OTPulse

PTC Kepware ThingWorx Kepware Server

MonitorCVSS 5.3ICS-CERT ICSA-24-228-11Aug 15, 2024
PTC
Attack path
Attack VectorAdjacent
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary

A resource exhaustion vulnerability in PTC Kepware ThingWorx Kepware Server, KEPServerEX, Software Toolbox TOP Server, and GE IGS allows an attacker on the local network to crash the target device via specially crafted network traffic. Successful exploitation causes a denial of service, interrupting data collection and alarming from all connected industrial devices. No public exploitation has been reported. PTC states no fix will be available; the vendor recommends following the Kepware Secure Deployment Guide and maintaining proper access control on manufacturing networks.

What this means
What could happen
An attacker with network access to the affected Kepware server could crash it, causing temporary loss of data collection and alarming from all connected industrial devices until the service restarts.
Who's at risk
This affects manufacturing facilities and utilities running PTC Kepware ThingWorx Kepware Server, KEPServerEX, Software Toolbox TOP Server, or GE IGS in version 6 or 7.6x. These are typically used as OPC servers to bridge industrial equipment (PLCs, RTUs, analyzers) to historians and SCADA systems. Any operation relying on real-time data collection or alarming from connected devices would be impacted by a crash.
How it could be exploited
An attacker on the local network (or via VPN/remote access) sends specially crafted packets to the Kepware server that trigger a resource exhaustion condition, causing the process to crash. The attacker does not need valid credentials.
Prerequisites
  • Network access to the Kepware server on the local network or via remote access methods (VPN, RDP)
  • No authentication required
  • High complexity attack—requires crafted network traffic
Low complexity attack vectorNo authentication requiredNo vendor patch availableCrash/denial of service to critical data collector
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (4)
4 EOL
ProductAffected VersionsFix Status
Kepware ThingWorx Kepware Server: V6V6No fix (EOL)
Kepware KEPServerEX: V6V6No fix (EOL)
Software Toolbox TOP Server: V6V6No fix (EOL)
GE IGS: V7.6xV7.6xNo fix (EOL)
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDRestrict network access to Kepware servers using firewall rules; only allow connections from authorized engineering workstations and historian systems
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HARDENINGFollow PTC Kepware Secure Deployment Guide for proper access control configuration
HARDENINGIf remote access to Kepware is required, use VPN with current patches instead of direct internet exposure
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: Kepware ThingWorx Kepware Server: V6, Kepware KEPServerEX: V6, Software Toolbox TOP Server: V6, GE IGS: V7.6x. Apply the following compensating controls:
HARDENINGSegment manufacturing network from business network using firewalls
View full CISA ICS-CERT advisory
API: /api/v1/advisories/cb500edf-e4b7-4725-82ea-21cd117cb0ec

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

PTC Kepware ThingWorx Kepware Server | CVSS 5.3 - OTPulse