Beckhoff: Privilege Escalation through TwinCat System Tray (TcSysUI.exe)

Monitor | CVSS 7.3 | VDE-2020-037 | Nov 19, 2020
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

TwinCAT XAR 3.1 uses an insecure default installation path (C:\TwinCAT) with permissions that allow local users to modify executables in the 3.1\System directory. An attacker with local access can replace files like TcSysUI.exe and escalate privileges when those files are executed by other users. The vulnerability does not affect installations under C:\Program Files, which uses more restrictive default permissions.

What this means
What could happen
A local user on a Beckhoff industrial PC can replace system files in the default TwinCAT installation directory, allowing them to escalate privileges and execute code with higher permissions, potentially disrupting automation processes or altering control logic.
Who's at risk
Beckhoff industrial PCs (IPCs) running TwinCAT XAR 3.1 with the default installation directory are affected. This concerns manufacturing facilities, water treatment plants, and electrical substations that use Beckhoff automation controllers for PLC logic and process control.
How it could be exploited
An attacker with local access to the IPC can navigate to the default TwinCAT installation directory (C:\TwinCAT\3.1), replace or modify executable files like TcSysUI.exe with malicious versions, and wait for another user (including system processes) to execute them. When those executables run, the attacker's code runs with the privileges of that user.
Prerequisites
  • Local user account on the Beckhoff IPC
  • Write access to C:\TwinCAT\3.1 directory (default installation path only)
  • Another user or system process to execute the modified files
Local access required | Low complexity exploitation | No authentication bypass needed | Affects industrial automation runtime
Affected products (1)
Product | Affected Versions | Fix Status
TwinCAT XAR with default installation path 3.1 | 3.1 | Fix available
Remediation & Mitigation
Do now
WORKAROUND: For existing default installations, download the permission-fixing script from https://download.beckhoff.com/download/Document/product-security/Advisories/advisory-2020-003/cve-2020-12510.zip, run it as administrator via PowerShell, and allow it to copy C:\Program Files permissions to the C:\TwinCAT\3.1\System directory.
Long-term hardening
HARDENING: For new installations, install TwinCAT 3.1 to C:\Program Files instead of the default C:\TwinCAT directory.
HARDENING: Restrict local user access to the C:\TwinCAT directory using Windows file permissions, limiting write access to administrators and service accounts only.
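
To confirm whether an IPC still has the weak permissions, or that the workaround took effect, the following audit lists every write-capable allow ACE held by a non-administrative principal on the System directory and its binaries. It is an added example, not Beckhoff's script and not part of the original advisory; the trusted-SID list and the file extensions checked are assumptions to adjust for your site.

```powershell
# Added example: read-only ACL audit for the condition described in this advisory.
# Assumption: TwinCAT sits at the default path named on this page.
param([string]$Path = 'C:\TwinCAT\3.1\System')

# Rights that allow replacing or tampering with a file (write bits only, so
# plain read/execute ACEs do not match), plus GENERIC_WRITE and GENERIC_ALL.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

# Principals expected to hold write access (assumption): SYSTEM,
# BUILTIN\Administrators, TrustedInstaller. Anything else, including
# legitimate service accounts, is reported for manual review.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Check the directory itself and the binaries below it.
$targets = @(Get-Item -LiteralPath $Path -ErrorAction Stop)
$targets += @(Get-ChildItem -LiteralPath $Path -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll', '.sys' })

$findings = foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Ask for SIDs directly so results do not depend on localized account names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ([int]$ace.FileSystemRights -band $writeMask)) { continue }
        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
        [pscustomobject]@{
            Path      = $item.FullName
            Account   = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Account | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No write-capable ACEs for non-administrative principals under $Path"
}
```

Run it from an elevated PowerShell prompt so every ACL can be read; it only reads permissions and changes nothing.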
Beckhoff: Privilege Escalation through TwinCat System Tray (TcSysUI.exe) | CVSS 7.3 - OTPulse