CVE-2020-12510
📋 TL;DR
The default installation path of TwinCAT XAR 3.1, C:\TwinCAT, is left writable by ordinary local users. A user with limited privileges can therefore overwrite a TwinCAT executable (TcSysUI.exe) that Windows launches automatically at login; the next user to log on runs the replaced binary in their own session, so when that user is an administrator the attacker's code executes with administrator privileges. All TwinCAT XAR 3.1 builds before 3.1.4024.10 installed to the default path are affected. The issue only matters on systems where several local accounts with different privilege levels log on interactively.
💻 Affected Systems
- Beckhoff TwinCAT XAR 3.1
📦 What is this software?
TwinCAT XAR (eXtended Automation Runtime) is the runtime half of Beckhoff's TwinCAT 3 automation platform: it executes PLC, motion and other real-time tasks on Windows-based Beckhoff industrial PCs and embedded controllers, alongside the XAE engineering environment used to program them.
⚠️ Risk & Real-World Impact
Worst Case
Privilege escalation to SYSTEM/administrator level, allowing complete system compromise, lateral movement, and persistence.
Likely Case
Local privilege escalation from low-privilege user to administrator, enabling installation of malware, data theft, or system manipulation.
If Mitigated
With write access to C:\TwinCAT restricted to administrators and SYSTEM, the binary cannot be replaced and no escalation occurs; any remaining impact is confined to what the low-privileged user could already do in their own session.
🎯 Exploit Status
Exploitation requires an interactive local account (or code execution as one) and write access to C:\TwinCAT, which the default installation grants; the attacker then waits for a higher-privileged user to log on. No special tooling is needed: the attack is a file replacement in a known location.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: TwinCAT 3.1.4024.10 or later
Vendor Advisory: https://cert.vde.com/en-us/advisories/vde-2020-037
Restart Required: Yes
Instructions:
1. Update TwinCAT XAR 3.1 to version 3.1.4024.10 or later.
2. Restart affected systems.
3. Verify that the permissions on the existing C:\TwinCAT tree have been corrected; do not assume the update fixed an installation that was already in place, check the ACLs.
🔧 Temporary Workarounds
Secure directory permissions
Windows: Restrict write access on C:\TwinCAT to Administrators and SYSTEM while keeping read/execute for ordinary users, so the TwinCAT components that start at login still run in their sessions (the Users:RX grant is a practical assumption; test the runtime after applying it). Grant the explicit ACEs first, then remove the inherited ones; /grant:r replaces any existing explicit grant for those principals instead of merging with it. Run from an elevated prompt.
icacls C:\TwinCAT /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Users:(OI)(CI)RX"
icacls C:\TwinCAT /inheritance:r
The new inheritable ACEs propagate to children that still inherit from C:\TwinCAT, but subfolders or files carrying their own explicit grants to Users, Authenticated Users or Everyone keep them; list the tree with icacls C:\TwinCAT /T /C and treat those the same way. If a TwinCAT component legitimately needs a user-writable subdirectory, grant write there only, never on the executables.
Disable automatic execution
Windows: Remove the TcSysUI value from the Run keys so nothing launches the replaceable binary at login (the value name is as given on this page; confirm it with reg query on the key before deleting). This removes one trigger only: the directory stays writable, so combine it with the permission fix above. The HKLM deletion needs an elevated prompt.
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v TcSysUI /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v TcSysUI /f
🧯 If You Can't Patch
- Implement strict access controls on the C:\TwinCAT tree, removing write, modify and delete permissions for non-administrative principals (Users, Authenticated Users, Everyone), not just the top-level directory.
- Avoid interactive administrator logons on hosts that also have low-privileged local accounts: the attack needs a higher-privileged user to log on after the binary has been replaced, so a single-user or equal-privilege host has nothing to escalate to.
🔍 How to Verify
Check if Vulnerable:
Check whether C:\TwinCAT exists (the default path condition) and examine its permissions with: icacls C:\TwinCAT. Look for Allow entries for BUILTIN\Users, NT AUTHORITY\Authenticated Users or Everyone carrying F, M, W or the specific (WD), (AD), (D) or (DC) rights; an (I) flag on such an entry means it was inherited from C:\, an entry without it was set on the directory itself.
Check Version:
Check TwinCAT version in Control Panel > Programs and Features or via registry: reg query "HKLM\SOFTWARE\Beckhoff\TwinCAT3" /v Version
Verify Fix Applied:
Verify TwinCAT version is 3.1.4024.10 or later and confirm that neither C:\TwinCAT nor its subdirectories and executables grant write, modify or delete access to BUILTIN\Users, Authenticated Users or Everyone.
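The checks above, as one script. This is an added example, not Beckhoff's or the advisory's code: it walks the C:\TwinCAT tree for write-class ACEs granted to principals every local user belongs to, inspects the TcSysUI Run-key entries named on this page and the Authenticode signature of whatever they launch, and reads the installed version from the same Uninstall keys Programs and Features displays. Two assumptions are not stated in the advisory and are marked in the code: that the genuine binary carries a Beckhoff signature, and that 3.1.4024.10 is the threshold to compare against (taken from the fix section of this page).

```powershell
# Added example, not Beckhoff's or the advisory's code. Run in an elevated
# PowerShell on the TwinCAT host.
$Root = 'C:\TwinCAT'
if (-not (Test-Path -Path $Root)) {
    throw "$Root does not exist; the default-path condition of CVE-2020-12510 does not apply."
}

# Principals every local user belongs to (or can become). An Allow ACE with
# write-class rights for one of these lets a low-privileged user replace files.
$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE', 'CREATOR OWNER')

# Specific rights that create, overwrite, delete or re-ACL objects. Modify and
# FullControl contain these bits, so they are caught as well.
$WriteRights = [int][System.Security.AccessControl.FileSystemRights] 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic rights show up as raw bits: GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000.
$GenericWriteBits = 0x50000000

function Test-LowPrivWriteAce {
    param([System.Security.AccessControl.FileSystemAccessRule] $Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($LowPriv -notcontains $Ace.IdentityReference.Value) { return $false }
    $raw = [int] $Ace.FileSystemRights
    return (($raw -band $WriteRights) -ne 0) -or (($raw -band $GenericWriteBits) -ne 0)
}

function Get-TwinCatWritableAces {
    # Directories matter for create/delete/rename; .exe/.dll files for in-place overwrite.
    $targets = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -or ($_.Extension -in @('.exe', '.dll')) })
    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if (Test-LowPrivWriteAce -Ace $ace) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Get-TcSysUiAutorun {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $cmd = (Get-ItemProperty -Path $key -Name TcSysUI -ErrorAction SilentlyContinue).TcSysUI
        if (-not $cmd) { continue }
        # Reduce a quoted or unquoted command line to the executable path.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
        $status = if ($sig) { $sig.Status } else { 'file not found' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Hive         = $hive
            Command      = $cmd
            Signature    = $status
            Signer       = $signer
            # Assumption: the genuine TcSysUI.exe is signed by Beckhoff.
            LooksGenuine = ($status -eq 'Valid') -and ($signer -match 'Beckhoff')
        }
    }
}

function Get-TwinCatInstalledVersion {
    # Same data Programs and Features shows, from the 64-bit and 32-bit Uninstall keys.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*TwinCAT*' } |
        ForEach-Object {
            $v = $null
            [void][version]::TryParse($_.DisplayVersion, [ref] $v)
            [pscustomobject]@{
                Product      = $_.DisplayName
                Version      = $_.DisplayVersion
                # Threshold taken from the fix section of this page; unparsable versions report $false.
                AtOrAboveFix = ($null -ne $v) -and ($v -ge [version] '3.1.4024.10')
            }
        }
}

$writable = @(Get-TwinCatWritableAces)
if ($writable.Count -eq 0) {
    "OK: no write-class ACEs for low-privileged principals under ${Root}."
} else {
    "VULNERABLE: $($writable.Count) write-class ACE(s) for low-privileged principals under ${Root}:"
    $writable | Format-Table -AutoSize
}
Get-TcSysUiAutorun | Format-List
Get-TwinCatInstalledVersion | Format-Table -AutoSize
```

A clean result is an empty writable list, a Valid Beckhoff-signed autorun target, and AtOrAboveFix true; any inherited entry in the writable list (Inherited = True) is exactly the ACE that the icacls workaround's /inheritance:r removes, while a non-inherited one was set explicitly on that object and needs its own /grant:r.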
📡 Detection & Monitoring
Log Indicators:
- File creation, modification or deletion under C:\TwinCAT (Security event 4663; this only appears once the File System audit subcategory is enabled and a SACL is set on the directory, there is nothing by default)
- TcSysUI.exe, or whatever the Run value launches, started from a path outside C:\TwinCAT, or with a missing or invalid Authenticode signature (process creation event 4688 with command-line logging shows the path)
- Post-exploitation traces following an administrator logon (4624): a child process of TcSysUI.exe that the genuine UI never spawns (cmd.exe, powershell.exe), a new local user (4720) or a member added to Administrators (4732)
Network Indicators:
- Unusual outbound connections from TwinCAT processes
- Lateral movement attempts from affected systems
SIEM Query:
EventID=4663 AND ObjectName LIKE 'C:\TwinCAT\%' AND (Accesses LIKE '%WriteData%' OR Accesses LIKE '%AppendData%' OR Accesses LIKE '%DELETE%' OR Accesses LIKE '%WRITE_DAC%') AND SubjectUserName NOT LIKE '%$' AND SubjectUserName NOT IN ('<accounts that legitimately write here>')
Notes on the query: 4663 carries the acting account name, not its group memberships, so 'Administrators' cannot be excluded as a name; list the specific admin accounts that legitimately write here instead (placeholder above). SYSTEM and services log under the machine account (NAME$), hence the trailing-$ exclusion. The Accesses text varies by rendering; where the SIEM exposes the raw AccessMask, match the bits 0x2 (WriteData), 0x4 (AppendData), 0x10000 (DELETE) and 0x40000 (WRITE_DAC) instead of the strings.
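Because 4663 is silent unless auditing is switched on, the query alone catches nothing. The following script is an added example, not from the advisory or Beckhoff: part 1 enables the File System audit subcategory and puts an inheriting SACL on C:\TwinCAT, part 2 reads 4663 from the Security log and applies the same filter as the query above on the raw access mask. The $KnownAdmins list is a site-specific assumption (accounts allowed to write there); run elevated, since changing a SACL requires SeSecurityPrivilege.

```powershell
# Added example, not from the advisory or Beckhoff. Run in an elevated PowerShell.
$Root = 'C:\TwinCAT'

# --- Part 1: make the host record writes under $Root at all -------------------
# 4663 needs the "File System" subcategory enabled ...
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# ... and a SACL on the object saying which accesses to record. Audit every
# principal (Everyone) for the rights that create, overwrite, delete or re-ACL,
# inherited down the whole tree. Failures are recorded too, so attempts made
# after the permission fix still show up.
$acl = Get-Acl -Path $Root -Audit
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl.AddAuditRule($auditRule)
Set-Acl -Path $Root -AclObject $acl

# --- Part 2: pull 4663 and keep only suspicious writes ------------------------
function Get-TwinCatWriteEvents {
    param(
        [string[]] $KnownAdmins = @('Administrator'),   # assumption: replace with your site's accounts
        [datetime] $Since = (Get-Date).AddDays(-1)
    )
    # AccessMask bits that mean create/overwrite/delete/re-ACL:
    # FILE_WRITE_DATA 0x2, FILE_APPEND_DATA 0x4, DELETE 0x10000, WRITE_DAC 0x40000.
    $writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000

    # SYSTEM and services log under the machine account (NAME$). Group membership
    # is not in the event, so legitimate admins are excluded by account name.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml] $_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $d['SubjectUserName']
                Domain     = $d['SubjectDomainName']
                Process    = $d['ProcessName']
                Object     = $d['ObjectName']
                AccessMask = [int] $d['AccessMask']    # "0x2" style strings convert directly
            }
        } |
        Where-Object {
            ($_.Object -like "$Root\*") -and
            (($_.AccessMask -band $writeMask) -ne 0) -and
            ($_.User -notlike '*$') -and
            ($KnownAdmins -notcontains $_.User)
        }
}

Get-TwinCatWriteEvents | Sort-Object Time | Format-Table -AutoSize
```

The Process column is the quickest triage signal: a write by explorer.exe, cmd.exe or powershell.exe against a .exe under C:\TwinCAT from a non-admin account is the replacement step of this vulnerability, whereas writes by a Beckhoff installer running as an administrator are expected and drop out through $KnownAdmins.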