PTC Creo Elements/Direct License Server (Update A)
Priority: Act Now | CVSS: 10 | Source: ICS-CERT ICSA-24-177-02 | Published: Jun 25, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Unauthenticated remote attackers can execute arbitrary OS commands on the host running PTC Creo Elements/Direct License Server; the related Creo Elements/Direct client products ship with and depend on that server and are listed as affected. No credentials and no user interaction are needed. Affected versions: Creo Elements/Direct License Server through 20.7.0.0; Creo Elements/Direct Drafting, Modeling, Model Manager and Drawing Manager 15.00 through 20.7; Creo Elements/Direct WorkManager/DDM 15.00 through 20.4.
What this means
What could happen
An attacker could run arbitrary commands on your Creo Elements/Direct License Server host without a password. Every Creo Elements/Direct workstation depends on that server to check out licenses, so the attacker can halt engineering work by withholding licenses and can use the foothold to reach the workstations and the design data they hold. Where the server supports CAD tools used for operational technology design or simulation, that puts both engineering workflows and the integrity of design files at risk.
Who's at risk
Engineering and design organizations using PTC Creo Elements/Direct suite for CAD/CAM work. This includes companies in aerospace, automotive, manufacturing, and industrial design. The License Server is the central authentication point for all Creo Elements/Direct installations, making it a critical target. Compromise of the License Server could give attackers control over the entire Creo deployment and potentially access to engineering data and processes.
How it could be exploited
An attacker with network access to the License Server's listening service (including its exposed web interface) can send a specially crafted request that causes the server to execute OS commands. The server performs no authentication on that path, so there is nothing to bypass: no valid credentials and no user interaction are needed. Commands run with the privileges of the License Server process, and from that host the attacker can move laterally into the engineering network or the CAD workstation network.
Prerequisites
- Network reachability to the Creo Elements/Direct License Server (direct or via VPN)
- License Server running vulnerable version 20.7.0.0 or earlier
- No authentication required
Risk factors:
- Remotely exploitable without credentials
- No authentication required
- Low complexity attack
- CVSS 10 (maximum severity)
- No patch available for the end-of-life client products (only the License Server has a fix)
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (5)
1 with fix, 4 EOL
Product | Affected Versions | Fix Status
Creo Elements/Direct License Server (MEls) | ≤ 20.7.0.0 | 20.7.0.1 or higher
Creo Elements/Direct Drafting | ≥ 15.00 and ≤ 20.7 | No fix (EOL)
Creo Elements/Direct Modeling | ≥ 15.00 and ≤ 20.7 | No fix (EOL)
Creo Elements/Direct WorkManager / DDM | ≥ 15.00 and ≤ 20.4 | No fix (EOL)
Creo Elements/Direct Model Manager / Drawing Manager | ≥ 15.00 and ≤ 20.7 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the License Server. It must not be reachable from the internet and should sit behind a firewall, preferably on a segregated engineering network.
HARDENING: If remote access to the License Server is required, provide it through a VPN with strong authentication and restrict it to authorized engineering personnel only.
Schedule — requires maintenance window
Patching may require a device reboot: plan for process interruption.
HOTFIX: Upgrade Creo Elements/Direct License Server to version 20.7.0.1 or higher.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Creo Elements/Direct Drafting (≥ 15.00 and ≤ 20.7), Creo Elements/Direct Modeling (≥ 15.00 and ≤ 20.7), Creo Elements/Direct WorkManager / DDM (≥ 15.00 and ≤ 20.4), Creo Elements/Direct Model Manager / Drawing Manager (≥ 15.00 and ≤ 20.7). Apply the following compensating controls:
HARDENING: Isolate the Creo Elements/Direct network from the business network to limit lateral movement in case of compromise.
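The affected-products table and the three remediation buckets above (hotfix, EOL with compensating controls, not affected) are easy to get wrong by hand across a fleet of workstations, so here is a triage script that encodes them. This is an added example written for this page, not code from PTC, ICS-CERT or the advisory. The product labels are shorthand for the table rows, the host inventory is constructed, and the treatment of a bound written as "20.7" as covering every 20.7.x build is an assumption of mine, noted in the code.

```python
"""Inventory triage against the ICSA-24-177-02 affected-version table.

Added example for this advisory; not code from PTC, ICS-CERT or the
advisory itself. Product labels, host names and versions are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (lower bound, upper bound, fixed-in). Bounds are inclusive and taken from
# the advisory table; fixed-in of None means the product line is EOL with
# no planned fix, so the only option is a compensating control.
AFFECTED: Dict[str, Tuple[Optional[Version], Version, Optional[Version]]] = {
    "License Server":  (None,    (20, 7, 0, 0), (20, 7, 0, 1)),
    "Drafting":        ((15, 0), (20, 7),       None),
    "Modeling":        ((15, 0), (20, 7),       None),
    "WorkManager":     ((15, 0), (20, 4),       None),
    "DDM":             ((15, 0), (20, 4),       None),
    "Model Manager":   ((15, 0), (20, 7),       None),
    "Drawing Manager": ((15, 0), (20, 7),       None),
}


def parse_version(text: str) -> Version:
    """'20.7.0.1' -> (20, 7, 0, 1). Anything but dotted integers is rejected
    rather than silently falling through as 'not affected'."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def fmt(version: Version) -> str:
    return ".".join(str(p) for p in version)


def in_range(version: Version, lower: Optional[Version], upper: Version) -> bool:
    """Inclusive range check at the precision of each bound.

    Assumption (mine, not the advisory's): a bound written as '20.7' covers
    every 20.7.x build, so '20.7.3' is still inside '<= 20.7'. Comparing the
    prefix truncated to the bound's length gives that; a plain tuple compare
    would wrongly clear such a host.
    """
    above_lower = lower is None or version[:len(lower)] >= lower
    below_upper = version[:len(upper)] <= upper
    return above_lower and below_upper


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    status: str  # "patch" | "eol-mitigate" | "not-affected" | "unknown-product"
    action: str


def triage(inventory: List[Tuple[str, str, str]]) -> List[Finding]:
    """Map each (host, product, version) to the advisory's remediation bucket."""
    findings: List[Finding] = []
    for host, product, version in inventory:
        rule = AFFECTED.get(product)
        if rule is None:
            findings.append(Finding(host, product, version, "unknown-product",
                                    "outside advisory scope; confirm product name"))
            continue
        lower, upper, fixed_in = rule
        if not in_range(parse_version(version), lower, upper):
            status, action = "not-affected", "no action for this advisory"
        elif fixed_in is not None:
            status, action = "patch", f"upgrade to {fmt(fixed_in)} or higher (maintenance window)"
        else:
            status, action = "eol-mitigate", ("no fix planned: isolate from the business "
                                              "network and restrict access to the License Server")
        findings.append(Finding(host, product, version, status, action))
    return findings


def status_by_host(findings: List[Finding]) -> Dict[str, str]:
    return {f.host: f.status for f in findings}


# Constructed inventory, not real hosts.
INVENTORY = [
    ("lic-srv-01", "License Server",  "20.7.0.0"),
    ("lic-srv-02", "License Server",  "20.7.0.1"),
    ("lic-srv-03", "License Server",  "20.6"),
    ("cad-ws-17",  "Modeling",        "20.7.3"),
    ("cad-ws-22",  "Drafting",        "14.50"),
    ("pdm-01",     "WorkManager",     "20.5"),
    ("pdm-02",     "DDM",             "20.4"),
    ("mm-01",      "Model Manager",   "20.2"),
    ("ws-99",      "Creo Parametric", "11.0"),
]

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f.host:<11} {f.product:<16} {f.version:<9} {f.status:<15} {f.action}")
```

Two design points: the script refuses to parse a malformed version string instead of treating it as clean, because a silent "not affected" is the worst outcome in a vulnerability sweep; and the License Server is the only row with a lower bound of None, matching the table's "≤ 20.7.0.0" with no floor. The "WorkManager 20.5" host comes out as not affected only because the advisory's stated range stops at 20.4; confirm that reading with the vendor before relying on it.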
CVEs (1)
API: /api/v1/advisories/284142db-b77d-4f97-adb3-faa0df66c6a2