Beckhoff Automation TwinCAT Package Manager

MonitorCVSS 6.5ICS-CERT ICSA-24-312-01Oct 31, 2024

BeckhoffEnergy

Attack path

Attack VectorLocal

Auth RequiredHigh

ComplexityLow

User InteractionRequired

Summary

Beckhoff Automation TwinCAT Package Manager versions below 1.0.613.0 contain a command injection vulnerability that allows a local attacker with administrative access rights to execute arbitrary OS commands on the affected engineering workstation. The vulnerability exists in how the Package Manager processes user input without proper validation. This affects workstations used to configure and deploy control logic to Beckhoff PLCs and automation controllers.

What this means

What could happen

An attacker with local administrative access could run arbitrary commands on the engineering workstation running TwinCAT Package Manager, potentially allowing them to modify PLC configurations, alter process logic, or disrupt engineering operations.

Who's at risk

Engineering and automation teams at energy utilities and industrial facilities that use Beckhoff Automation's TwinCAT control platform should care about this vulnerability. It affects TwinCAT Package Manager installations on engineering workstations used to configure and deploy control logic to PLCs and industrial controllers.

How it could be exploited

An attacker who has already obtained administrative credentials or physical access to an engineering workstation can supply malicious input to the TwinCAT Package Manager application, which will execute arbitrary OS commands in the context of the administrator. This requires the attacker to be logged in locally or have gained admin-level shell access already.

Prerequisites

Local administrative access to the engineering workstation running TwinCAT Package Manager
Ability to interact with the TwinCAT Package Manager user interface or command input
TwinCAT Package Manager version below 1.0.613.0

local exploitation only (requires prior admin access)high privileges requiredaffects engineering workstations that manage control systemscommand execution capability could lead to PLC configuration tampering

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

TwinCAT Package Manager <1.0.603.0<1.0.603.01.0.603.0

TwinCAT Package Manager: <1.0.603.0<1.0.603.01.0.613.0

Remediation & Mitigation

0/3

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate TwinCAT Package Manager to version 1.0.613.0 or later

Long-term hardening

0/2

HARDENINGRestrict administrative access on engineering workstations to only authorized personnel who need it for legitimate engineering tasks

HARDENINGIsolate engineering workstations and development networks from business networks using firewalls

CVEs (1)

CVE-2024-8934

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ec30a51d-28b7-4b76-96db-72937bdd86f7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.