OTPulse
FeedAboutContact

Beckhoff Automation TwinCAT Package Manager

Monitor6.5ICS-CERT ICSA-24-312-01Nov 7, 2024
Attack VectorLocal
Auth RequiredHigh
ComplexityLow
User InteractionRequired
Summary

TwinCAT Package Manager versions before 1.0.603.0 contain an OS command injection vulnerability. A local attacker with administrative access rights could exploit this by injecting malicious commands through the package manager interface, allowing arbitrary OS command execution on the affected system. This impacts engineering workstations and automation controllers that rely on TwinCAT for PLC programming and configuration management.

What this means
What could happen
A local attacker with administrative privileges could execute arbitrary operating system commands on a system running the affected TwinCAT Package Manager, potentially compromising engineering workstations or automation controllers that depend on this software for PLC programming and configuration.
Who's at risk
Engineering personnel and automation specialists at utilities and manufacturing facilities using Beckhoff TwinCAT software to program and configure PLCs, remote I/O modules, and process automation systems. This affects workstations and controller systems that use TwinCAT Package Manager for software deployment and updates.
How it could be exploited
An attacker with administrative access to a workstation or controller running vulnerable TwinCAT Package Manager could supply malicious input that executes arbitrary OS commands through the package manager interface. This requires local access and administrative privileges on the affected system.
Prerequisites
  • Local access to the system running TwinCAT Package Manager
  • Administrative or elevated user account on the affected system
  • Ability to interact with the TwinCAT Package Manager interface or configuration files
Requires local access (not remotely exploitable)Requires administrative privilegesLow complexity exploitation once local access obtainedAffects control system engineering tools
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
TwinCAT Package Manager: <1.0.603.0<1.0.603.01.0.613.0
Remediation & Mitigation
0/4
Do now
0/1
HARDENINGRestrict administrative access to TwinCAT Package Manager to trusted personnel only; audit who has administrative privileges
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate TwinCAT Package Manager to version 1.0.613.0 or later
Long-term hardening
0/2
HARDENINGImplement host-based access controls and application whitelisting to prevent unauthorized package manager modifications
HARDENINGMonitor and restrict local network access to engineering workstations running TwinCAT from untrusted network segments
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/ec30a51d-28b7-4b76-96db-72937bdd86f7