PTC KEPServerEX
Monitor · 7.5 · ICS-CERT ICSA-23-208-02 · Jul 27, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
PTC KEPServerEX versions 6.0 through 6.14.262 contain a vulnerability that allows an unauthenticated OPC UA client to cause a denial of service (device crash) via a crafted request. The vulnerability is triggered by improper handling of malformed OPC UA protocol messages. Standard access controls and the product's Secure Deployment guide mitigations are sufficient to prevent exploitation.
What this means
What could happen
An attacker with network access to the OPC UA port could crash the KEPServerEX process, interrupting all OPC data access and connectivity to downstream SCADA systems and HMIs that depend on it for real-time process data.
Who's at risk
Water utilities, power plants, and manufacturing facilities using PTC KEPServerEX as their OPC data server should evaluate this risk. KEPServerEX is commonly the central hub connecting legacy PLCs, RTUs, and sensors to modern SCADA systems and historian databases. Disruption affects any system relying on real-time process data from the server.
How it could be exploited
An attacker sends a specially crafted OPC UA protocol message to the unauthenticated OPC UA endpoint. The server fails to validate or properly handle the message, triggering a crash. Exploitation requires only network-level access to the OPC UA port (typically 49320) and does not require valid credentials.
Prerequisites
- Network access to KEPServerEX OPC UA port (default port 49320 or configured alternate)
- No authentication or credentials required
remotely exploitable · no authentication required · low complexity · high availability impact
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
- Product: KEPServerEX: >= 6.0 | < 6.14.263
- Affected Versions: ≥ 6.0 | < 6.14.263
- Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Immediately restrict network access to OPC UA ports (typically 49320) using host firewall rules or network segmentation. Block access from untrusted networks and allow only authorized SCADA clients and engineering workstations.
- HARDENING: If OPC UA client authentication is available, require client certificate validation or username/password authentication to prevent unauthenticated connections.
- HARDENING: Isolate KEPServerEX and dependent systems behind a firewall, and do not expose OPC UA ports to the Internet or business network.
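One way to apply the host-firewall workaround on the Windows host running KEPServerEX, as an added example that is not part of the advisory or of PTC's guidance. The client addresses and rule name are constructed placeholders, and the port is the default 49320 named above.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, then scope, Windows Firewall access to the OPC UA port.
$OpcUaPort      = 49320                          # page default; change if an alternate port is configured
$AllowedClients = @('192.0.2.10', '192.0.2.11')  # constructed addresses: authorized SCADA clients / workstations
$RuleName       = 'OPC UA 49320 - authorized clients only'   # hypothetical rule name

function Test-PortInFilter {
    # True when a rule's LocalPort filter ('Any', '49320', '49000-50000', ...) covers $Port.
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any' -or $entry -eq "$Port") { return $true }
        if ($entry -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# 1. The scoped rule only restricts access if the firewall is on and unmatched inbound traffic is blocked.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table

# 2. List enabled inbound allow rules that admit TCP to the port from any remote address.
#    Program-scoped rules with LocalPort 'Any' are included; check the Program column to see
#    whether the rule belongs to the OPC server or to unrelated software.
$broad = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    if ($rule.DisplayName -eq $RuleName) { continue }
    $pf = $rule | Get-NetFirewallPortFilter
    $af = $rule | Get-NetFirewallAddressFilter
    if (($pf.Protocol -in @('TCP', 'Any')) -and
        (Test-PortInFilter -LocalPort $pf.LocalPort -Port $OpcUaPort) -and
        ($af.RemoteAddress -contains 'Any')) {
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Program   = ($rule | Get-NetFirewallApplicationFilter).Program
            LocalPort = $pf.LocalPort -join ','
        }
    }
}
$broad | Format-Table -AutoSize

# 3. Add an allow rule limited to the authorized clients (idempotent).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $OpcUaPort -RemoteAddress $AllowedClients -Action Allow | Out-Null
}

# 4. Allow rules are additive: the port stays open to everyone until each broad rule listed in
#    step 2 that applies to the OPC server is disabled or given a RemoteAddress scope. Left manual
#    so an operator reviews each rule first, for example:
#    Set-NetFirewallRule -DisplayName '<rule from step 2>' -RemoteAddress $AllowedClients
```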
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Review and implement controls documented in the PTC Secure Deployment guide for KEPServerEX.
Long-term hardening
- HOTFIX: Plan upgrade or replacement of KEPServerEX to a supported version once available, as current versions have no vendor patch scheduled.
CVEs (1)