OTPulse

Beckhoff TwinCAT

Monitor · CVSS 7.8 · ICS-CERT ICSA-18-081-02 · Mar 22, 2018
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A privilege escalation vulnerability (CWE-822, untrusted pointer dereference) exists in Beckhoff TwinCAT that allows a local user to gain system-level code execution. The vulnerability affects TwinCAT 3.1 Build 4022.4 and earlier, TwinCAT 2.11 R3 2259 and earlier, and TwinCAT 3.1 C++/Matlab implementations on TC1210, TC1220, TC1300, and TC1320 controllers. No vendor patch has been released. Exploitation requires local user access to the machine running TwinCAT but does not require elevated privileges or user interaction.

What this means
What could happen
An attacker with local access to a TwinCAT system could execute arbitrary code with elevated privileges, allowing them to modify controller logic, alter process parameters, or halt plant operations entirely.
Who's at risk
Water authorities, utilities, and manufacturers relying on Beckhoff TwinCAT-based automation systems should prioritize this—specifically facilities using TwinCAT 3.1 (Build 4022.4 or earlier), TwinCAT 2.11 R3, or embedded TwinCAT on TC1200/TC1300-series Industrial PCs for critical process control, pump stations, or electrical distribution automation.
How it could be exploited
An attacker with local user-level access to a Windows machine running TwinCAT can exploit a privilege escalation vulnerability (CWE-822) to gain system-level control without requiring elevated credentials or user interaction. From there, they could modify the real-time control software running on the programmable logic controller (PLC).
Prerequisites
  • Local user account on the Windows system running TwinCAT
  • No additional privileges or credentials required beyond standard user access
  • Low complexity to exploit
  • Local access required (not remotely exploitable from the network)
  • No vendor patch available
  • Affects automation control software
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (3, all pending a vendor fix)

Product | Affected Versions | Fix Status
TwinCAT 3.1 Build 4022.4 or prior | ≤ 3.1 Build 4022.4 | No fix yet
TwinCAT 2.11 R3 2259 or prior | ≤ 2.11 R3 2259 | No fix yet
TwinCAT 3.1 C++ / Matlab (TC1210/TC1220/TC1300/TC1320) | ≤ 3.1 C++ / Matlab (TC1210/TC1220/TC1300/TC1320) | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Implement firewall rules to block all inbound network traffic to TwinCAT systems from untrusted sources

Schedule — requires maintenance window
  Note: Patching may require a device reboot — plan for process interruption
  • HARDENING: Restrict local logon access to TwinCAT systems to authorized personnel only via operating system access controls

Long-term hardening
  • HARDENING: Isolate TwinCAT engineering workstations and runtime systems from the business network using a dedicated control network
  • HARDENING: Monitor and log all local user activity on TwinCAT systems to detect unauthorized access attempts
  • HARDENING: If remote access is required for maintenance, use a VPN with strong authentication and ensure the VPN is kept current with security patches