A buffer overflow vulnerability in Novakon P series allows attackers to gain root permission without prior authentication.This issue affects P series: P – V2001.A.C518o2 until P-2.0.05 Build 2026.02.06 (commit d0f97fd9).
The CWE-120 class error (classic buffer overflow) consists of the lack of proper validation of data size being entered into a memory buffer. A network attacker can supply crafted data exceeding the buffer capacity, which leads to overwriting adjacent memory areas and taking control of program execution flow. The vulnerability is accessible without authentication (PR:N, UI:N), making it particularly dangerous for devices exposed to the network.
An attacker can obtain root privileges on the HMI device without prior authentication, meaning complete takeover of the device — including the ability to modify configuration, disrupt industrial processes, and perform further lateral movement in the OT/ICS network.
Firmware should be updated to version P-2.0.05 Build 2026.02.06 (commit d0f97fd9) or newer, in accordance with the official Security Advisory from Novakon manufacturer available at the address indicated in the references. Until the update is applied, it is recommended to isolate HMI devices from public networks and restrict network access only to trusted hosts using a firewall.
Novakon P Series HMI — firmware versions from P – V2001.A.C518o2 to P-2.0.05 Build 2026.02.06 (commit d0f97fd9), with exclusion.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X