CVE-2022-2848
published 2023-03-29


Priority: P2 (64) · Severity: critical · CVSS 3.1 base score: 9.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:H
EPSS: 3.37% (87.2th percentile)
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX 6.11.718.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of text encoding conversions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-16486.

Affected (8 ranges)

Vendor              Product                     Version range   Fixed in
ge                  industrial_gateway_server   < 7.612         7.612
kepware             kepserverex
ptc                 kepware_kepserverex         < 6.12          6.12
ptc                 opc-aggregator              < 6.12          6.12
ptc                 thingworx_kepware_edge      < 1.4           1.4
ptc                 thingworx_kepware_server    < 6.12          6.12
rockwellautomation  kepserver_enterprise        < 6.12          6.12
softwaretoolbox     top_server                  < 6.12          6.12

Detection & IOCs (extracted from sources)

  • Target vector is OPC UA protocol messages — monitor for specially crafted OPC UA traffic directed at KEPServerEX listeners
  • Exploit requires no authentication and no user interaction — any unauthenticated OPC UA connection attempt to the server should be treated as potentially malicious in restricted environments
  • Trigger condition is a heap-based buffer overflow via text encoding conversion — look for anomalously large or malformed string/encoding fields in OPC UA request payloads
  • Successful exploitation may result in server crash (denial of service) or data leakage — monitor KEPServerEX process for unexpected termination or abnormal memory reads
  • Code execution occurs in SYSTEM context — any new processes spawned by the KEPServerEX service (e.g., cmd.exe, powershell.exe as child processes) should be investigated
  • Affected version confirmed in NVD is KEPServerEX 6.11.718.0; all versions prior to 6.12 across multiple vendor OEM products are vulnerable
  • ThingWorx Industrial Connectivity is listed as ALL versions affected with no patched version available via that product line — users must migrate to ThingWorx Kepware Server v6.12
  • No known public exploits exist for this vulnerability at time of advisory publication

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvd     v3.0     9.1    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H