Published:2022/05/09  Last Updated:2022/05/09

KOYO Electronics Screen Creator Advance2 vulnerable to authentication bypass


Screen Creator Advance2 provided by KOYO ELECTRONICS INDUSTRIES CO., LTD. contains an authentication bypass vulnerability.

Products Affected

  • Screen Creator Advance2 versions prior to Ver. Build01
According to the developer, the following products are affected by the vulnerability.
  • HMI GC-A2 series
    • GC-A22W-CW
    • GC-A24W-C(W)
    • GC-A26W-C(W)
    • GC-A24
    • GC-A24-M
    • GC-A25
    • GC-A26
    • GC-A26-J2
  • Real time remote monitoring and control tool
    • Remote GC


Screen Creator Advance2 provided by KOYO ELECTRONICS INDUSTRIES CO., LTD. is a screen development tool for KOYO ELECTRONICS's HMI.
Screen Creator Advance2 contains an authentication bypass vulnerability (CWE-807) due to the improper check for the Remote control setting's account names.


An attacker who can access the HMI from Real time remote monitoring and control tool may perform arbitrary operations on the HMI. As a result, the information stored in the HMI may be disclosed, deleted or altered, and/or the equipment may be illegally operated via the HMI.


Update the software
Update the software to the latest version according to the information provided by the developer.
The developer has released the following version.

  • Screen Creator Advance2 Ver. Build01
Apply the workaround
According to the developer, if Remote control function is not use, applying the following workaround to the product may mitigate the impact of this vulnerability.
  • Stop using Remote control function
    • Change the permission of Remote control setting from "True" to "False" and overwrite the settings on HMI
For more information, refer to the information provided by the developer.

Vendor Status

Vendor Link
KOYO ELECTRONICS INDUSTRIES CO., LTD. [Update notice] Screen Creator Advance 2 software of GC-A2 Series


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Base Score: 4.0
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
Base Score: 2.1
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)


KOYO ELECTRONICS INDUSTRIES CO., LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and KOYO ELECTRONICS INDUSTRIES CO., LTD. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2022-29518
JVN iPedia JVNDB-2022-000029