Critical Vulnerabilities in PTC Products Patched

March 1, 2023

Two critical vulnerabilities in several industrial IoT (IIoT) software products made by PTC have been patched. Discovered by Chris Anastasio and Steven Seeley of Incite Team, the vulnerabilities, CVE-2023-0754 and CVE-2023-0755, can be exploited for denial-of-service (DoS) attacks and remote code execution. Affected products include ThingWorx Edge MicroServer (EMS) and .NET SDK, Kepware KEPServerEX, ThingWorx Kepware Server, ThingWorx Industrial Connectivity, and ThingWorx Kepware Edge.

The US Cybersecurity and Infrastructure Security Agency (CISA) informed organizations about the vulnerabilities in an advisory published on February 23, and the researchers have released proof-of-concept (PoC) exploits. While remote code execution is technically possible, an attacker exploiting these flaws would most likely achieve only a denial-of-service condition. It is unclear whether the vulnerabilities can be exploited directly from the internet. PTC has released updates addressing the vulnerabilities.
