PTC fixes critical ThingWorx, Kepware flaws

PTC has released patches addressing two critical security flaws affecting its ThingWorx Edge MicroServer and .NET SDK, ThingWorx Kepware Server, ThingWorx Industrial Connectivity, ThingWorx Kepware Edge, and Kepware KEPServerEX industrial IoT offerings, SecurityWeek reports. The flaws, tracked as CVE-2023-0754 and CVE-2023-0755, could be leveraged by threat actors to achieve arbitrary code execution and cause a denial-of-service condition without the need for authentication. Successful DoS attacks against industrial control systems could significantly disrupt critical industrial processes. However, PTC noted that the vulnerabilities, which were discovered by Incite Team researchers Steven Seeley and Chris Anastasio, could only be exploited in Kepware products with the ThingWorx interface enabled. Moreover, GE and Rockwell Automation products using the ThingWorx interface could also be compromised through the bugs, according to an advisory from the Cybersecurity and Infrastructure Security Agency. Whether the flaws can be exploited directly from the internet remains unknown.
