OTPulse

PTC KEPServerEX

Priority: Act Now · Severity 9.1 · ICS-CERT ICSA-23-334-03 · Nov 30, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple buffer overflow and improper certificate validation vulnerabilities in PTC's KEPServer family and derivatives allow unauthenticated remote code execution with SYSTEM privileges, information disclosure, and denial of service. Affected products include KEPServerEX (v6.14 and earlier), ThingWorx Kepware Server, OPC-Aggregator, ThingWorx Kepware Edge, and rebranded versions from Rockwell Automation, GE Digital, and Software Toolbox. ThingWorx Industrial Connectivity, Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server, and Software Toolbox TOP Server have no patches available.

What this means
What could happen
An attacker with network access could run arbitrary commands with Windows SYSTEM-level privileges on the KEPServer host, potentially disrupting data collection from connected industrial equipment, altering process variables, or crashing the server that hundreds of devices may depend on.
Who's at risk
Manufacturing facilities using PTC KEPServerEX, ThingWorx Kepware Server, or OPC-Aggregator for data collection from PLCs, RTUs, and field devices. Also affects facilities using Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server, or Software Toolbox TOP Server. Any organization where KEPServer acts as the central bridge between shop-floor equipment and enterprise systems is at risk.
How it could be exploited
An attacker sends a specially crafted network request to KEPServer (port 49320 by default) without authentication. The server processes the malformed input, triggering a buffer overflow or improper certificate validation, allowing the attacker to execute code or bypass security checks. No user interaction or valid credentials are required.
Prerequisites
  • Network access to KEPServer (default port 49320 or configured alternate port)
  • No valid credentials required
  • No special configuration required beyond default installation
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High-severity impact (SYSTEM-level code execution)
  • Affects data integration infrastructure that many devices depend on
  • Some products have no fix available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (8): 4 with fix · 4 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| KEPServerEX | ≤ v6.14.263.0 | Fixed in 6.15 |
| ThingWorx Kepware Server | ≤ v6.14.263.0 | Fixed in 6.15 |
| OPC-Aggregator | ≤ v6.14 | Fixed in 6.15 |
| ThingWorx Kepware Edge | ≤ v1.7 | Fixed in 1.8 |
| ThingWorx Industrial Connectivity | All versions | No fix (EOL) |
| Rockwell Automation KEPServer Enterprise | ≤ v6.14.263.0 | No fix (EOL) |
| GE Digital Industrial Gateway Server | ≤ v7.614 | No fix (EOL) |
| Software Toolbox TOP Server | ≤ v6.14.263.0 | No fix (EOL) |
Remediation & Mitigation
Do now
HARDENING: Place KEPServer on a network segment isolated from the business network and internet; if remote access is needed, require VPN
WORKAROUND: Restrict network access to KEPServer ports to only authorized engineering workstations and equipment that need to connect
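One way to apply the workaround on the KEPServer host itself, as an added example that is not from OTPulse or PTC: it disables any inbound Allow rule for the KEPServer port that is open to every remote address, adds an Allow rule scoped to the authorized engineering workstations, and makes Block the default for unmatched inbound traffic. The port (TCP 49320) is the advisory's default; the workstation addresses are placeholders, and the script assumes an elevated PowerShell session on a Windows host using Windows Defender Firewall.

```powershell
# Added example (not OTPulse's or PTC's code). Assumes KEPServer listens on the
# default TCP port 49320 from the advisory; the addresses below are placeholders.
$KepPort    = 49320
$Authorized = @('10.10.5.21', '10.10.5.22')   # placeholder engineering workstations

# 1. Disable existing inbound Allow rules for the port that accept any remote address.
#    Windows Firewall evaluates Block rules before Allow rules, so a blanket Block rule
#    would also cut off the authorized hosts; the safe pattern is a narrowly scoped
#    Allow rule plus a Block default for inbound traffic that matches nothing.
$openRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$KepPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }

foreach ($rule in $openRules) {
    Write-Host "Disabling unscoped inbound allow rule: $($rule.DisplayName)"
    Disable-NetFirewallRule -Name $rule.Name
}

# 2. Allow the port only from the authorized workstation addresses (idempotent).
$ruleName = "KEPServer TCP $KepPort - authorized engineering workstations only"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $KepPort -RemoteAddress $Authorized -Action Allow -Profile Any | Out-Null
}

# 3. Drop inbound traffic that matches no Allow rule, on every firewall profile.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 4. Verify: show every rule that governs the port together with its remote-address scope.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$KepPort" } |
    Get-NetFirewallRule |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; Action = $_.Action; RemoteAddress = $addr }
    } | Format-Table -AutoSize
```

The host firewall scope complements the network segmentation in the HARDENING item rather than replacing it; if KEPServer is configured on an alternate port, set $KepPort to that value and review the step-4 output before leaving the maintenance window.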
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade KEPServerEX to v6.15 or later
HOTFIX: Upgrade ThingWorx Kepware Server to v6.15 or later
HOTFIX: Upgrade OPC-Aggregator to v6.15 or later
HOTFIX: Upgrade ThingWorx Kepware Edge to v1.8 or later