OTPulse

Matrikon OPC Server

Status: Monitor
Score: 5.8
ICS-CERT advisory: ICSA-22-144-02
Published: May 24, 2022
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: Required
Summary

All versions of Matrikon OPC Server contain a vulnerability in the IPersistFile COM interface that allows an attacker with valid credentials to achieve remote command execution with system-level privileges. The vulnerability has high attack complexity, and no known public exploits currently target it. No vendor patch is available; mitigation requires network controls and credential management.

What this means
What could happen
An attacker with valid engineering or operator credentials could execute arbitrary commands on the OPC server with system-level privileges, potentially allowing them to alter process data, modify setpoints in connected PLCs, or disrupt data collection and control operations.
Who's at risk
This vulnerability affects operators and engineers at water utilities, electric utilities, and any industrial facility using Matrikon OPC Server to interface with PLCs, RTUs, or SCADA systems. OPC servers are commonly used as the software bridge between operational devices and historian/SCADA applications.
How it could be exploited
An attacker must first gain valid credentials to access the OPC server, then leverage the IPersistFile COM interface vulnerability to upload a malicious file. The attacker would need user interaction or the ability to trigger file persistence operations to achieve remote command execution.
Prerequisites
  • Valid engineering or operator credentials for the OPC server
  • Network access to the Matrikon OPC Server service port
  • Ability to influence file operations or user interaction on the OPC server host
  • Knowledge of COM interface exploitation techniques
Tags: no patch available, requires valid credentials, high attack complexity, remotely exploitable
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product               Affected Versions   Fix Status
Matrikon OPC Server   All versions        No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Apply firewall rules to restrict network access to the OPC server; only allow connections from authorized engineering workstations and control system networks
WORKAROUND: Disable unnecessary COM interfaces on the OPC server if IPersistFile functionality is not required for operations
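The first workaround above, restricting who can reach the OPC server over the network, is shown here as an added example for a Windows host running an OPC Classic (DCOM) server. This is not code from the advisory or from Matrikon. The workstation addresses in $AllowedHosts are constructed sample values and the executable path in $OpcServerExe is a hypothetical placeholder; both must be replaced with the site's own values.

```powershell
# Added example (not from the advisory or from Matrikon): restrict inbound access
# to an OPC Classic (DCOM) server host to an allowlist of engineering workstations.
# Placeholders to replace:
#   $AllowedHosts  - addresses/ranges of authorized engineering workstations and
#                    control-network peers (constructed sample values)
#   $OpcServerExe  - path to the OPC server executable (hypothetical path)
# Run in an elevated PowerShell session on the OPC server host.

$AllowedHosts = @('10.10.20.15', '10.10.20.16', '10.10.30.0/24')   # constructed
$OpcServerExe = 'C:\Program Files\OPCServer\OPCServer.exe'          # hypothetical

# 1. Make "deny by default" the baseline for inbound traffic on all profiles.
#    In Windows Firewall an explicit Block rule beats an Allow rule, so the
#    allowlist has to be expressed as Allow rules on top of a Block default,
#    not as a broad Block rule with narrower Allow rules beside it.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. DCOM endpoint mapper (TCP 135): only the allowlisted hosts may reach it.
New-NetFirewallRule -DisplayName 'OPC DCOM endpoint mapper (allowlist)' `
    -Direction Inbound -Protocol TCP -LocalPort 135 `
    -RemoteAddress $AllowedHosts -Action Allow -Profile Domain,Private

# 3. DCOM hands the OPC server a dynamic port, so scope that rule by program
#    rather than by port; it then stays correct when the port changes.
New-NetFirewallRule -DisplayName 'OPC server process (allowlist)' `
    -Direction Inbound -Program $OpcServerExe `
    -RemoteAddress $AllowedHosts -Action Allow -Profile Domain,Private

# 4. Verify: list the rules just created together with their remote-address scope.
Get-NetFirewallRule -DisplayName 'OPC*' |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        '{0}: {1} <- {2}' -f $_.DisplayName, $_.Action, $addr
    }
```

Switching the default inbound action to Block also affects every other inbound service on the host (remote administration included), so review the existing Allow rules before applying this on a production server, and pair the host rules with matching rules on the control-network firewall so that the restriction does not depend on a single enforcement point.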
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Require multi-factor authentication or IP-based access controls for engineering access to the OPC server
HARDENING: Review Matrikon security best practices documentation and apply applicable mitigations
HARDENING: For remote access, use VPN with encryption and ensure VPN software is kept current with vendor patches
Mitigations - no patch available
All versions of Matrikon OPC Server have reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate the OPC server on a dedicated control network separate from the business network