PTC Axeda agent and Axeda Desktop Server (Update C)
Act Now · CVSS 9.8 · ICS-CERT ICSA-22-067-01 · Mar 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Axeda agent and Axeda Desktop Server contain multiple critical vulnerabilities in credential handling, access control, and file handling that could result in full system access, remote code execution, reading or changing of configuration, file system read access, log access, and denial of service. The vulnerabilities affect all versions of both products. Hardcoded credentials (CWE-798), missing authentication (CWE-306), information disclosure (CWE-200), path traversal (CWE-22), and improper handling of exceptional conditions (CWE-703) are all exploitable remotely.
What this means
What could happen
An attacker with network access could gain full control of the Axeda agent or Desktop Server, execute arbitrary commands on the host device, alter configuration settings, or cause a denial of service. This could compromise the connected medical devices, industrial controllers, or gateways, allowing manipulation of patient care equipment or critical production processes.
Who's at risk
Medical device manufacturers and industrial equipment operators who deploy PTC Axeda agent or Axeda Desktop Server for remote monitoring, field service, or asset management. Affected equipment includes diagnostic devices, medical imaging systems, and industrial PLCs/gateways from vendors including Accuray, Elekta, GE, Hologic, Roche Diagnostics, and Varian that depend on Axeda for connectivity. Any organization using Axeda for remote device management is at risk.
How it could be exploited
An attacker who can reach the Axeda agent or Desktop Server over the network (the default configuration listens on all interfaces) can use hardcoded credentials (CWE-798) or call functions that require no authentication at all (CWE-306) to obtain remote code execution. From there the attacker can read configuration files, modify settings, execute arbitrary commands, or trigger a denial of service; the path traversal (CWE-22) additionally allows reading files outside the intended directory.
Prerequisites
- Network connectivity to the Axeda agent or Desktop Server port (default configuration listens on all interfaces, not restricted to localhost)
- No authentication required for some attack vectors; hardcoded or default credentials may be present in configuration files
- Axeda agent or Desktop Server actively running and accessible from attacker's network segment or the Internet
- Remotely exploitable over the network
- No authentication required for exploitation
- Low complexity attack (CVSS AC:L)
- Critical severity (CVSS 9.8)
- Affects all versions of both products
- Hardcoded credentials in code and configuration files
- Affects safety-critical medical devices and industrial control systems
- No patch available for Axeda agent (all versions); alternative fixes required
- Wide deployment in the medical device ecosystem
Exploitability
Moderate exploit probability (EPSS 2.3%)
Affected products (2)
1 with fix, 1 pending
Product | Affected Versions | Fix Status
Axeda Desktop Server for Windows | All versions | 6.9 build 215
Axeda agent | All versions | No fix yet
Remediation & Mitigation
Do now
[WORKAROUND] Configure Axeda agent and Axeda Desktop Server to listen only on localhost (127.0.0.1) to prevent network exposure
[HARDENING] Delete or remove the ERemoteServer file from all host devices; never use ERemoteServer in production
[HARDENING] Remove Axeda installation files (e.g., Gateway_vs2017-en-us-x64-pc-winnt-vc14-6.9.3-1051.msi) from host devices after installation
[HARDENING] Set a unique, strong password in the AxedaDesktop.ini file for each Axeda unit; never use default or shared credentials
[WORKAROUND] Block all connections to ERemoteServer except from trusted hosts using firewall rules
[WORKAROUND] If using Windows, configure localhost-only (127.0.0.1) communications between ERemoteServer and Axeda Builder
[HARDENING] Configure Axeda agent to require authentication credentials for login to the Axeda Deployment Utility
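Two of the items above are the ones most often left half-done: the loopback-only binding (the prerequisite at the top of this advisory is precisely that the default listens on all interfaces) and the AxedaDesktop.ini password. The following audit helpers check both from captured host state. This is an added example, not PTC code and not from the advisory; it consumes Windows `netstat -ano` output plus a PID-to-image-name map (as produced by `tasklist`). The process image names, ports, PIDs and the .ini section/key name it uses are assumptions or constructed sample data, not values from the advisory, so pass the real names observed on your host.

```python
"""Audit helpers for two Axeda hardening checks: (1) no Axeda-related process listens on a
non-loopback address, and (2) AxedaDesktop.ini does not carry an empty or known-weak password.
Added example, not PTC code.  Process names, ports, PIDs and the .ini section/key below are
assumptions or constructed sample data, not values taken from the advisory."""
from __future__ import annotations

import configparser
import ipaddress
import re
from dataclasses import dataclass

# Matches the TCP LISTENING rows of Windows `netstat -ano` output, e.g.
#   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Listener:
    address: str   # bound host as printed by netstat ("0.0.0.0", "::", "127.0.0.1", ...)
    port: int
    pid: int
    process: str   # image name resolved from the PID (e.g. via `tasklist`)


def _split_host_port(local: str) -> tuple[str, int]:
    host, _, port = local.rpartition(":")   # handles both "[::]:3077" and "0.0.0.0:3077"
    return host.strip("[]"), int(port)


def parse_netstat(output: str, pid_to_process: dict[int, str]) -> list[Listener]:
    """Return every TCP listener in `netstat -ano` output, tagged with its process name."""
    listeners = []
    for line in output.splitlines():
        m = _LISTEN_RE.match(line)
        if not m:
            continue
        host, port = _split_host_port(m.group(1))
        pid = int(m.group(2))
        listeners.append(Listener(host, port, pid, pid_to_process.get(pid, "<unknown>")))
    return listeners


def is_loopback(address: str) -> bool:
    """True only for 127.0.0.0/8 or ::1.  Wildcards ("0.0.0.0", "::", "*") and LAN addresses are False."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:          # e.g. "*" on some netstat builds: a wildcard bind, so not loopback
        return False


def exposed_listeners(listeners: list[Listener], process_patterns: list[str]) -> list[Listener]:
    """Listeners whose process name matches one of the patterns and which are NOT bound to loopback.
    Every entry returned is reachable from the network and violates the localhost-only workaround."""
    wanted = [p.lower() for p in process_patterns]
    return [l for l in listeners
            if any(p in l.process.lower() for p in wanted) and not is_loopback(l.address)]


def weak_ini_password(ini_text: str, section: str, key: str, weak_values: set[str]) -> str | None:
    """Return a reason if the password at [section]/key is missing, empty or in weak_values, else None.
    Section and key names are parameters because the advisory does not name them."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.has_option(section, key):     # False when the section itself is absent, too
        return f"{key} not set in [{section}]"
    value = cfg.get(section, key).strip()
    if not value:
        return f"{key} is empty"
    if value.lower() in {w.lower() for w in weak_values}:
        return f"{key} uses a known-weak value"
    return None


# --- constructed sample input (not captured from a real Axeda host) ---------------------------
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:3076         0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:3077           0.0.0.0:0              LISTENING       2044
  TCP    [::]:3077              [::]:0                 LISTENING       2044
  TCP    192.168.10.5:49670     0.0.0.0:0              LISTENING       3120
  TCP    192.168.10.5:443       192.168.10.9:51234     ESTABLISHED     3120
"""
# Hypothetical image names; confirm the real ones on your host with `tasklist`.
SAMPLE_PIDS = {884: "svchost.exe", 2044: "ERemoteServer.exe", 3120: "AxedaDesktopServer.exe"}
SAMPLE_INI = "[Server]\nPassword=changeme\n"   # constructed; section/key names are assumptions

if __name__ == "__main__":
    for l in exposed_listeners(parse_netstat(SAMPLE_NETSTAT, SAMPLE_PIDS), ["ERemoteServer", "Axeda"]):
        print(f"EXPOSED  {l.process} (pid {l.pid}) listening on {l.address}:{l.port}")
    print("ini:", weak_ini_password(SAMPLE_INI, "Server", "Password", {"changeme", "password"}))
```

On the constructed sample, the 127.0.0.1 socket passes and the three bindings on 0.0.0.0, :: and the LAN address are reported; note that an IPv6 wildcard ([::]) listener is just as exposed as the IPv4 one and is easy to miss if you only grep for 0.0.0.0. Run the two commands on the host, feed their output in, and treat any returned listener or any non-None reason from the .ini check as a failed verification of the workarounds above.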
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
[HOTFIX] Upgrade Axeda Desktop Server to Version 6.9 build 215 or later
[HOTFIX] Upgrade Axeda agent to Version 6.9.2 build 1049 or 6.9.3 build 1051 (or newer) if still on an older build; these builds are required for the loopback-only configuration. This is not a full fix for the agent (see Affected products), so the workarounds in Do now still apply
Long-term hardening
[HARDENING] Isolate Axeda systems and dependent devices from the Internet; place them behind a firewall and segregate them from business networks
[HARDENING] Use secure remote access methods (e.g., VPN) if remote connectivity to Axeda systems is required, and keep the VPN patched
CVEs (7)