Rockwell Automation KEPServer

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-25-030-04 | Jan 30, 2025
Rockwell Automation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

KEPServer versions 6.0 through 6.14.263 contain a denial-of-service vulnerability that can cause the device to crash. The vulnerability has a CVSS score of 7.5, requires no authentication, and is remotely exploitable over the network.

What this means
What could happen
An attacker could crash KEPServer, disrupting data acquisition and connectivity to your industrial devices. If KEPServer is the primary communication bridge to PLCs or other controllers, this could halt monitoring and control capabilities until the service is manually restarted.
Who's at risk
Water utilities, electric utilities, and manufacturing plants that use KEPServer as a data acquisition and protocol gateway for PLCs, RTUs, and SCADA systems. Facilities relying on KEPServer for real-time monitoring and supervisory control of industrial processes are most affected, particularly those with limited redundancy or manual fallback procedures.
How it could be exploited
An attacker on the network sends a malformed request to KEPServer (typically on port 502 or the web interface port). The application fails to validate the input, consumes excessive resources or enters an invalid state, and crashes. The attacker does not need valid credentials or user interaction.
Prerequisites
  • Network access to KEPServer (typically port 502 for Modbus/TCP or port 49152+ for other protocols)
  • KEPServer must be running version 6.0 through 6.14.263
Tags: remotely exploitable, no authentication required, low complexity, affects industrial monitoring and control, potential for extended downtime if service restart is not automated
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product: KEPServer: >=6.0|<=6.14.263
Affected Versions: ≥ 6.0|≤ 6.14.263
Fix Status: 6.15+
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to KEPServer ports to only authorized engineering workstations and industrial devices that require connectivity
  • HARDENING: Implement firewall rules to block direct internet-facing access to KEPServer
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update KEPServer to version 6.15 or later
Long-term hardening
  • HARDENING: Segment KEPServer onto a separate control network with restricted access from the business network
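
Added example (not part of the original advisory or any vendor tooling): a triage script that classifies installed KEPServer versions against the range stated above and lists flow sources outside an allowlist that reach KEPServer ports. The host addresses, flow records, and allowlist are constructed sample data, and the port test uses the "typical" ports named on this page as an assumption to be replaced with the ports actually configured.

```python
import ipaddress

AFFECTED_MIN = (6, 0, 0)      # advisory: affected from 6.0 ...
AFFECTED_MAX = (6, 14, 263)   # ... through 6.14.263
FIXED_MIN = (6, 15, 0)        # advisory: fixed in 6.15 or later

def classify(version_text):
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable'."""
    try:
        v = tuple(int(part) for part in version_text.strip().split("."))
    except ValueError:
        return "unparseable"
    v = v + (0,) * (3 - len(v))          # so '6.0' compares like '6.0.0'
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_MIN:
        return "fixed"
    # Builds before 6.0, or between 6.14.263 and 6.15, are not covered by
    # the advisory text; flag them for manual review instead of guessing.
    return "not-listed"

def is_kepserver_port(port):
    """Assumption taken from the page's 'typical' ports: 502 or 49152+."""
    return port == 502 or port >= 49152

def unauthorized_sources(flows, allowed_nets):
    """flows: iterable of (src_ip, dst_port) seen at the KEPServer host.
    Returns sorted (src_ip, dst_port) pairs from outside the allowlist."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = set()
    for src, dport in flows:
        if not is_kepserver_port(dport):
            continue
        if not any(ipaddress.ip_address(src) in net for net in allowed):
            hits.add((src, dport))
    return sorted(hits)

# Constructed sample data for illustration only.
SAMPLE_INVENTORY = {"hist-01": "6.14.263", "gw-02": "6.15.154", "lab-03": "6.14.300"}
SAMPLE_FLOWS = [("10.20.0.5", 502), ("192.0.2.44", 502), ("10.20.0.9", 49320),
                ("192.0.2.44", 443), ("10.30.1.7", 49500)]
SAMPLE_ALLOWLIST = ["10.20.0.0/24"]   # engineering workstation subnet (assumed)

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY.items():
        print(f"{host}: {version} -> {classify(version)}")
    for src, port in unauthorized_sources(SAMPLE_FLOWS, SAMPLE_ALLOWLIST):
        print(f"review: {src} reached KEPServer port {port}")
```
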
API: /api/v1/advisories/96bde612-3a70-4b29-ac35-a15a1cd3ef8f


Rockwell Automation KEPServer | CVSS 7.5 - OTPulse