CVE-2022-2848
Published: 2023-03-29

Priority: P2 · 64
Severity: critical · 9.1 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:H
EPSS: 3.37% (87.2th percentile)
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX 6.11.718.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of text encoding conversions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-16486.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ge | industrial_gateway_server | < 7.612 | 7.612 |
| kepware | kepserverex | — | — |
| ptc | kepware_kepserverex | < 6.12 | 6.12 |
| ptc | opc-aggregator | < 6.12 | 6.12 |
| ptc | thingworx_kepware_edge | < 1.4 | 1.4 |
| ptc | thingworx_kepware_server | < 6.12 | 6.12 |
| rockwellautomation | kepserver_enterprise | < 6.12 | 6.12 |
| softwaretoolbox | top_server | < 6.12 | 6.12 |
Detection & IOCs (extracted from sources)
- Target vector is OPC UA protocol messages: monitor for specially crafted OPC UA traffic directed at KEPServerEX listeners.
- Exploit requires no authentication and no user interaction: any unauthenticated OPC UA connection attempt to the server should be treated as potentially malicious in restricted environments.
- Trigger condition is a heap-based buffer overflow via text encoding conversion: look for anomalously large or malformed string/encoding fields in OPC UA request payloads.
- Successful exploitation may result in server crash (denial of service) or data leakage: monitor the KEPServerEX process for unexpected termination or abnormal memory reads.
- Code execution occurs in SYSTEM context: any new processes spawned by the KEPServerEX service (e.g., cmd.exe or powershell.exe as child processes) should be investigated.
- Affected version confirmed in NVD is KEPServerEX 6.11.718.0; all versions prior to 6.12 across multiple vendor OEM products are vulnerable.
- ThingWorx Industrial Connectivity is listed as ALL versions affected with no patched version available via that product line; users must migrate to ThingWorx Kepware Server v6.12.
- No known public exploits exist for this vulnerability at time of advisory publication.
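The child-process indicator above is the one most readily turned into a detection. The following is an added example, not code from the advisory, NVD, or PTC. It assumes process-creation telemetry in Sysmon Event ID 1 style (`EventID`, `Image`, `ParentImage`, `User`, `CommandLine` fields) exported as JSON lines, and it takes the executable name of the KEPServerEX runtime as a caller-supplied parameter because the sources name the service but not its binary; the `server_runtime.exe` value used in the sample is an assumption to be checked against the installed product. All sample events are constructed.

```python
"""Flag processes spawned by the KEPServerEX service (added example, not from the advisory).

Assumes Sysmon-style process-creation events as JSON lines. The parent image
name is an assumption supplied by the caller; verify it on the installed host.
"""
import json
from typing import Iterable, List, Dict, FrozenSet

# Shells, script hosts and common living-off-the-land binaries. The advisory
# singles out cmd.exe and powershell.exe; anything else spawned by the server
# is still reported, just at lower severity.
HIGH_RISK_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
    "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe",
}

# Assumption: name of the KEPServerEX runtime executable (not stated on the page).
ASSUMED_SERVICE_IMAGE = "server_runtime.exe"


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_children(events: Iterable[str], service_image: str,
                             allowed_children: FrozenSet[str] = frozenset()
                             ) -> List[Dict[str, str]]:
    """Return one finding per process-create event whose parent is the service.

    service_image: executable name (no path) of the service runtime.
    allowed_children: basenames this deployment legitimately expects the
    service to launch; an empty set reports every child.
    Malformed lines and non-process-create events are skipped, not raised.
    """
    findings = []
    for raw in events:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # broken telemetry line: skip rather than abort the sweep
        if ev.get("EventID") != 1:
            continue  # only process-creation events carry a parent image
        if basename(ev.get("ParentImage", "")) != service_image.lower():
            continue
        child = basename(ev.get("Image", ""))
        if child in allowed_children:
            continue
        findings.append({
            "time": ev.get("UtcTime", ""),
            "child": child,
            "user": ev.get("User", ""),
            "cmdline": ev.get("CommandLine", ""),
            "severity": "high" if child in HIGH_RISK_CHILDREN else "medium",
        })
    return findings


def _ev(**fields) -> str:
    """Build one constructed Sysmon-style JSON event line."""
    return json.dumps(fields)


SVC = r"C:\Program Files\Kepware\KEPServerEX 6\server_runtime.exe"  # assumed path

# Constructed sample telemetry; none of these are real log records.
SAMPLE_EVENTS = [
    _ev(EventID=1, UtcTime="2023-03-29 10:00:01", Image=r"C:\Windows\System32\cmd.exe",
        ParentImage=SVC, User=r"NT AUTHORITY\SYSTEM", CommandLine="cmd.exe /c whoami"),
    _ev(EventID=1, UtcTime="2023-03-29 10:00:02", Image=r"C:\Program Files\Kepware\updater_placeholder.exe",
        ParentImage=SVC, User=r"NT AUTHORITY\SYSTEM", CommandLine="updater_placeholder.exe"),
    _ev(EventID=1, UtcTime="2023-03-29 10:00:03", Image=r"C:\Windows\System32\notepad.exe",
        ParentImage=r"C:\Windows\explorer.exe", User=r"HOST\operator", CommandLine="notepad.exe"),
    "{ this line is not valid json",
    _ev(EventID=3, UtcTime="2023-03-29 10:00:04", Image=SVC, DestinationPort=4840),
    _ev(EventID=1, UtcTime="2023-03-29 10:00:05", Image=r"C:\Windows\System32\rundll32.exe",
        ParentImage=SVC, User=r"NT AUTHORITY\SYSTEM", CommandLine="rundll32.exe x.dll,Run"),
    _ev(EventID=1, UtcTime="2023-03-29 10:00:06", Image=r"C:\Users\Public\unknown_tool.exe",
        ParentImage=SVC, User=r"NT AUTHORITY\SYSTEM", CommandLine="unknown_tool.exe"),
]


def run_sample() -> List[Dict[str, str]]:
    """Sweep the constructed sample with the placeholder updater allow-listed."""
    return find_suspicious_children(SAMPLE_EVENTS, ASSUMED_SERVICE_IMAGE,
                                    frozenset({"updater_placeholder.exe"}))


if __name__ == "__main__":
    for f in run_sample():
        print(f["severity"].upper(), f["time"], f["child"], f["user"], f["cmdline"])
```

The allow-list is deliberately per deployment: a tuning pass over a week of clean telemetry tells you which children the service legitimately launches, and everything outside that set is worth a ticket given that the service runs as SYSTEM.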
CVSS provenance
- NVD, CVSS v3.1: 9.1 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
- NVD, CVSS v3.0: 9.1 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
GHSA
GHSA-f952-wvmx-6w24 (ghsa_unreviewed · 2023-03-29): CVE-2022-2848 [CRITICAL], CWE-119. The GHSA description repeats the ZDI text above, naming the affected build as Kepware KEPServerEX V6.11.718.0: an unauthenticated heap-based buffer overflow in the handling of text encoding conversions, leading to code execution as SYSTEM. Was ZDI-CAN-16486.
CISA ICS
PTC Kepware KEPServerEX (Update A)
cisa_ics · 2022-08-30 · CVSS 9.1 · [CRITICAL]
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory: PTC Kepware KEPServerEX (Update A)
Last Revised: September 08, 2022
Alert Code: ICSA-22-242-10
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: PTC
- Equipment: Kepware KEPServerEX
- Vulnerabilities: Heap-based Buffer Overflow, Stack-based Buffer Overflow
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-22-242-10 PTC Kepware KEPServerEX that was published August 30, 2022, to the ICS webpage at www.cisa.gov/ics.
## 3. RISK EVALUATION
Successful exploitation of these vulner
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-03-29