OTPulse

PTC Kepware KepServerEX (Update A)

MonitorCVSS 6.3ICS-CERT ICSA-23-243-03Aug 31, 2023
PTCManufacturing
Attack path
Attack VectorLocal
Auth RequiredHigh
ComplexityHigh
User InteractionRequired
Summary

PTC Kepware KepServerEX, ThingWorx Kepware Server, and ThingWorx Industrial Connectivity contain multiple vulnerabilities (CWE-427, CWE-20, CWE-522) that could allow a local attacker with high-privilege credentials and user interaction to escalate privileges, execute arbitrary code, and obtain server credentials and password hashes. The vulnerabilities exist in Kepware KepServerEX versions 6.14.263.0 and earlier, ThingWorx Kepware Server versions 6.14.263.0 and earlier, and ThingWorx Industrial Connectivity versions 8.0 through 8.5. PTC is developing patches expected by November 2023.

What this means
What could happen
An attacker with local access and high privileges could exploit these vulnerabilities to gain elevated system privileges, execute arbitrary code on the Kepware server, and extract server credentials and password hashes.
Who's at risk
This affects manufacturing facilities and enterprises running PTC Kepware KepServerEX, ThingWorx Kepware Server, or ThingWorx Industrial Connectivity for data aggregation, protocol bridging, or connectivity between industrial devices and applications. Any organization using these platforms for real-time data collection, historian integration, or cloud connectivity should assess their exposure.
How it could be exploited
An attacker must first gain local access to the Kepware server with high-privilege credentials and user interaction (e.g., social engineering to execute a malicious file). Once local code execution is achieved, the attacker can escalate privileges further, run arbitrary commands, and harvest credentials from the server's credential storage.
Prerequisites
  • Local access to the Kepware server system
  • High-privilege account credentials (administrative or service account access)
  • User interaction required (e.g., social engineering to execute a malicious file or action)
No patch availableLocal access and high privileges requiredUser interaction requiredAffects data security and credential exposurePrivilege escalation capabilityArbitrary code execution capability
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (3)
3 EOL
ProductAffected VersionsFix Status
Kepware KepServerEX: <=6.14.263.0≤ 6.14.263.0No fix (EOL)
ThingWorx Kepware Server: <=6.14.263.0≤ 6.14.263.0No fix (EOL)
ThingWorx Industrial Connectivity: >=8.0|<8.5≥ 8.0|=<8.5No fix (EOL)
Remediation & Mitigation
0/6
Do now
0/3
HARDENINGRestrict local interactive access to Kepware servers to authorized personnel only; review and enforce principle of least privilege for service account permissions
HARDENINGIsolate Kepware servers behind firewalls and separate network segments; prevent direct internet exposure
HARDENINGImplement credential management practices: rotate service account passwords regularly, store credentials securely, and monitor for credential theft indicators
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXApply PTC security patches when released (expected by November 2023 per vendor statement)
HARDENINGReview and follow PTC's secure configuration documentation for Kepware deployments
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: Kepware KepServerEX: <=6.14.263.0, ThingWorx Kepware Server: <=6.14.263.0, ThingWorx Industrial Connectivity: >=8.0|<8.5. Apply the following compensating controls:
HARDENINGImplement application whitelisting or code signing enforcement on Kepware servers to prevent unauthorized code execution
View full CISA ICS-CERT advisory
API: /api/v1/advisories/e173cf07-2a01-4bdb-99e7-11f269c399ae

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.