Two critical vulnerabilities affecting several industrial IoT (IIoT) software products made by PTC have been discovered by Chris Anastasio and Steven Seeley of Incite Team. The flaws, CVE-2023-0754 and CVE-2023-0755, can be exploited for denial-of-service (DoS) attacks and remote code execution, and were reported to PTC in late March 2022.
Products impacted by the security bugs include ThingWorx Edge MicroServer (EMS) and .NET SDK, Kepware KEPServerEX, ThingWorx Kepware Server, ThingWorx Industrial Connectivity, and ThingWorx Kepware Edge. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory about the vulnerabilities and noted that the affected products are used worldwide in multiple industries.
PTC has released updates that should address the vulnerabilities and mitigate the risk of exploitation. The vendor has also noted that Kepware products are only vulnerable if the ThingWorx interface is enabled. Products from Rockwell Automation and GE may also be impacted if they use the ThingWorx interface.
Proof-of-concept (PoC) exploits for the vulnerabilities have been released by the researchers. While remote code execution is technically possible, an attacker would most likely achieve a DoS condition by exploiting these flaws. A Shodan search for ThingWorx does show roughly 350 instances, but it’s unclear if any of them are impacted.
It is important for organizations to take necessary steps to protect their networks and systems from these vulnerabilities, as DoS attacks can lead to the disruption of critical industrial processes. Organizations should update their PTC software products to the latest versions in order to mitigate the risk of exploitation.
Key Points:
- Two critical vulnerabilities in several industrial IoT (IIoT) software products made by PTC have been discovered.
- The flaws can be exploited for denial-of-service (DoS) attacks and remote code execution.
- The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory about the vulnerabilities.
- PTC has released updates to address the flaws.
- Proof-of-concept (PoC) exploits have been released by the researchers.
- Organizations should update their PTC software products to the latest versions to mitigate the risk of exploitation.