Delving into Windows CE, Part 4: Vulnerability Research into a Windows CE-Based HMI Used in the Wild

ID: 04cc781e-a953-5a47-a2bc-b7e965cb1272

STIX ID: report--04cc781e-a953-5a47-a2bc-b7e965cb1272

Feed Name: Claroty Team82

Threat Score: 75/100

Date Published: 2025-05-06

Date Updated: 2026-04-17

Author: Tomer Goldschmidt

This report describes the discovery and exploitation of a stack buffer overflow in the WSFTP.exe FTP server on Windows CE-based AutomationDirect C-more HMI panels. It details firmware unpacking, analysis of the vulnerable code, a proof-of-concept RCE exploit (CVE-2024-25137) using wide-char payloads and ROP, the identification of ~330 exposed devices online, and coordinated disclosure with vendor patches and a CISA advisory.