VxWorks, a real-time operating system (RTOS) that runs on more than 2 billion devices -- many in industrial, health-care and enterprise environments -- has been found to contain 11 vulnerabilities, six of which are critical flaws that enable remote code execution. Around 200 million devices are running the vulnerable versions of the RTOS, according to researchers.

Though not a household name, VxWorks is a ubiquitous OS used in a wide range of devices and embedded systems that require real-time, precise and deterministic performance. Such systems include SCADA systems, programmable logic controllers, elevator and industrial controllers, patient monitors and MRI machines, networking equipment, robotic arms, transportation systems, spacecraft and more. Device and systems manufacturers impacted by the 11 bugs include Siemens, Rockwell Automation, Mitsubishi Electronic, Samsung and Xerox.

Wind River, VxWorks' developer, issued a July 19 software update that patches the vulnerabilities, which, in addition to the half-dozen RCE bugs, include logic flaws, denial-of-service conditions and information leak vulnerabilities. The company also issued a security advisory last Thursday, offering several mitigation suggestions, and began advising affected device manufacturers.
