Article - CS334963

PTC vulnerabilities in KEPServerEX and ThingWorx Kepware Server

Modified: 11-Jan-2021   

Applies To

  • KEPServerEX 6.0.2107.0 to 6.9
  • ThingWorx Kepware Server 6.8 to 6.9
  • ThingWorx Kepware Edge 1.0 to 1.1
  • CISA has published an ICS advisory regarding the vulnerability


  • PTC has become aware of vulnerabilities in the Kepware OPC UA server interface for:
    • KEPServerEX
      • Applies to versions v6.0.xx to v6.9.xx
    • ThingWorx Kepware Server
      • Applies to versions 6.8.xx and 6.9.xx
    • ThingWorx Industrial Connectivity (deprecated; replaced by ThingWorx Kepware Server)
      • Applies to all versions 
    • ThingWorx Kepware Edge
      • Applies to versions 1.0, 1.1
      • OPC Aggregator
        • Applies to all versions prior to build 6.9.584.0
    • Should a malicious actor gain access to the customer’s ThingWorx Kepware application and perform a successful attack, the customer may experience a crash of ThingWorx Kepware products.
      • The following is the range of possible impacts:
        • Loss of ability to configure the application
        • Loss of data 
        • Loss of data acquisition 
        • Loss of control of systems
    • The industrial control system may continue to run, and the system should be designed to fail safely
      • If it is not, actions may need to be taken to safely continue or to shut the system down as appropriate for the specific system
    • Customers that have turned off the OPC UA interface are not vulnerable. It is important to note that this interface is on by default after install. To disable the interface, please follow the steps in CS336588.