PTC Kepware KEPServerEX (Update A)
Act Now · Severity score 9.8 · ICS-CERT ICSA-22-242-10 · Aug 30, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Buffer overflow vulnerabilities in PTC Kepware KEPServerEX and related OPC server products allow remote code execution or denial of service. The flaws are in the server's handling of network messages and affect all versions of the affected products. These gateways are critical intermediaries between industrial devices (PLCs, sensors, drives) and supervisory control systems.
What this means
What could happen
An attacker could crash KEPServerEX or execute arbitrary code on the gateway, disrupting communication between your control system devices and SCADA applications, potentially stopping production monitoring and control.
Who's at risk
Manufacturing facilities using PTC Kepware, Rockwell Automation, GE Digital, or Software Toolbox gateways for OPC communication between PLCs, drives, and SCADA systems are affected. This includes water treatment plants and utilities that use these platforms for remote monitoring and control of industrial equipment.
How it could be exploited
An attacker on the network sends a specially crafted message to the KEPServerEX TCP port (typically 502 or 44818). The server fails to properly validate the message bounds, allowing a buffer overflow that crashes the service or enables code execution, with no authentication required.
Prerequisites
- Network connectivity to KEPServerEX TCP port (default 502 or 44818)
- No authentication required
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects data acquisition and control communication
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (8)
8 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| GE Digital Industrial Gateway Server | < 7.612 | No fix (EOL) |
| Kepware KEPServerEX | < 6.12 | No fix (EOL) |
| OPC-Aggregator | < 6.12 | No fix (EOL) |
| Rockwell Automation KEPServer Enterprise | < 6.12 | No fix (EOL) |
| Software Toolbox TOP Server | < 6.12 | No fix (EOL) |
| ThingWorx Industrial Connectivity | All versions | No fix (EOL) |
| ThingWorx Kepware Edge | ≤ 1.4 | No fix (EOL) |
| ThingWorx Kepware Server | < 6.12 | No fix (EOL) |
Remediation & Mitigation
Do now
- [HARDENING] Isolate KEPServerEX and connected gateways from the business network with a firewall; allow only necessary connections from your control system segments
- [HARDENING] If remote access is required, require VPN connectivity to access KEPServerEX; restrict direct Internet exposure
Schedule — requires maintenance window
- Patching may require device reboot — plan for process interruption
- [HARDENING] Monitor KEPServerEX for unexpected restarts or crashes; document baseline uptime and alert on deviations
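The crash-monitoring item above, as an added example that is not part of this advisory: a script run over an exported Windows System log that flags unexpected terminations of the gateway service and compares the daily count against a baseline. It assumes the gateway runs on Windows with a service name containing "KEPServerEX"; the event IDs are the Service Control Manager's, and the log lines are constructed.

```python
"""Flag unexpected KEPServerEX service terminations in a Windows System log export.

Added example, not from the advisory. Assumes the gateway runs on Windows and that
the service name contains "KEPServerEX"; the log lines below are constructed.
"""
import re
from collections import Counter

# Service Control Manager event IDs logged when a service dies without a clean stop.
CRASH_EVENT_IDS = {7031, 7034}

# Constructed sample export: timestamp, event ID, message (one event per line).
SAMPLE_LOG = """\
2022-08-30 08:00:01,7036,The KEPServerEX 6 service entered the running state.
2022-08-30 08:15:22,7034,The KEPServerEX 6 service terminated unexpectedly. It has done this 1 time(s).
2022-08-30 08:15:40,7036,The KEPServerEX 6 service entered the running state.
2022-08-30 09:02:10,7036,The Print Spooler service entered the stopped state.
2022-08-30 09:45:03,7031,The KEPServerEX 6 service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2022-08-30 10:00:00,7034,The Windows Update service terminated unexpectedly. It has done this 1 time(s).
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+),(?P<eid>\d+),(?P<msg>.*)$")


def parse_events(text):
    """Yield (timestamp, event_id, message) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), int(m.group("eid")), m.group("msg")


def find_crashes(text, service_substring="KEPServerEX"):
    """Return timestamps of unexpected terminations of the named service."""
    return [ts for ts, eid, msg in parse_events(text)
            if eid in CRASH_EVENT_IDS and service_substring in msg]


def exceeds_baseline(text, max_crashes_per_day=0, service_substring="KEPServerEX"):
    """Group crashes by calendar day and return the days whose count exceeds the baseline.
    A baseline of 0 means any unexpected termination of the gateway raises an alert."""
    per_day = Counter(ts.split(" ")[0] for ts in find_crashes(text, service_substring))
    return {day: n for day, n in per_day.items() if n > max_crashes_per_day}


if __name__ == "__main__":
    for day, n in exceeds_baseline(SAMPLE_LOG).items():
        print(f"ALERT: {n} unexpected KEPServerEX termination(s) on {day}")
```

Clean stop/start pairs (event 7036) are deliberately ignored so that planned restarts during a maintenance window do not trigger the alert.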
CVEs (2)