ICSA-22-242-10 · Published 2022-09-08
PTC Kepware KEPServerEX (Update A)
CVSS 9.8 (CRITICAL)
Risk Summary
Successful exploitation of these vulnerabilities could allow an attacker to crash the device or remotely execute arbitrary code.
CVEs (2)
Remediations
- Kepware KEPServerEX: Upgrade to v6.12 or later
- ThingWorx Kepware Server: Upgrade to v6.12 or later
- ThingWorx Industrial Connectivity: Upgrade to ThingWorx Kepware Server v6.12 or later
- OPC-Aggregator: Upgrade to v6.12 or later
- ThingWorx Kepware Edge: Upgrade to v1.5 or later
- For additional information and instructions on upgrading PTC software, refer to PTC's security advisory (login required).
- Rockwell Automation KEPServer Enterprise: Upgrade to v13.01.00 or later
- GE Digital Industrial Gateway Server: Upgrade to v7.612 or later
- Software Toolbox TOP Server: Upgrade to v6.12 or later
- Users of these products should contact the associated vendors for any additional information or assistance.
Affected Vendors
PTC
Affected Products (8)
- PTC · GE Digital Industrial Gateway Server: < 7.612
- PTC · Kepware KEPServerEX: < 6.12
- PTC · OPC-Aggregator: < 6.12
- PTC · Rockwell Automation KEPServer Enterprise: < 6.12
- PTC · Software Toolbox TOP Server: < 6.12
- PTC · ThingWorx Industrial Connectivity: vers:all/*
- PTC · ThingWorx Kepware Edge: <= 1.4
- PTC · ThingWorx Kepware Server: < 6.12
Affected Sectors
Multiple Sectors