OTPulse

Beckhoff TwinCAT Read Access Violation

Act Now · ICS-CERT ICSA-11-279-04 · Jul 9, 2011
Summary

Beckhoff TwinCAT versions 2.10, 2.11, and 2.11R2 contain a read access violation in the engineering interface that allows unauthenticated reading of memory contents. The vulnerability stems from insufficient bounds checking on memory read operations, potentially exposing controller state, process parameters, and other sensitive runtime data. No patch is available from the vendor for the affected TwinCAT 2.x versions.

What this means
What could happen
An attacker with network access to the TwinCAT engineering interface could read sensitive data from memory, potentially including process parameters, controller state, or credentials used by the automation system.
Who's at risk
Organizations using Beckhoff TwinCAT 2.10, 2.11, or 2.11R2 for industrial automation, motion control, or process control applications should assess their network exposure. This affects facilities using TwinCAT-based PLCs, motion controllers, and embedded automation systems across manufacturing, utilities, and other critical infrastructure sectors.
How it could be exploited
An attacker would need to send specially crafted read requests to the TwinCAT runtime or engineering interface port. The vulnerability allows reading arbitrary memory regions without proper bounds checking, enabling disclosure of sensitive controller data and potentially configuration details needed to plan further attacks on the automation system.
Prerequisites
  • Network access to the TwinCAT engineering interface port (typically 48898 or 501)
  • No authentication required to trigger the read access violation
Tags: remotely exploitable · no authentication required · no patch available · memory disclosure vulnerability · high EPSS score (59.8%)
Exploitability
High exploit probability (EPSS 59.8%)
Affected products (1)
Product     Affected Versions       Fix Status
TwinCAT     2.10, 2.11, 2.11R2      No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to TwinCAT engineering ports using firewall rules; limit to engineering workstations only and deny from untrusted network segments
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact Beckhoff to determine if an upgrade path to a patched version (TwinCAT 3.x) is feasible for your application
Long-term hardening
HARDENING: Implement network segmentation to isolate the TwinCAT controller and engineering workstations from general corporate network traffic and internet-facing systems
HARDENING: Monitor network traffic to the TwinCAT system for unusual read requests or engineering interface connections from unexpected sources
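The monitoring item above can be turned into a concrete check: flag any connection to the TwinCAT engineering ports named in this advisory (48898 and 501) whose source is not an approved engineering workstation. The following is an added example written for this page, not OTPulse or Beckhoff code; the firewall log format, the engineering subnet (10.10.5.0/24) and the sample log lines are all constructed for illustration.

```python
"""Flag TwinCAT engineering-port connections from non-engineering hosts.

Added example (not OTPulse or Beckhoff code). The log line format
"<timestamp> <src_ip> <dst_ip> <proto> <dst_port> <action>", the
engineering subnet and the sample records are constructed assumptions.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Engineering interface ports named in the advisory.
TWINCAT_PORTS = {48898, 501}

# Assumption: approved engineering workstations live in this subnet.
ENGINEERING_NETS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed sample firewall log; 10.10.9.10 plays the TwinCAT controller.
SAMPLE_LOG = """\
2024-01-15T08:00:01Z 10.10.5.20 10.10.9.10 tcp 48898 allow
2024-01-15T08:00:05Z 10.20.1.55 10.10.9.10 tcp 48898 allow
2024-01-15T08:00:09Z 192.168.3.4 10.10.9.10 tcp 501 allow
2024-01-15T08:00:12Z 10.10.5.21 10.10.9.10 tcp 22 allow
2024-01-15T08:00:15Z 10.20.1.55 10.10.9.10 tcp 48898 deny
"""


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny"; denied attempts are still worth seeing


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, int, str]]:
    """Parse one log record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, port, action = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        port_num = int(port)
    except ValueError:
        return None
    return ts, src, dst, proto, port_num, action


def is_engineering_host(ip: str, allowed_nets=ENGINEERING_NETS) -> bool:
    """True if the source belongs to an approved engineering subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed_nets)


def find_unexpected_access(log_text: str, allowed_nets=ENGINEERING_NETS) -> List[Finding]:
    """Return every TwinCAT-port connection from a non-engineering source."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, _proto, port, action = rec
        if port not in TWINCAT_PORTS:
            continue  # unrelated traffic
        if is_engineering_host(src, allowed_nets):
            continue  # expected engineering workstation
        findings.append(Finding(ts, src, dst, port, action))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per source address, for triage."""
    return dict(Counter(f.src for f in findings))


if __name__ == "__main__":
    hits = find_unexpected_access(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.src} -> {h.dst}:{h.port} ({h.action})")
    print("per-source:", summarize(hits))
```

Denied connections are reported alongside allowed ones on purpose: a blocked attempt to reach port 48898 from an unexpected segment is exactly the signal the hardening item asks operators to watch for, and a repeat count per source (the summary) separates a misconfigured host from a scan.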