CVE-2026-22208: Critical OpenS100 Lua Flaw Enables Remote Code Execution Through Malicious Chart Files

OpenS100 – Unrestricted Lua Execution Leading to Remote Code Execution

CVE ID: CVE-2026-22208
Product: OpenS100 (S-100 Portrayal Engine)
Vulnerability Type: Unrestricted Lua Interpreter / Remote Code Execution
CVSS v3.1 Score: 9.6 (Critical)
Attack Vector: Network (via malicious catalogue distribution)
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact: Full compromise of confidentiality, integrity, and availability

A critical security flaw was identified in OpenS100’s Portrayal Engine where the embedded Lua interpreter was initialized with unrestricted access to standard Lua libraries. Because of this, Lua scripts embedded inside S-100 portrayal catalogues were executed with access to system-level functions.

This condition allowed arbitrary operating system commands to be executed when a malicious portrayal catalogue was imported and processed. The execution occurred under the security context of the OpenS100 process, meaning system-level compromise was possible depending on how the application was deployed.


Technical Description

The vulnerability originated from a call to luaL_openlibs() without any sandbox restrictions. By default, this function loads every standard Lua library, including the os, io, debug and package libraries together with the base-library chunk loaders:

  • os
  • io
  • debug
  • package
  • loadfile
  • dofile
  • load
  • loadstring

These libraries and functions provide capabilities such as:

  • Executing operating system commands
  • Reading and writing files
  • Loading dynamic libraries
  • Manipulating global variables
  • Bypassing sandbox attempts

Because portrayal catalogues may contain embedded Lua scripts, an attacker was able to embed malicious instructions inside a specially crafted catalogue. When processed by the Portrayal Engine, those instructions were executed automatically.

The interpreter lacked sandboxing, function filtering, or environment isolation mechanisms.


Root Cause

The issue was caused by:

  1. Failure to restrict Lua standard libraries.
  2. Absence of sandbox policy enforcement.
  3. Lack of validation or filtering of Lua script content inside portrayal catalogues.
  4. Execution of untrusted script content without privilege separation.

Exploitation Scenario

The following attack flow was possible:

  1. A malicious S-100 portrayal catalogue was crafted.
  2. Lua payload was embedded inside the catalogue.
  3. The catalogue was delivered via email, shared repository, removable media, or supply chain distribution.
  4. A user imported the catalogue into OpenS100.
  5. The Portrayal Engine executed the Lua script.
  6. System commands were executed on the host machine.

Because user interaction was required (catalogue import), exploitation typically involved social engineering or trusted supply chain poisoning.


Impact

If exploited successfully, the following could occur:

  • Arbitrary command execution
  • Remote shell establishment
  • Malware deployment
  • Data exfiltration
  • Credential harvesting
  • Lateral movement inside internal networks
  • Persistence mechanism installation

Impact severity depended on the privileges of the OpenS100 process. If executed under administrative privileges, full system compromise was possible.


Proof of Concept (Educational)

The vulnerability was demonstrable through Lua calls that invoked operating system execution functions. Internal testing confirmed that calls to system-level APIs were possible before patching.

Indicators of exploitation included:

  • Execution of unexpected binaries
  • Creation of suspicious files
  • Unexpected network connections
  • Invocation of shell interpreters

No widespread public weaponized exploit package was distributed; however, reproduction was straightforward due to unrestricted interpreter access.


Detection and Monitoring

Host-Based Indicators

The following behavioral indicators should be monitored:

  • OpenS100 spawning child processes such as:
    • cmd.exe
    • powershell.exe
    • bash
    • sh
    • wscript.exe
  • Unexpected outbound connections initiated by OpenS100
  • File writes outside expected application directories
  • Loading of dynamic libraries at runtime

Log Sources to Monitor

  • Windows Security Event Logs (4688 – Process Creation)
  • Sysmon Event ID 1 (Process Creation)
  • Linux auditd (execve)
  • EDR telemetry
  • Firewall and proxy logs
  • Application logs from OpenS100
  • File integrity monitoring logs

Detection Queries

Windows Event Log Query

EventID=4688
AND ParentProcessName LIKE "%OpenS100%"
AND (
     NewProcessName LIKE "%cmd.exe%" OR
     NewProcessName LIKE "%powershell.exe%" OR
     NewProcessName LIKE "%wscript.exe%"
)

Sysmon Query

EventID=1
AND ParentImage LIKE "%OpenS100.exe"
AND (
     Image LIKE "%cmd.exe" OR
     Image LIKE "%powershell.exe" OR
     Image LIKE "%bash.exe"
)

Linux auditd Query

type=SYSCALL
AND syscall=execve
AND ppid=<pid of the running OpenS100 process>

auditd records carry no parent command name: the EXECVE record holds only the argument vector, and the parent appears as ppid on the accompanying SYSCALL record, so the match is made on ppid (or on the comm/exe fields of the record that has that pid) rather than on a parent_comm field.

Suspicious Lua Content Scan

(os\.execute|io\.popen|io\.open|loadfile\(|dofile\(|loadstring\(|package\.loadlib|debug\.)

Any portrayal catalogue containing the above patterns should be flagged for review.
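The pattern above as a runnable pre-import scanner, added here as an example; it is not part of the advisory or of the OpenS100 project. It applies the advisory's blocklist regex to each rule file and adds a stricter allowlist check that reports every global name a rule references that is not on an approved list. The catalogue layout (a mapping of rule-file name to Lua text), the approved-global set, the file names and the sample rule bodies are all constructed for this example.

```python
import re

# Blocklist: the advisory's "Suspicious Lua Content Scan" pattern, applied to raw text.
BLOCKLIST_RE = re.compile(
    r"(os\.execute|io\.popen|io\.open|loadfile\(|dofile\(|loadstring\(|package\.loadlib|debug\.)"
)

# Allowlist of globals a portrayal rule is expected to use. Constructed for this
# example; a real deployment derives it from the engine's documented rule API.
ALLOWED_GLOBALS = {
    "math", "string", "table", "tostring", "tonumber", "type", "pairs", "ipairs",
    "select", "next", "error", "assert", "pcall",
}
LUA_KEYWORDS = {
    "and", "break", "do", "else", "elseif", "end", "false", "for", "function",
    "goto", "if", "in", "local", "nil", "not", "or", "repeat", "return", "then",
    "true", "until", "while",
}

# Line comments and quoted strings are blanked before identifier scanning so
# their contents are not mistaken for variable references.
STRIP_RE = re.compile(r"""--.*?$|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'""", re.M)
# An identifier that is not a field access, i.e. not preceded by '.' or ':'.
IDENT_RE = re.compile(r"(?<![\w.:])[A-Za-z_]\w*")
# 'local a, b = ...' / 'local function f(' declarations and function parameters.
LOCAL_DECL_RE = re.compile(r"\blocal\s+(?:function\s+)?([\w\s,]+?)(?=\s*(?:=|\(|$))", re.M)
PARAM_RE = re.compile(r"\bfunction\b[^(]*\(([^)]*)\)")


def declared_locals(code):
    """Names introduced by 'local' statements or as function parameters."""
    names = set()
    for regex in (LOCAL_DECL_RE, PARAM_RE):
        for m in regex.finditer(code):
            names.update(n.strip() for n in m.group(1).split(",") if n.strip())
    return names


def scan_lua(code):
    """Return {'blocklist': [(line, match)], 'unknown_globals': [(line, name)]}."""
    findings = {"blocklist": [], "unknown_globals": []}
    for lineno, line in enumerate(code.splitlines(), 1):
        for m in BLOCKLIST_RE.finditer(line):
            findings["blocklist"].append((lineno, m.group(0)))
    stripped = STRIP_RE.sub("", code)
    locals_ = declared_locals(stripped)
    for lineno, line in enumerate(stripped.splitlines(), 1):
        for m in IDENT_RE.finditer(line):
            name = m.group(0)
            if name in LUA_KEYWORDS or name in ALLOWED_GLOBALS or name in locals_:
                continue
            findings["unknown_globals"].append((lineno, name))
    return findings


def scan_catalogue(rule_files):
    """Findings per Lua rule file in a catalogue; files with no findings are omitted."""
    report = {}
    for name, code in rule_files.items():
        if not name.lower().endswith(".lua"):
            continue
        findings = scan_lua(code)
        if findings["blocklist"] or findings["unknown_globals"]:
            report[name] = findings
    return report


# Constructed sample catalogue: rule-file name -> Lua source. The file names and
# rule bodies are invented for this example and are not real OpenS100 content.
SAMPLE_CATALOGUE = {
    "Rules/DepthContour.lua": (
        "-- colour a depth contour by its value\n"
        "local function contourColour(depth)\n"
        "  if depth < 10 then return 'DEPCN' end\n"
        "  return string.format('DEP%02d', math.floor(depth))\n"
        "end\n"
        "return contourColour\n"
    ),
    "Rules/Tampered.lua": (
        "local out = io.popen('echo constructed-sample')\n"
        "local g = _G  -- not matched by the blocklist, caught by the allowlist\n"
        "return 1\n"
    ),
}

if __name__ == "__main__":
    for path, findings in scan_catalogue(SAMPLE_CATALOGUE).items():
        print(path)
        for lineno, hit in findings["blocklist"]:
            print(f"  line {lineno}: blocklisted call {hit}")
        for lineno, name in findings["unknown_globals"]:
            print(f"  line {lineno}: global '{name}' is not on the allowlist")
```

The second check is the one worth keeping: the blocklist matches only the literal spellings it lists, whereas a rule that reaches the same tables indirectly (through _G, for instance) still surfaces as an unknown global. Treat any unknown global as a review item, not an automatic rejection, and tune the allowlist against the rule files of catalogues known to be good.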


Network Monitoring Query

process_name="OpenS100.exe"
AND destination_ip NOT IN (approved_internal_ranges)
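The Windows Event Log, Sysmon and network queries above as runnable detection logic over sample records, added here as an example; it is not code from the advisory or from the OpenS100 project. Both process-creation sources are normalised to a parent/child pair so one rule serves 4688 and Sysmon Event ID 1, path casing is ignored, and the egress rule resolves the advisory's approved_internal_ranges placeholder with the ipaddress module. The log lines, the RenderHelper.exe child, the flow records and the approved ranges are all constructed for this example.

```python
import ipaddress
import re

# Interpreters a chart-portrayal process has no business launching.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "bash", "bash.exe", "sh"}
# Case-insensitive fragment of the parent image name, as in the advisory's queries.
MONITORED_PARENT = "opens100"
# Constructed stand-in for the advisory's approved_internal_ranges.
APPROVED_RANGES = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "192.168.0.0/16")]
# Parent/child field names per source: Windows Security 4688 and Sysmon Event ID 1.
FIELD_MAP = {"4688": ("ParentProcessName", "NewProcessName"), "1": ("ParentImage", "Image")}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse a constructed Key=Value line (quoted values may contain spaces)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def basename(path):
    """Lower-cased final component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_child_process(event):
    """True when OpenS100 spawned a shell or script interpreter (4688 or Sysmon 1)."""
    fields = FIELD_MAP.get(event.get("EventID"))
    if fields is None:
        return False
    parent, child = (event.get(k, "") for k in fields)
    return MONITORED_PARENT in basename(parent) and basename(child) in SUSPICIOUS_CHILDREN


def unapproved_egress(flow):
    """True when OpenS100.exe connects to a destination outside the approved ranges."""
    if basename(flow.get("process_name", "")) != "opens100.exe":
        return False
    try:
        dst = ipaddress.ip_address(flow["destination_ip"])
    except (KeyError, ValueError):
        return True  # a missing or unparseable destination is surfaced, not dropped
    return not any(dst in net for net in APPROVED_RANGES)


# Constructed sample records; paths and the helper executable name are invented.
SAMPLE_LOG = [
    # Sysmon: OpenS100 spawning cmd.exe -> alert
    r'EventID=1 ParentImage="C:\Program Files\OpenS100\OpenS100.exe" Image="C:\Windows\System32\cmd.exe"',
    # Sysmon: OpenS100 spawning its own (invented) helper -> no alert
    r'EventID=1 ParentImage="C:\Program Files\OpenS100\OpenS100.exe" Image="C:\Program Files\OpenS100\RenderHelper.exe"',
    # Security log 4688: upper-cased path must still match -> alert
    r'EventID=4688 ParentProcessName="C:\PROGRAM FILES\OPENS100\OPENS100.EXE" NewProcessName="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    # Security log 4688: explorer launching cmd.exe -> no alert (wrong parent)
    r'EventID=4688 ParentProcessName="C:\Windows\explorer.exe" NewProcessName="C:\Windows\System32\cmd.exe"',
]
SAMPLE_FLOWS = [
    {"process_name": "OpenS100.exe", "destination_ip": "10.20.30.40"},  # approved range
    {"process_name": "OpenS100.exe", "destination_ip": "203.0.113.7"},  # outside -> alert
    {"process_name": "chrome.exe", "destination_ip": "203.0.113.7"},    # different process
]


def run_detections(log_lines=SAMPLE_LOG, flows=SAMPLE_FLOWS):
    """Return one alert string per matching process-creation line or flow record."""
    alerts = []
    for line in log_lines:
        ev = parse_kv(line)
        if suspicious_child_process(ev):
            parent_key, child_key = FIELD_MAP[ev["EventID"]]
            alerts.append(f"child-process: {basename(ev[parent_key])} -> {basename(ev[child_key])}")
    for flow in flows:
        if unapproved_egress(flow):
            alerts.append(f"egress: {flow['process_name']} -> {flow['destination_ip']}")
    return alerts


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Matching on the file name rather than the full path is deliberate: the advisory's queries use a trailing wildcard for the same reason, since the install directory varies between hosts. Expect to add an exclusion for any legitimate helper the engine itself launches once that is confirmed from a clean baseline.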

MITRE ATT&CK Mapping

  • T1059 – Command and Scripting Interpreter
  • T1204 – User Execution
  • T1105 – Ingress Tool Transfer
  • T1041 – Exfiltration Over C2 Channel

Mitigation Recommendations

  • Apply the official security patch immediately.
  • Restrict OpenS100 execution privileges.
  • Block untrusted portrayal catalogue sources.
  • Implement content scanning before catalogue import.
  • Deploy endpoint detection for suspicious child processes.
  • Enforce network egress filtering.

Incident Response Guidance

If exploitation is suspected:

  1. Isolate the affected system.
  2. Collect process creation logs.
  3. Inspect recently imported portrayal catalogues.
  4. Review outbound network connections.
  5. Rotate potentially exposed credentials.
  6. Reimage compromised systems if necessary.
  7. Validate patch deployment across all instances.

Official Patch / Upgrade Link

The vulnerability was addressed by disabling dangerous Lua global libraries inside the interpreter environment.

Official patch commit:
https://github.com/S-100ExpertTeam/OpenS100/commit/753cf294434e8d3961f20a567c4d99151e3b530d

All installations should be updated to a version that includes this fix.


Conclusion

CVE-2026-22208 represents a high-impact unrestricted-interpreter condition leading to remote code execution: the embedded Lua interpreter ran untrusted catalogue scripts with no sandbox in place. Because exploitation required only catalogue import and no authentication bypass, the attack surface was considered significant in operational environments where third-party S-100 catalogues were routinely processed.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.