PTC Kepware ThingWorx Kepware Server
Score: 5.3 | ICS-CERT ICSA-24-228-11 | Aug 15, 2024
Attack vector: Adjacent
Auth required: None
Complexity: High
User interaction: None needed
Summary
A resource exhaustion vulnerability in PTC Kepware ThingWorx Kepware Server, KEPServerEX, Software Toolbox TOP Server, and GE IGS allows an attacker on the local network to crash the target device via specially crafted network traffic. Successful exploitation causes a denial of service, interrupting data collection and alarming from all connected industrial devices. No public exploitation has been reported. PTC states no fix will be available; the vendor recommends following the Kepware Secure Deployment Guide and maintaining proper access control on manufacturing networks.
What this means
What could happen
An attacker with network access to the affected Kepware server could crash it, causing temporary loss of data collection and alarming from all connected industrial devices until the service restarts.
Who's at risk
This affects manufacturing facilities and utilities running version 6 of PTC Kepware ThingWorx Kepware Server, KEPServerEX, or Software Toolbox TOP Server, or GE IGS version 7.6x. These products are typically used as OPC servers to bridge industrial equipment (PLCs, RTUs, analyzers) to historians and SCADA systems. Any operation relying on real-time data collection or alarming from connected devices would be impacted by a crash.
How it could be exploited
An attacker on the local network (or via VPN/remote access) sends specially crafted packets to the Kepware server that trigger a resource exhaustion condition, causing the process to crash. The attacker does not need valid credentials.
Prerequisites
- Network access to the Kepware server on the local network or via remote access methods (VPN, RDP)
- No authentication required
- High complexity attack: requires crafted network traffic
Risk factors
- Low complexity attack vector
- No authentication required
- No vendor patch available
- Crash/denial of service to critical data collector
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4), all end of life
Product | Affected versions | Fix status
Kepware ThingWorx Kepware Server | V6 | No fix (EOL)
Kepware KEPServerEX | V6 | No fix (EOL)
Software Toolbox TOP Server | V6 | No fix (EOL)
GE IGS | V7.6x | No fix (EOL)
Remediation & Mitigation
Do now
- Workaround: Restrict network access to Kepware servers using firewall rules; only allow connections from authorized engineering workstations and historian systems
Schedule (requires maintenance window)
Note: patching may require a device reboot; plan for process interruption
- Hardening: Follow the PTC Kepware Secure Deployment Guide for proper access control configuration
- Hardening: If remote access to Kepware is required, use a VPN with current patches instead of direct internet exposure
Mitigations (no patch available)
The following products have reached end of life with no planned fix: Kepware ThingWorx Kepware Server V6, Kepware KEPServerEX V6, Software Toolbox TOP Server V6, GE IGS V7.6x. Apply the following compensating controls:
- Hardening: Segment the manufacturing network from the business network using firewalls
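The workaround above (allow only authorized engineering workstations and historians to reach the server) can be enforced on the Windows host itself. The script below is an added example, not code from the advisory, PTC, or the Kepware Secure Deployment Guide. It assumes the server runs on Windows with Windows Defender Firewall; the listener ports are Kepware's documented defaults (49320 for OPC UA, 57412/57413 for the Configuration API) and must be checked against the actual installation; the host addresses and rule group name are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory or PTC): restrict inbound access to a
# Kepware server so only an approved list of hosts can reach its listeners.
# Assumptions, to verify against your installation and the Secure Deployment
# Guide: ports are Kepware defaults; host addresses are constructed placeholders.

$KepwarePorts    = @('49320', '57412', '57413')                   # assumed defaults
$AuthorizedHosts = @('10.10.20.15', '10.10.20.16', '10.10.30.5')  # constructed: 2 workstations, 1 historian
$RuleGroup       = 'Kepware Access Restriction'                   # hypothetical group name

function Get-KepwareInboundAllowRules {
    # Every enabled inbound Allow rule that opens one of the Kepware TCP ports.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { @($_.LocalPort) | Where-Object { $KepwarePorts -contains $_ } } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
}

function Set-KepwareFirewallPolicy {
    # With the profile default set to Block, anything without an explicit Allow is dropped.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    # Recreate this script's rules from scratch so repeated runs are idempotent.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # Windows Firewall has no "allow from everyone except" form, and explicit Block
    # rules override Allow rules, so narrowing access means disabling any broad
    # Allow rule on these ports (for example one created at install time).
    Get-KepwareInboundAllowRules | Disable-NetFirewallRule

    # The single remaining path in: TCP to the Kepware ports from approved sources only.
    New-NetFirewallRule -DisplayName 'Kepware - allow authorized OPC clients' -Group $RuleGroup `
        -Direction Inbound -Protocol TCP -LocalPort $KepwarePorts `
        -RemoteAddress $AuthorizedHosts -Action Allow -Profile Any | Out-Null
}

function Test-KepwareExposure {
    # Report any enabled inbound Allow rule on a Kepware port that accepts any remote address.
    Get-KepwareInboundAllowRules | ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($remote -join ',') }
    } | Where-Object { $_.RemoteAddress -eq 'Any' }
}

Set-KepwareFirewallPolicy
$exposed = Test-KepwareExposure
if ($exposed) {
    $exposed | Format-Table -AutoSize
    Write-Warning 'Kepware ports are still reachable from any address'
} else {
    Write-Output 'Kepware ports are reachable only from the authorized host list'
}
```

Run it on the Kepware host after confirming the port list; the check at the end is the useful part, since a permissive rule left enabled anywhere in the policy would silently reopen the ports this advisory's crafted-traffic condition depends on reaching. Host-level rules complement, not replace, the network segmentation the advisory recommends.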
CVEs (1)
API:
/api/v1/advisories/cb500edf-e4b7-4725-82ea-21cd117cb0ec