CVE-2022-2825
published 2023-03-29

Priority: P270 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.40% (87.4th percentile)
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX 6.11.718.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of text encoding conversions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-18411.

Affected (8 ranges)

Vendor             | Product                  | Version range | Fixed in
geindustrial       | gateway_server           | < 7.612       | 7.612
kepware            | kepserverex              |               |
ptc                | kepware_kepserverex      | < 6.12        | 6.12
ptc                | opc-aggregator           | < 6.12        | 6.12
ptc                | thingworx_kepware_edge   | < 1.4         | 1.4
ptc                | thingworx_kepware_server | < 6.12        | 6.12
rockwellautomation | kepserver_enterprise     | < 6.12        | 6.12
softwaretoolbox    | top_server               | < 6.12        | 6.12

Detection & IOCs (extracted from sources)

  • Trigger vector is specially crafted OPC UA messages transmitted to the server — monitor for anomalous or malformed OPC UA traffic targeting KEPServerEX
  • Vulnerability is exploitable without authentication and with low attack complexity — any unauthenticated OPC UA connection attempt to the server should be treated as potentially malicious in hardened environments
  • The flaw is a stack-based buffer overflow triggered during text encoding conversion — look for crashes or unexpected restarts of the KEPServerEX process (e.g., kepserverex.exe) as an indicator of exploitation attempts
  • Successful exploitation results in code execution as SYSTEM — monitor for unexpected SYSTEM-level process spawning from the KEPServerEX service
  • Affected version confirmed in NVD is KEPServerEX 6.11.718.0; all versions prior to 6.12 across multiple OEM rebrands are vulnerable (Rockwell KEPServer Enterprise < v6.12, GE Digital Industrial Gateway Server < v7.612, Software Toolbox TOP Server < v6.12, ThingWorx Kepware Edge <= v1.4)
  • ThingWorx Industrial Connectivity has ALL versions listed as vulnerable with no patched version available via the same product line; users must migrate to ThingWorx Kepware Server v6.12+
  • No known public exploits were available at time of advisory publication, reducing immediate mass-exploitation risk but not eliminating targeted attack risk given the CVSS 9.8 score

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H