
CVE-2025-49850: CWE-122 Heap-based Buffer Overflow in LS Electric GMWin 4

High
Tags: Vulnerability, CVE-2025-49850, CWE-122
Published: Tue Jun 17 2025 (06/17/2025, 18:35:29 UTC)
Source: CVE Database V5
Vendor/Project: LS Electric
Product: GMWin 4

Description

A Heap-based Buffer Overflow vulnerability exists within the parsing of PRJ files. The issue results from the lack of proper validation of user-supplied data, which can lead to different memory corruption issues within the application, such as reading and writing past the end of allocated data structures.

AI-Powered Analysis

Last updated: 06/17/2025, 19:04:31 UTC

Technical Analysis

CVE-2025-49850 is a high-severity heap-based buffer overflow vulnerability identified in LS Electric's GMWin 4 software, specifically version 4.18. GMWin 4 is an industrial automation software product used primarily for programming and monitoring programmable logic controllers (PLCs) and other industrial control systems (ICS). The vulnerability arises from improper validation of user-supplied data during the parsing of PRJ project files. When GMWin 4 processes these PRJ files, it fails to adequately check the size and structure of the input data, leading to heap-based buffer overflow conditions. This memory corruption can cause the application to read or write beyond the allocated memory boundaries, potentially resulting in arbitrary code execution, application crashes, or other unpredictable behavior. The vulnerability does not require authentication (PR:N) but does require local access (AV:L) and user interaction (UI:A) to trigger. The CVSS 4.0 base score of 8.4 reflects the high impact on confidentiality, integrity, and availability, with high exploit complexity due to the need for local access and user action. No known exploits are currently reported in the wild, and no patches have been published yet. Given the nature of the vulnerability, attackers with local access could craft malicious PRJ files that, when opened by a user in GMWin 4, could compromise the host system or disrupt industrial processes controlled by the software. This poses significant risks in industrial environments where GMWin 4 is deployed, especially in critical infrastructure sectors.
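The advisory describes the CWE-122 pattern only in general terms: a length taken from the PRJ file drives a copy into a heap object without being compared to the object's capacity or to the bytes actually present. The following C example, added here and not taken from GMWin 4 or LS Electric (the real PRJ layout is not public, so the record format, the `prj_record` struct and the sample bytes are constructed for illustration), shows that pattern beside the hardened form a reviewer would expect: each length is validated against both the fixed capacity and the remaining input before it is used.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout for illustration only (NOT the real GMWin PRJ format):
 *   [u16 name_len][name bytes][u32 body_len][body bytes]   (little-endian) */
#define MAX_NAME 32
#define MAX_BODY 4096

enum { PRJ_OK = 0, PRJ_ERR_TRUNCATED = -1, PRJ_ERR_OVERSIZE = -2, PRJ_ERR_NOMEM = -3 };

typedef struct {
    char name[MAX_NAME];   /* fixed-size field inside a heap-allocated record */
    uint32_t body_len;
    uint8_t *body;
} prj_record;

static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_u32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* CWE-122 pattern: lengths read from the file drive memcpy without being compared
 * to the destination capacity or to the bytes remaining in the input. A name_len
 * of 32 or more writes past the heap-allocated record; a body_len larger than the
 * file reads past the input buffer. Kept only for contrast; never give it untrusted data. */
static prj_record *parse_unchecked(const uint8_t *buf) {
    prj_record *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    uint16_t name_len = rd_u16(buf);
    memcpy(r->name, buf + 2, name_len);                    /* heap overflow if name_len >= 32 */
    r->body_len = rd_u32(buf + 2 + name_len);
    r->body = malloc(r->body_len);
    if (r->body) memcpy(r->body, buf + 6 + name_len, r->body_len); /* over-read if > input */
    return r;
}

/* Hardened parser: every length is checked against the fixed capacity AND the
 * bytes actually left in the input before it is used, and offsets never wrap. */
static int parse_checked(const uint8_t *buf, size_t len, prj_record *out) {
    size_t off = 0;
    memset(out, 0, sizeof *out);
    if (len < 2) return PRJ_ERR_TRUNCATED;
    uint16_t name_len = rd_u16(buf);
    off = 2;
    if (name_len >= MAX_NAME) return PRJ_ERR_OVERSIZE;      /* keep room for the NUL */
    if (name_len > len - off) return PRJ_ERR_TRUNCATED;
    memcpy(out->name, buf + off, name_len);
    out->name[name_len] = '\0';
    off += name_len;
    if (len - off < 4) return PRJ_ERR_TRUNCATED;
    uint32_t body_len = rd_u32(buf + off);
    off += 4;
    if (body_len > MAX_BODY) return PRJ_ERR_OVERSIZE;       /* hard cap on the allocation */
    if (body_len > len - off) return PRJ_ERR_TRUNCATED;     /* declared > present */
    out->body = malloc(body_len ? body_len : 1);
    if (!out->body) return PRJ_ERR_NOMEM;
    memcpy(out->body, buf + off, body_len);
    out->body_len = body_len;
    return PRJ_OK;
}

static void prj_free(prj_record *r) { free(r->body); r->body = NULL; }

/* Convenience wrapper: parse, discard the record, return only the result code. */
static int parse_result(const uint8_t *buf, size_t len) {
    prj_record r;
    int rc = parse_checked(buf, len, &r);
    prj_free(&r);
    return rc;
}

/* Constructed sample inputs (not real PRJ data). */
static const uint8_t SAMPLE_GOOD[]     = { 0x04,0x00,'M','A','I','N', 0x03,0x00,0x00,0x00, 1,2,3 };
static const uint8_t SAMPLE_BAD_NAME[] = { 0xFF,0x00,'M','A','I','N', 0x00,0x00,0x00,0x00 };
static const uint8_t SAMPLE_BAD_BODY[] = { 0x04,0x00,'M','A','I','N', 0xFF,0xFF,0xFF,0x7F, 1 };
static const uint8_t SAMPLE_TRUNC[]    = { 0x04,0x00,'M','A','I','N', 0x10,0x00,0x00,0x00, 1,2 };

int main(void) {
    prj_record r;
    printf("good:      %d\n", parse_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &r));
    printf("  name=%s body_len=%u\n", r.name, r.body_len);
    prj_free(&r);
    printf("bad name:  %d\n", parse_result(SAMPLE_BAD_NAME, sizeof SAMPLE_BAD_NAME));
    printf("bad body:  %d\n", parse_result(SAMPLE_BAD_BODY, sizeof SAMPLE_BAD_BODY));
    printf("truncated: %d\n", parse_result(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    /* The unchecked parser is only ever run on the well-formed sample here. */
    prj_record *u = parse_unchecked(SAMPLE_GOOD);
    if (u) { prj_free(u); free(u); }
    return 0;
}
```

The three rejection paths map onto the advisory's wording: a declared length larger than the fixed field is the write-past-the-end case, a declared length larger than the remaining file is the read-past-the-end case, and the hard cap on `body_len` keeps an attacker-controlled 32-bit value from driving an arbitrary-size allocation. Fuzzing a parser with inputs shaped like the three bad samples under a sanitizer is the usual way to surface the unchecked variant before a crash report does.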

Potential Impact

For European organizations, especially those operating in industrial automation, manufacturing, energy, and critical infrastructure sectors, this vulnerability poses a significant threat. Exploitation could lead to unauthorized code execution on systems running GMWin 4, potentially allowing attackers to manipulate industrial processes, cause operational disruptions, or exfiltrate sensitive operational data. The high impact on confidentiality, integrity, and availability means that affected systems could experience downtime, safety incidents, or data breaches. Given that GMWin 4 is specialized software used in industrial control environments, successful exploitation could have cascading effects on production lines, energy distribution, or other critical services. The requirement for local access and user interaction somewhat limits remote exploitation but does not eliminate risk, as insiders or attackers with initial footholds could leverage this vulnerability to escalate privileges or move laterally within networks. The absence of known exploits currently provides a window for proactive mitigation, but the high severity score demands urgent attention to prevent future exploitation.

Mitigation Recommendations

1. Restrict access to systems running GMWin 4 to trusted personnel only, minimizing the risk of untrusted users opening malicious PRJ files.
2. Implement strict file handling policies, including disabling or restricting the opening of PRJ files from unverified sources.
3. Employ application whitelisting and endpoint protection solutions that can detect anomalous behavior or memory corruption attempts within GMWin 4.
4. Conduct user training focused on the risks of opening untrusted project files and recognizing suspicious activity.
5. Monitor logs and system behavior for signs of exploitation attempts or crashes related to GMWin 4.
6. Coordinate with LS Electric for timely patch releases and apply updates as soon as they become available.
7. Consider network segmentation to isolate industrial control systems running GMWin 4 from general IT networks, reducing the attack surface.
8. Use sandboxing or virtualized environments for opening and testing PRJ files when possible to contain potential exploitation.

These measures go beyond generic advice by focusing on operational controls, user behavior, and network architecture tailored to the industrial context of GMWin 4.


Technical Details

Data Version
5.1
Assigner Short Name
icscert
Date Reserved
2025-06-11T15:07:28.496Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6851b8bca8c9212743861099

Added to database: 6/17/2025, 6:49:32 PM

Last enriched: 6/17/2025, 7:04:31 PM

Last updated: 8/6/2025, 5:35:13 PM
