Softing OPC-UA C++ SDK

Plan PatchCVSS 7.5ICS-CERT ICSA-21-168-02Jun 17, 2021

Softing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A remote attacker can crash applications using the Softing OPC UA C++ SDK (versions 5.59 to 5.64) by sending a specially crafted message to the publisher or subscriber protocol implementation, resulting in denial of service. The vulnerability exists in exported library functions; the impact depends on how the library is integrated into the application. Softing has released version 5.65 to address this issue and recommends customers using the publisher/subscriber protocol upgrade or disable the affected functionality.

What this means

What could happen

An attacker on the network could crash applications using the OPC UA C++ SDK, causing temporary loss of data communication between control systems and monitoring platforms. This could prevent operators from seeing live process data or issuing remote commands.

Who's at risk

Any water utility, municipality, or industrial facility using software built on Softing's OPC UA C++ SDK versions 5.59 to 5.64 for historian integration, data aggregation, or remote monitoring. This includes SCADA systems, HMI applications, and gateway devices that bridge field devices to enterprise reporting platforms.

How it could be exploited

An attacker with network access to a device running the vulnerable OPC UA C++ SDK could send a specially crafted message to the publisher or subscriber protocol implementation. This triggers a crash in the library's exported functions, severing OPC UA communication until the application restarts.

Prerequisites

Network access to the OPC UA port (typically 4840)
The device or application must be using OPC UA publisher or subscriber protocol functions from the vulnerable SDK versions

remotely exploitableno authentication requiredlow complexityaffects data availability and operator visibility

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

OPC UA C++ SDK (Software Development Kit):≥ 5.59 | ≤ 5.645.65

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable OPC UA publisher and subscriber protocol functionality if not actively used in operations

HARDENINGRestrict network access to OPC UA ports using firewall rules; only permit communication from trusted engineering and SCADA workstations

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Softing OPC UA C++ SDK to version 5.65 or later

Long-term hardening

0/1

HARDENINGIsolate control system networks from business networks and the Internet; ensure OPC UA devices are not directly Internet-accessible

CVEs (1)

CVE-2021-32994

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7092c7c2-434b-4647-be58-a1c9126f9983

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.