(0Day) Labcenter Electronics Proteus PDSPRJ File Parsing Out‑Of‑Bounds Write Remote Code Execution (CVE‑2026‑5494)
What It Is — Labcenter Electronics’ Proteus design suite contains an out‑of‑bounds write flaw in the parser for PDSPRJ project files. The bug allows an attacker who convinces a user to open a crafted file (or view a malicious page that triggers the file load) to execute arbitrary code with the privileges of the running Proteus process.
Exploitability — The vulnerability is publicly disclosed as a zero‑day (ZDI‑26‑256). No public exploit code has been released, but the CVSS 7.8 score (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) describes a local, low‑complexity, high‑impact attack that needs no prior privileges and only a single user interaction (opening the file).
Affected Products — Labcenter Electronics Proteus (all versions that support PDSPRJ file import; the vendor has stated that the product and its installer are no longer in production).
TPRM Impact — Proteus is widely used by engineering firms, OEMs, and contract manufacturers to design electronic hardware. A compromised design environment can lead to malicious firmware injection, intellectual‑property theft, or supply‑chain sabotage, exposing downstream customers to hidden backdoors in shipped devices.
Recommended Actions —
- Immediately inventory all third‑party vendors and internal teams that use Proteus for PCB/firmware design.
- Disable opening of PDSPRJ files from untrusted sources; enforce strict file‑origin controls.
- Apply any patches or mitigations released by Labcenter Electronics; if none are available, consider isolating Proteus on air‑gapped workstations.
- Update incident‑response playbooks to include detection of anomalous process behavior from Proteus (e.g., unexpected network connections, new binaries).
- Communicate the risk to affected suppliers and request evidence of remediation.
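To make the detection item above concrete, here is an added example (not from the advisory or from Labcenter) of a small rule set run over Sysmon‑style events: it flags Proteus making an outbound connection, writing an executable, and, as an added case beyond the advisory's two examples, spawning a child process. The image name `proteus.exe` and the sample events are assumptions; confirm the real binary name on a reference install before using anything like this.

```python
from dataclasses import dataclass

PROTEUS_IMAGE = "proteus.exe"  # ASSUMED placeholder; verify the real image name on a reference install
BINARY_EXT = (".exe", ".dll", ".scr", ".ps1", ".bat", ".vbs")

@dataclass
class Event:
    """One Sysmon-style event: 1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate."""
    event_id: int
    image: str              # process that performed the action (for id 1: the new child)
    parent_image: str = ""  # only meaningful for id 1
    target: str = ""        # id 3: destination ip:port, id 11: created file path

def _is_proteus(path: str) -> bool:
    # Compare the basename case-insensitively; Windows paths use backslashes.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower() == PROTEUS_IMAGE

def detect(events: list[Event], allow_net: frozenset[str] = frozenset()) -> list[str]:
    """Return one alert per anomalous Proteus event. allow_net holds known-good
    ip:port destinations (e.g. a licence server) so they are not reported."""
    alerts = []
    for e in events:
        if e.event_id == 1 and _is_proteus(e.parent_image):
            alerts.append(f"child-process: {e.parent_image} spawned {e.image}")
        elif e.event_id == 3 and _is_proteus(e.image) and e.target not in allow_net:
            alerts.append(f"network: {e.image} connected to {e.target}")
        elif e.event_id == 11 and _is_proteus(e.image) and e.target.lower().endswith(BINARY_EXT):
            alerts.append(f"dropped-binary: {e.image} wrote {e.target}")
    return alerts

# Constructed sample telemetry (not real data). Only the first three events are
# anomalous: a normal PDSPRJ save and an unrelated explorer launch must stay silent.
PROTEUS = r"C:\Program Files\Labcenter\proteus.exe"
SAMPLE = [
    Event(1, r"C:\Windows\System32\cmd.exe", parent_image=PROTEUS),
    Event(3, PROTEUS, target="203.0.113.10:443"),
    Event(11, PROTEUS, target=r"C:\Users\eng\AppData\Local\Temp\upd.exe"),
    Event(11, PROTEUS, target=r"C:\Projects\board.pdsprj"),
    Event(1, r"C:\Windows\explorer.exe", parent_image=r"C:\Windows\System32\userinit.exe"),
]

if __name__ == "__main__":
    for line in detect(SAMPLE):
        print(line)
```

Proteus may legitimately contact a licence or update server, so populate `allow_net` from a baseline taken on a clean workstation rather than alerting on every connection.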