Rockwell Automation KEPServer
Plan Patch | 7.5 | ICS-CERT ICSA-25-030-04 | Jan 30, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in Rockwell Automation KEPServer versions 6.0 through 6.14.263 allows a remote attacker with network access to send a specially crafted message that causes the KEPServer process to crash. KEPServer is widely used as a data gateway and OPC server to integrate legacy industrial equipment (Modbus devices, older PLCs, drives) with modern SCADA systems and data historians. A crash disrupts real-time data exchange and monitoring until the service is manually restarted, potentially causing loss of process visibility and delayed incident detection.
What this means
What could happen
A remote attacker can crash KEPServer, disrupting real-time data exchange between your industrial devices (PLCs, drives, sensors) and your SCADA or data logging systems, potentially causing loss of visibility into process operations.
Who's at risk
Water utilities and electric utilities that use Rockwell Automation KEPServer (versions 6.0–6.14.263) to bridge between legacy industrial devices (Modbus RTU/TCP, legacy drives, older PLCs) and modern SCADA or data historian systems are affected. This is common in facilities running extended equipment lifecycles or mixed-vendor environments.
How it could be exploited
An attacker with network access to the KEPServer port sends a malformed request that triggers a denial-of-service condition, causing the service to crash. KEPServer typically communicates on the network with standard industrial protocols, so any device with network reachability to the server can send the malicious request.
Prerequisites
- Network access to the KEPServer instance (typically port 502 for Modbus or other OPC/industrial protocol ports)
- No authentication required
remotely exploitable, no authentication required, low complexity, causes denial of service (process visibility loss), affects data acquisition/SCADA integration
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: KEPServer
Affected Versions: ≥ 6.0, ≤ 6.14.263
Fix Status: 6.15 or later
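Added example, not from the advisory or from Rockwell Automation: triaging an asset inventory against the affected range and fix version listed above. The host names and version strings are constructed sample data; versions that fall outside both the affected range and the fix are reported as unlisted rather than guessed.

```python
import re

# Bounds taken from the advisory: affected 6.0 through 6.14.263, fixed in 6.15 or later.
AFFECTED_MIN = (6, 0, 0)
AFFECTED_MAX = (6, 14, 263)
FIXED_MIN = (6, 15, 0)

def parse_version(text):
    """Return (major, minor, build), or None if the string is not a version.
    Accepts an optional leading 'V' and ignores components after the third."""
    m = re.fullmatch(r"\s*[vV]?(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*\s*", text or "")
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"    # unparseable inventory entry: verify on the host
    if v >= FIXED_MIN:
        return "fixed"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    return "unlisted"       # older than 6.0, or between 6.14.263 and 6.15

def triage(inventory):
    """Group (host, version) pairs by status so affected hosts can be scheduled."""
    groups = {"affected": [], "fixed": [], "unlisted": [], "unknown": []}
    for host, version in inventory:
        groups[classify(version)].append(host)
    return groups

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    ("opc-gw-01", "6.14.263.0"),
    ("opc-gw-02", "V6.9.572.0"),
    ("opc-gw-03", "6.15.132.0"),
    ("opc-gw-04", "6.14.270"),
    ("opc-gw-05", "5.21.112.0"),
    ("opc-gw-06", "not installed"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```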
Remediation & Mitigation
Do now
HARDENING: Isolate KEPServer from the Internet and untrusted networks using a firewall; restrict inbound connections to only trusted engineering workstations and control system devices
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade KEPServer to version 6.15 or later
Long-term hardening
HARDENING: Implement network segmentation to place KEPServer on a separate VLAN or zone with strict access controls between the IT business network and OT control network
CVEs (1)