PTC Kepware KEPServerEX (Update A)
Priority: Act Now | CVSS: 9.8 | ICS-CERT ICSA-20-352-02 | Dec 17, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
PTC KEPServerEX and related industrial connectivity products contain memory-safety vulnerabilities (stack-based buffer overflow, CWE-121; heap-based buffer overflow, CWE-122; use-after-free, CWE-416) affecting versions 6.0 through 6.9. Successful exploitation could lead to server crashes, denial-of-service conditions, data leakage, or remote code execution. The vulnerabilities are remotely exploitable with no authentication required and low attack complexity.
What this means
What could happen
An attacker could crash the Kepware server, causing loss of connectivity between your SCADA systems and industrial devices, or execute arbitrary code on the server to alter device communications, steal configuration data, or disrupt monitoring and control operations.
Who's at risk
Manufacturing facilities using PTC KEPServerEX, ThingWorx Kepware Server, Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server, Software Toolbox TOP Server, ThingWorx Industrial Connectivity, or OPC-Aggregator for SCADA communications, data collection, and device gateway functions. Any facility relying on these products for connectivity between engineering systems and industrial devices (PLCs, RTUs, field instruments) should prioritize patching.
How it could be exploited
An attacker with network access to the Kepware server (typically port 502 for Modbus or OPC ports) sends a specially crafted message or request that triggers a buffer overflow. This could allow the attacker to crash the service or, with careful payload construction, execute commands with the privileges of the Kepware process.
Prerequisites
- Network access to Kepware server ports (OPC, Modbus, or HTTP/HTTPS)
- No valid credentials required
- Server must be reachable from attacker's network
Tags: remotely exploitable, no authentication required, low complexity, high CVSS score (9.8), affects industrial connectivity and data aggregation, impacts multiple vendors and product lines
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7, all with a fix available)
Product | Affected Versions | Fix Status
ThingWorx Kepware Server | 6.8, 6.9 | 6.9.584.0
Rockwell Automation KEPServer Enterprise | 6.6.504.0, 6.9.572.0 | 6.9.584.0
GE Digital Industrial Gateway Server | 7.68.804, 7.66 | 6.9.584.0
KEPServerEX | 6.0 through 6.9 (≥ 6.0 and ≤ 6.9) | 6.9.584.0
ThingWorx Industrial Connectivity | All versions | 6.9.584.0
Software Toolbox TOP Server | All 6.x versions | 6.9.584.0
OPC-Aggregator | All versions | 6.9.584.0
Remediation & Mitigation
Do now
- HARDENING: Isolate Kepware servers behind firewalls and restrict network access to only authorized engineering workstations and SCADA networks
- HARDENING: Disable direct Internet access to Kepware servers; use VPN with MFA for any remote access to engineering functions
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade KEPServerEX version 6.6 to 6.6.362.0
- HOTFIX: Upgrade KEPServerEX version 6.7 to 6.7.1067.0
- HOTFIX: Upgrade KEPServerEX version 6.8 to 6.8.838.0
- HOTFIX: Upgrade KEPServerEX version 6.9 to 6.9.584.0
- HOTFIX: Upgrade ThingWorx Kepware Server version 6.8 to 6.8.839.0
- HOTFIX: Upgrade ThingWorx Kepware Server version 6.9 to 6.9.584.0
- HOTFIX: Upgrade Rockwell Automation KEPServer Enterprise version 6.6 to 6.6.550.0
- HOTFIX: Upgrade Rockwell Automation KEPServer Enterprise version 6.9 to 6.9.584.0
- HOTFIX: Upgrade GE Digital Industrial Gateway Server versions 7.68.804 and 7.66 to 7.68.839.0
- HOTFIX: Upgrade Software Toolbox TOP Server version 6.7 to 6.7.1068.0
- HOTFIX: Upgrade Software Toolbox TOP Server version 6.8 to 6.8.840.0
- HOTFIX: Upgrade Software Toolbox TOP Server version 6.9 to 6.9.584.0
- HOTFIX: Upgrade ThingWorx Industrial Connectivity version 8.4 to 8.4 (6.6.362.0)
- HOTFIX: Upgrade ThingWorx Industrial Connectivity version 8.5 to 8.5 (6.7.1068.0)
- HOTFIX: Upgrade OPC-Aggregator version 6.9 to 6.9.584.0
Long-term hardening
- HARDENING: Implement network segmentation to separate Kepware and industrial connectivity systems from business networks
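To check an asset inventory against the branches and minimum fixed builds listed in this advisory, here is an added Python helper (not code from the advisory or from PTC) that reports, for each product and version pair, whether it is already patched, needs its branch hotfix, or must move to the newest fixed build. It assumes dotted numeric version strings as in the tables above, takes fixed builds from the "Schedule" hotfix list, and leaves out ThingWorx Industrial Connectivity because its fix is stated as a bundle version rather than a build number.

```python
"""Inventory triage for ICSA-20-352-02 (added example, not advisory code)."""
from typing import Dict, Tuple

Branch = Tuple[int, int]
# Per product: (first affected major.minor branch, {branch: minimum fixed build}),
# transcribed from the affected-products table and the "Schedule" hotfix list.
# ThingWorx Industrial Connectivity is omitted: its fix is stated as a bundle.
ADVISORY: Dict[str, Tuple[Branch, Dict[Branch, str]]] = {
    "KEPServerEX": ((6, 0), {(6, 6): "6.6.362.0", (6, 7): "6.7.1067.0",
                             (6, 8): "6.8.838.0", (6, 9): "6.9.584.0"}),
    "ThingWorx Kepware Server": ((6, 8), {(6, 8): "6.8.839.0",
                                          (6, 9): "6.9.584.0"}),
    "Rockwell Automation KEPServer Enterprise": ((6, 6), {(6, 6): "6.6.550.0",
                                                          (6, 9): "6.9.584.0"}),
    "GE Digital Industrial Gateway Server": ((7, 66), {(7, 66): "7.68.839.0",
                                                       (7, 68): "7.68.839.0"}),
    "Software Toolbox TOP Server": ((6, 0), {(6, 7): "6.7.1068.0",
                                             (6, 8): "6.8.840.0",
                                             (6, 9): "6.9.584.0"}),
    "OPC-Aggregator": ((0, 0), {(6, 9): "6.9.584.0"}),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'v6.9.572.0' -> (6, 9, 572, 0); rejects anything non-numeric."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable: upgrade to <build>' or 'not listed'."""
    if product not in ADVISORY:
        return "not listed"
    first_affected, fixes = ADVISORY[product]
    v = parse_version(version)
    branch = v[:2]
    if branch in fixes:
        # A bare "6.9" (no build number) sorts below 6.9.584.0, so an entry
        # with an unknown build is conservatively reported as vulnerable.
        fix = fixes[branch]
        return "patched" if v >= parse_version(fix) else f"vulnerable: upgrade to {fix}"
    latest = max(fixes)
    if first_affected <= branch <= latest:
        # Affected branch with no hotfix of its own: move to the newest fixed build.
        return f"vulnerable: upgrade to {fixes[latest]}"
    return "not listed"  # outside the advisory's range; confirm with the vendor
```

Feed it the product names exactly as they appear in the affected-products table; anything else is reported as "not listed" rather than guessed.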