OTPulse
FeedAboutContact

PTC ThingWorx Edge

Act Now9.8ICS-CERT ICSA-23-054-01Feb 27, 2023
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

PTC ThingWorx Edge and related Kepware products contain integer overflow and out-of-bounds buffer access vulnerabilities in the ThingWorx interface communication layer. These flaws affect versions: ThingWorx Edge C-SDK v2.2.12.1052 or lower, ThingWorx Edge MicroServer (EMS) v5.4.10.0 or lower, .NET-SDK v5.8.4.971 or lower, Kepware KEPServerEX v6.12 or lower, ThingWorx Kepware Server v6.12 or lower, ThingWorx Kepware Edge v1.5 or lower, Rockwell Automation KEPServer Enterprise v6.12 or lower, GE Digital Industrial Gateway Server v7.612 or lower, and all versions of ThingWorx Industrial Connectivity. The vulnerabilities could allow remote code execution or device crash. ThingWorx Industrial Connectivity (all versions) has no fix available.

What this means
What could happen
An attacker with network access to ThingWorx Edge or Kepware products could execute arbitrary code on the device, allowing them to modify process data, alter equipment behavior, or crash the device and disrupt operations. If the ThingWorx Interface is enabled, the vulnerability is exploitable without authentication.
Who's at risk
This vulnerability affects manufacturing facilities and industrial sites using ThingWorx Edge components, Kepware servers, and connected devices from Rockwell Automation, GE, and PTC. Specifically, it impacts Edge computing gateways, industrial connectivity servers, and data acquisition products that use the ThingWorx interface for cloud integration or data forwarding.
How it could be exploited
An attacker would send a crafted network packet to the ThingWorx interface on the affected device (likely port 8000 or similar). The vulnerability involves integer overflow or out-of-bounds buffer access that allows code execution. No valid credentials are required if the ThingWorx Interface is accessible from the attacker's network position.
Prerequisites
  • Network access to the device running ThingWorx Edge or Kepware products
  • ThingWorx Interface must be enabled (for Kepware products, this is a mitigating factor if disabled)
  • Device must be on a reachable network segment (does not require Internet access)
Remotely exploitable over networkNo authentication required if ThingWorx Interface is enabledLow attack complexityNo patch available for several product variantsAffects critical industrial connectivity infrastructureInteger overflow and buffer handling flaws (CWE-129, CWE-190)
Exploitability
Moderate exploit probability (EPSS 5.1%)
Affected products (9)
8 with fix1 EOL
ProductAffected VersionsFix Status
ThingWorx Edge C-SDK: v2.2.12.1052 or lower≤ 2.2.12.10523.0.0 or later
ThingWorx Edge MicroServer (EMS): v5.4.10.0 or lower≤ 5.4.10.05.4.11 or later
.NET-SDK: v5.8.4.971 or lower≤ 5.8.4.9715.8.5 or later
Kepware KEPServerEX: v6.12 or lower≤ 6.126.13 or later
ThingWorx Kepware Server (formerly ThingWorx Industrial Connectivity): v6.12 or lower≤ 6.126.13 or later
ThingWorx Kepware Edge: v1.5 or lower≤ 1.51.6 or later
Rockwell Automation KEPServer Enterprise: v6.12 or lower≤ 6.126.13 or later
GE Digital Industrial Gateway Server: v7.612 or lower≤ 7.6127.613 or later
Remediation & Mitigation
0/11
Do now
0/2
WORKAROUNDDisable the ThingWorx Interface on Kepware products if it is not required for operations
HARDENINGRestrict network access to ThingWorx and Kepware devices using firewall rules; ensure they are not directly reachable from the Internet or untrusted networks
Schedule — requires maintenance window
0/8

Patching may require device reboot — plan for process interruption

ThingWorx Edge MicroServer (EMS): v5.4.10.0 or lower
HOTFIXUpdate ThingWorx Edge MicroServer (EMS) to version 5.4.11 or later
All products
HOTFIXUpdate ThingWorx Edge C-SDK to version 3.0.0 or later
HOTFIXUpdate .NET-SDK to version 5.8.5 or later
HOTFIXUpdate Kepware KEPServerEX to version 6.13 or later
HOTFIXUpdate ThingWorx Kepware Server to version 6.13 or later
HOTFIXUpdate ThingWorx Kepware Edge to version 1.6 or later
HOTFIXUpdate Rockwell Automation KEPServer Enterprise to version 6.13 or later
HOTFIXUpdate GE Digital Industrial Gateway Server to version 7.613 or later
Mitigations - no patch available
0/1
ThingWorx Industrial Connectivity: All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGIsolate control system networks from business networks and ensure these devices are behind firewalls
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/53453fad-0673-4e05-a2b7-1e04068e9388