ICSA-23-054-01 · Published 2023-02-27
PTC ThingWorx Edge
CVSS 9.8 (CRITICAL)
Risk Summary
Successful exploitation of these vulnerabilities could allow an attacker to crash the device they accessed or could allow remote code execution.
CVEs (2)
Remediations
- ThingWorx Edge C-SDK: 3.0.0 or later.
- ThingWorx Edge MicroServer (EMS): v5.4.11 or later.
- .NET-SDK: v5.8.5 or later.
- The vulnerability is mitigated for Kepware products if the ThingWorx Interface is not enabled. To use the ThingWorx Interface without the vulnerability, update to the latest version of the product:
  - Kepware KEPServerEX: v6.13 or later.
  - ThingWorx Kepware Server (formerly ThingWorx Industrial Connectivity): v6.13 or later.
  - ThingWorx Kepware Edge: v1.6 or later.
- The following products should be upgraded as indicated or in accordance with the applicable organization's recommendations if the ThingWorx Interface is in use:
  - Rockwell Automation KEPServer Enterprise: v6.13 or later.
  - GE Digital Industrial Gateway Server: v7.613 or later.
- For more information, see PTC's Customer Support Article (login required).
Affected Vendors
PTC
Affected Products (9)
- PTC · ThingWorx Edge C-SDK: <= 2.2.12.1052
- PTC · .NET-SDK: <= 5.8.4.971
- PTC · ThingWorx Edge MicroServer (EMS): <= 5.4.10.0
- PTC · Kepware KEPServerEX: <= 6.12
- PTC · ThingWorx Kepware Server (formerly ThingWorx Industrial Connectivity): <= 6.12
- PTC · ThingWorx Industrial Connectivity: vers:all/*
- PTC · ThingWorx Kepware Edge: <= 1.5
- PTC · Rockwell Automation KEPServer Enterprise: <= 6.12
- PTC · GE Digital Industrial Gateway Server: <= 7.612
Affected Sectors
Multiple