PTC Kepware KepServerEX (Update A)

Monitor6.3ICS-CERT ICSA-23-243-03Aug 31, 2023

Attack VectorLocal

Auth RequiredHigh

ComplexityHigh

User InteractionRequired

Summary

PTC Kepware KepServerEX, ThingWorx Kepware Server, and ThingWorx Industrial Connectivity contain multiple vulnerabilities (CWE-427, CWE-20, CWE-522) that could allow a local attacker with high-privilege credentials and user interaction to escalate privileges, execute arbitrary code, and obtain server credentials and password hashes. The vulnerabilities exist in Kepware KepServerEX versions 6.14.263.0 and earlier, ThingWorx Kepware Server versions 6.14.263.0 and earlier, and ThingWorx Industrial Connectivity versions 8.0 through 8.5. PTC is developing patches expected by November 2023.

What this means

What could happen

An attacker with local access and high privileges could exploit these vulnerabilities to gain elevated system privileges, execute arbitrary code on the Kepware server, and extract server credentials and password hashes.

Who's at risk

This affects manufacturing facilities and enterprises running PTC Kepware KepServerEX, ThingWorx Kepware Server, or ThingWorx Industrial Connectivity for data aggregation, protocol bridging, or connectivity between industrial devices and applications. Any organization using these platforms for real-time data collection, historian integration, or cloud connectivity should assess their exposure.

How it could be exploited

An attacker must first gain local access to the Kepware server with high-privilege credentials and user interaction (e.g., social engineering to execute a malicious file). Once local code execution is achieved, the attacker can escalate privileges further, run arbitrary commands, and harvest credentials from the server's credential storage.

Prerequisites

Local access to the Kepware server system
High-privilege account credentials (administrative or service account access)
User interaction required (e.g., social engineering to execute a malicious file or action)

No patch availableLocal access and high privileges requiredUser interaction requiredAffects data security and credential exposurePrivilege escalation capabilityArbitrary code execution capability

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (3)

3 EOL

ProductAffected VersionsFix Status

Kepware KepServerEX: <=6.14.263.0≤ 6.14.263.0No fix (EOL)

ThingWorx Kepware Server: <=6.14.263.0≤ 6.14.263.0No fix (EOL)

ThingWorx Industrial Connectivity: >=8.0|<8.5≥ 8.0|=<8.5No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGRestrict local interactive access to Kepware servers to authorized personnel only; review and enforce principle of least privilege for service account permissions

HARDENINGIsolate Kepware servers behind firewalls and separate network segments; prevent direct internet exposure

HARDENINGImplement credential management practices: rotate service account passwords regularly, store credentials securely, and monitor for credential theft indicators

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXApply PTC security patches when released (expected by November 2023 per vendor statement)

HARDENINGReview and follow PTC's secure configuration documentation for Kepware deployments

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: Kepware KepServerEX: <=6.14.263.0, ThingWorx Kepware Server: <=6.14.263.0, ThingWorx Industrial Connectivity: >=8.0|<8.5. Apply the following compensating controls:

HARDENINGImplement application whitelisting or code signing enforcement on Kepware servers to prevent unauthorized code execution

CVEs (4)

CVE-2023-29444 CVE-2023-29445 CVE-2023-29446 CVE-2023-29447

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e173cf07-2a01-4bdb-99e7-11f269c399ae