Velociraptor VQL
-- Hunt for Proteus processes and check for suspicious child processes
SELECT Parent.ProcessName AS ParentName,
Parent.Pid AS ParentPid,
Child.ProcessName AS ChildName,
Child.Pid AS ChildPid,
Child.CommandLine,
Child.StartTime
FROM pslist()
LEFT JOIN pslist() AS Child
ON Parent.Pid = Child.Ppid
WHERE Parent.ProcessName =~ "ARES.exe"
AND Child.ProcessName =~ "(cmd|powershell|pwsh|wscript).exe"
Remediation Script (PowerShell)
# Script to detect vulnerable Labcenter Proteus installations
# Checks for File Version matching 9.1_SP4_Build_42914
$VulnerableBuild = "42914"
$ProteusPaths = @(
"${env:ProgramFiles}\Labcenter Electronics\Proteus 9 Professional\BIN\ARES.EXE",
"${env:ProgramFiles(x86)}\Labcenter Electronics\Proteus 9 Professional\BIN\ARES.EXE"
)
Write-Host "Scanning for Labcenter Proteus 9 Vulnerable Build $VulnerableBuild..." -ForegroundColor Cyan
foreach ($Path in $ProteusPaths) {
if (Test-Path $Path) {
$VersionInfo = (Get-Item $Path).VersionInfo
$FileVersion = $VersionInfo.FileVersion
if ($FileVersion -match $VulnerableBuild) {
Write-Host "[VULNERABLE] Detected Proteus Build $VulnerableBuild at: $Path" -ForegroundColor Red
Write-Host "Action: Patch immediately to the latest version provided by Labcenter Electronics." -ForegroundColor Yellow
} else {
Write-Host "[OK] Found Proteus at $Path with Version: $FileVersion" -ForegroundColor Green
}
}
}
Remediation
1. Patching: The primary remediation is to update Labcenter Proteus to the latest version. The advisory specifically confirms that Proteus 9.1_SP4_Build_42914 is affected. Users must verify that the build number has changed after updating.
- Vendor: Labcenter Electronics
- Action: Apply the patch released by the vendor.
- Reference: Review the CISA Advisory ICSA-26-188-06 for specific patch coordination details if available.
2. Network Segmentation: Engineering workstations running Proteus should be isolated from the general IT network and strictly air-gapped from OT/ICS networks where possible. If file transfer is required, use a DMZ with jump hosts to scan for malicious content before files reach the design environment.
3. Application Whitelisting:
Implement strict application control policies (e.g., Windows Defender Application Control) to ensure that ARES.exe can only load signed DLLs from trusted directories and cannot spawn unauthorized child processes like cmd.exe or powershell.exe.
4. User Awareness:
Alert engineering teams about the risks of opening untrusted design files (.pdsprj, .DSN) received via email from external sources.
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.