Kepware Resource Exhaustion Vulnerability
Low Risk · ICS-CERT ICSA-15-055-02 · Nov 27, 2015
Summary
The DNP Master Driver for Kepware Technologies' KEPServerEX Communications Platform contains a resource exhaustion vulnerability in its DNP3 protocol handler. Specially crafted DNP3 messages can make the driver consume excessive CPU or memory, hanging or crashing it and disrupting communication between the control system and DNP3-enabled devices (SCADA RTUs, IEDs, smart meters).
What this means
What could happen
An attacker who can deliver malicious DNP3 messages to the Kepware server could exhaust its resources so that the driver stops communicating with field devices until it, or the KEPServerEX runtime, is restarted. This would disrupt real-time monitoring and control of SCADA equipment such as substations, RTUs, and distribution automation devices.
Who's at risk
This vulnerability affects utilities and water authorities using PTC Kepware's KEPServerEX platform to communicate with DNP3 devices. Organizations operating SCADA systems with DNP3-enabled remote terminal units (RTUs), intelligent electronic devices (IEDs), or distribution automation equipment should assess their exposure. This is particularly relevant for electric utilities with DNP3 substations or water utilities with remote pumping station control.
How it could be exploited
The DNP Master Driver is the DNP3 master side: KEPServerEX opens the channel to each outstation (TCP port 20000 on the outstation by default, or the port or serial line configured for the channel) and parses what comes back. An attacker who can deliver DNP3 frames to that driver, whether from a compromised or impersonated outstation or from an on-path position on the master-to-outstation link, sends specially crafted DNP3 protocol messages designed to trigger excessive resource consumption. The driver processes these messages without adequate validation, exhausting CPU or memory until the Kepware service hangs or crashes, breaking communication with every DNP3 field device served by that driver.
Prerequisites
- Ability to deliver DNP3 frames to the DNP Master Driver: reachability of the DNP3 channel the driver uses (TCP/UDP port 20000 by default, or the configured port), or control of an outstation the driver polls
- Ability to send raw DNP3 protocol messages (DNP3 carries no authentication unless DNP3 Secure Authentication is deployed, which the advisory does not assume)
Tags: remotely exploitable · no authentication required · low complexity · affects SCADA communications · no patch available
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product: Kepware Technologies' DNP Master Driver for the KEPServerEX Communications Platform
Affected versions: 5.16.728.0 and earlier (≤ 5.16.728.0)
Fix status: No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict DNP3 traffic to and from the Kepware host (DNP3 uses port 20000 by default, or the port configured per channel) with firewall rules that permit only the outstation addresses the driver is configured to poll and only authorized SCADA networks. Block DNP3 traffic from untrusted or external networks.
Schedule — requires maintenance window
Applying a vendor update, once one is available, may require a reboot of the Kepware host; plan for the interruption to process communication.
HARDENING: Monitor Kepware process memory and CPU usage for anomalies. Set up alerts to detect when the DNP Master Driver process exceeds its normal baseline consumption for a sustained period, indicating a possible resource exhaustion attack.
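As an added example of the baseline alerting described in this item (not a tool from the page, Kepware or ICS-CERT), the following Python script learns what quiet CPU and memory usage look like for one process and alerts only on sustained deviation, so a single busy poll cycle does not page anyone while a wedged driver does. The process name server_runtime.exe is an assumption for the KEPServerEX runtime and should be confirmed on the host; the sample timeline is constructed.

```python
import statistics
import time
from collections import deque

try:
    import psutil  # only needed for live sampling on the Kepware host
except ImportError:  # keeps the baseline logic importable and testable anywhere
    psutil = None

# Assumed name of the KEPServerEX runtime process; confirm it in Task Manager on your install.
KEPWARE_PROCESS = "server_runtime.exe"


class ResourceBaseline:
    """Learn 'normal' CPU and RSS from quiet samples, then flag sustained deviation."""

    def __init__(self, window=60, k=4.0, min_cpu_margin=10.0, mem_growth=1.5, sustain=3):
        self.cpu_hist = deque(maxlen=window)
        self.rss_hist = deque(maxlen=window)
        self.k, self.min_cpu_margin = k, min_cpu_margin
        self.mem_growth, self.sustain = mem_growth, sustain
        self.over = 0  # consecutive samples above threshold

    def thresholds(self):
        """CPU limit = mean + k*stdev, never tighter than a fixed margin; RSS limit from the median."""
        if len(self.cpu_hist) < 2:
            return None, None
        mean, sd = statistics.mean(self.cpu_hist), statistics.pstdev(self.cpu_hist)
        cpu_limit = mean + max(self.k * sd, self.min_cpu_margin)
        rss_limit = statistics.median(self.rss_hist) * self.mem_growth
        return cpu_limit, rss_limit

    def observe(self, cpu_percent, rss_bytes):
        """Feed one sample; return an alert string once `sustain` samples in a row are over."""
        cpu_limit, rss_limit = self.thresholds()
        alert = None
        if cpu_limit is not None and (cpu_percent > cpu_limit or rss_bytes > rss_limit):
            self.over += 1
            if self.over >= self.sustain:
                alert = (f"{KEPWARE_PROCESS}: cpu={cpu_percent:.0f}% (limit {cpu_limit:.0f}%), "
                         f"rss={rss_bytes // 2**20} MiB (limit {rss_limit / 2**20:.0f} MiB) "
                         f"for {self.over} samples")
        else:
            self.over = 0
            # Only quiet samples train the baseline, so an attack cannot raise its own ceiling.
            self.cpu_hist.append(cpu_percent)
            self.rss_hist.append(rss_bytes)
        return alert


def sample_live(name=KEPWARE_PROCESS):
    """One (cpu_percent, rss_bytes) sample of the named process via psutil, or None if absent."""
    if psutil is None:
        raise RuntimeError("psutil is required for live sampling")
    for proc in psutil.process_iter(["name"]):
        if (proc.info["name"] or "").lower() == name:
            return proc.cpu_percent(interval=1.0), proc.memory_info().rss
    return None


def constructed_samples():
    """Constructed timeline: 30 quiet polling samples, then a resource-exhaustion pattern."""
    quiet = [(cpu, 210 * 2**20) for cpu in (4.0, 6.0, 5.0, 7.0, 5.0, 6.0) * 5]
    attack = [(96.0, 900 * 2**20)] * 4
    return quiet + attack


def run(samples, baseline=None):
    """Replay samples through a baseline; returns one alert-or-None per sample."""
    baseline = baseline or ResourceBaseline()
    return [baseline.observe(cpu, rss) for cpu, rss in samples]


if __name__ == "__main__":
    baseline = ResourceBaseline()
    while True:  # live loop on the Kepware host: one sample every 5 s
        sample = sample_live()
        if sample is not None:
            alert = baseline.observe(*sample)
            if alert:
                print("ALERT", alert)
        time.sleep(5)
```

The baseline is trained only on samples that pass the check, so a slow ramp in load cannot quietly raise the alert ceiling; tune `window`, `k` and `sustain` against a week of normal polling before relying on it.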
Long-term hardening
HARDENING: Implement DNP3 traffic rate limiting or connection limits at the network level (a firewall or an inline protocol-aware filter; a passive network TAP feeding an IDS can alert but cannot block) to prevent flooding that could trigger the resource exhaustion condition.
HARDENING: Segment the Kepware server on a dedicated management network, isolated from untrusted network segments and the Internet. Ensure only authorized SCADA devices and engineering workstations can reach it.
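As an added example (not code from the page, ICS-CERT or Kepware), the following Python script shows what a protocol-aware filter placed in front of the master could do against the crafted-message and flooding scenarios described above: validate DNP3 link-layer frames against the framing rules before any payload is parsed, and apply a per-source frame budget like the rate limit suggested in the hardening item. Frame layout, CRC-16/DNP and the DIR bit semantics come from the DNP3 (IEEE 1815) link layer; the sample frames, addresses and budget values are constructed for the demo, and nothing here reproduces the crafted messages that trigger the Kepware condition, which the advisory does not describe.

```python
import struct
import time
from collections import defaultdict, deque

START = b"\x05\x64"
HEADER_LEN = 10        # start(2) + LEN + CTRL + DEST(2) + SRC(2) + CRC(2)
MAX_USER_DATA = 250    # LEN is at most 255 and covers CTRL, DEST, SRC plus user data


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (0xA6BC reflected), init 0, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Assemble a link-layer frame with correct CRCs; used here only to make sample input."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data exceeds 250 bytes")
    header = START + bytes([5 + len(user_data), ctrl]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), 16):  # 16-byte blocks, each followed by its own CRC
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame


def validate_frame(frame: bytes, expect_from_outstation: bool = True):
    """Return (ok, reason, parsed). Header, size and every CRC are checked before payload use."""
    if len(frame) < HEADER_LEN or frame[:2] != START:
        return False, "bad start bytes or truncated header", None
    length, ctrl = frame[2], frame[3]
    dest, src, hdr_crc = struct.unpack("<HHH", frame[4:10])
    if length < 5:
        return False, "LEN below the minimum of 5", None
    if dnp3_crc(frame[:8]) != hdr_crc:
        return False, "header CRC mismatch", None
    user_len = length - 5
    expected = HEADER_LEN + user_len + 2 * ((user_len + 15) // 16)
    if len(frame) != expected:
        return False, f"frame is {len(frame)} bytes but LEN implies {expected}", None
    # CTRL bit 7 (DIR) is set on frames sent by a master; a master should never receive one.
    if expect_from_outstation and ctrl & 0x80:
        return False, "DIR bit set: frame claims to come from a master", None
    user_data, pos, remaining = bytearray(), HEADER_LEN, user_len
    while remaining:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        (crc,) = struct.unpack("<H", frame[pos + n:pos + n + 2])
        if dnp3_crc(block) != crc:
            return False, f"data block CRC mismatch at offset {pos}", None
        user_data += block
        pos, remaining = pos + n + 2, remaining - n
    parsed = {"ctrl": ctrl, "func": ctrl & 0x0F, "dest": dest, "src": src,
              "user_data": bytes(user_data)}
    return True, "ok", parsed


class SourceRateLimiter:
    """Sliding-window budget of frames per DNP3 source address."""

    def __init__(self, max_frames: int, window_seconds: float):
        self.max_frames, self.window = max_frames, window_seconds
        self.seen = defaultdict(deque)

    def allow(self, src: int, now=None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.seen[src]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_frames:
            return False
        q.append(now)
        return True


def screen(frames, limiter: SourceRateLimiter, now: float = 0.0):
    """Validate each frame, then apply the per-source budget; returns a verdict per frame."""
    verdicts = []
    for frame in frames:
        ok, reason, parsed = validate_frame(frame)
        if not ok:
            verdicts.append(("drop", reason))
        elif not limiter.allow(parsed["src"], now):
            verdicts.append(("drop", f"source {parsed['src']} over its frame budget"))
        else:
            verdicts.append(("pass", "ok"))
    return verdicts


def constructed_samples() -> dict:
    """Hand-built traffic for the demo (constructed here, not captured from a real system)."""
    payload = b"\xc0\xc1\x81\x00\x00"                                  # transport hdr, app ctrl, RESPONSE, IIN
    good = build_frame(0x44, dest=1, src=3, user_data=payload)        # unconfirmed user data from outstation 3
    bad_crc = good[:-1] + bytes([good[-1] ^ 0xFF])                    # corrupt the last data-block CRC byte
    header = START + bytes([255, 0x44]) + struct.pack("<HH", 1, 3)   # LEN promises 250 bytes of user data
    oversized = header + struct.pack("<H", dnp3_crc(header)) + b"\x00" * 8
    from_master = build_frame(0xC4, dest=1, src=3, user_data=payload)  # DIR bit set
    return {"good": good, "bad_crc": bad_crc, "oversized": oversized, "from_master": from_master}


if __name__ == "__main__":
    s = constructed_samples()
    limiter = SourceRateLimiter(max_frames=3, window_seconds=1.0)
    for verdict in screen([s["good"]] * 5 + [s["bad_crc"], s["oversized"], s["from_master"]], limiter):
        print(verdict)
```

The length check rejects a frame whose LEN field promises more data than arrived before anything is allocated for it, and the per-source budget bounds how many well-formed frames one outstation address can push through per window; neither replaces the vendor fix, but both shrink what reaches the vulnerable parser.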
CVEs (1)