CVE-2022-2825
Published 2023-03-29
Priority P270 · critical 9.8 · CVSS 3.1 · vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 3.40% (87.4th percentile)
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX 6.11.718.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of text encoding conversions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-18411.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ge | industrial_gateway_server | < 7.612 | 7.612 |
| kepware | kepserverex | — | — |
| ptc | kepware_kepserverex | < 6.12 | 6.12 |
| ptc | opc-aggregator | < 6.12 | 6.12 |
| ptc | thingworx_kepware_edge | < 1.4 | 1.4 |
| ptc | thingworx_kepware_server | < 6.12 | 6.12 |
| rockwellautomation | kepserver_enterprise | < 6.12 | 6.12 |
| softwaretoolbox | top_server | < 6.12 | 6.12 |
Detection & IOCs (extracted from sources)
- Trigger vector is specially crafted OPC UA messages transmitted to the server — monitor for anomalous or malformed OPC UA traffic targeting KEPServerEX.
- Vulnerability is exploitable without authentication and with low attack complexity — any unauthenticated OPC UA connection attempt to the server should be treated as potentially malicious in hardened environments.
- The flaw is a stack-based buffer overflow triggered during text encoding conversion — look for crashes or unexpected restarts of the KEPServerEX process (e.g., kepserverex.exe) as an indicator of exploitation attempts.
- Successful exploitation results in code execution as SYSTEM — monitor for unexpected SYSTEM-level process spawning from the KEPServerEX service.
- Affected version confirmed in NVD is KEPServerEX 6.11.718.0; all versions prior to 6.12 across multiple OEM rebrands are vulnerable (Rockwell KEPServer Enterprise < v6.12, GE Digital Industrial Gateway Server < v7.612, Software Toolbox TOP Server < v6.12, ThingWorx Kepware Edge <= v1.4).
- ThingWorx Industrial Connectivity has ALL versions listed as vulnerable with no patched version available via the same product line — users must migrate to ThingWorx Kepware Server v6.12+.
- No known public exploits were available at time of advisory publication, reducing immediate mass-exploitation risk but not eliminating targeted attack risk given the CVSS 9.8 score.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
GHSA
GHSA-6rww-x4m5-6j62 · ghsa_unreviewed · 2023-03-29 · CRITICAL · CWE-121
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX V6.11.718.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of text encoding conversions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-18411.
CISA ICS
PTC Kepware KEPServerEX (Update A)
cisa_ics · 2022-08-30 · CVSS 9.1 · [CRITICAL]
ICS Advisory · Alert Code ICSA-22-242-10 · Last Revised September 08, 2022
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: PTC
- Equipment: Kepware KEPServerEX
- Vulnerabilities: Heap-based Buffer Overflow, Stack-based Buffer Overflow
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-22-242-10 PTC Kepware KEPServerEX that was published August 30, 2022, to the ICS webpage at www.cisa.gov/ics.
## 3. RISK EVALUATION
Successful exploitation of these vulner
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.