CVE-2023-27321

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to cause a denial of service by sending excessive OPC UA ConditionRefresh requests to OPC Foundation UA .NET Standard servers, consuming all server resources. It affects systems using vulnerable versions of the OPC UA .NET Standard stack, and authentication is not required for exploitation.

💻 Affected Systems

Products:
  • OPC Foundation UA .NET Standard Stack
Versions: prior to 1.4.368.58
Operating Systems: Windows, Linux, all platforms running .NET Standard
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application using the vulnerable OPC UA .NET Standard stack, including custom implementations and third-party products built on this stack.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage of the OPC UA server, potentially affecting industrial control systems and manufacturing operations that depend on OPC UA communication.

🟠 Likely Case

Service degradation or temporary unavailability of OPC UA server functionality, disrupting data exchange between industrial systems.

🟢 If Mitigated

Minimal impact with proper rate limiting, network segmentation, and updated software.

🌐 Internet-Facing: HIGH - Because no authentication is required and exploitation is remote, internet-facing systems are particularly exposed.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but may be protected by additional network controls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A simple resource-exhaustion attack requiring only the ability to send OPC UA ConditionRefresh requests to a vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.368.58 and later

Vendor Advisory: https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2023-27321.pdf

Restart Required: Yes

Instructions:

1. Download OPC UA .NET Standard Stack version 1.4.368.58 or later from the OPC Foundation.
2. Replace the existing OPC UA .NET Standard assemblies with the updated versions.
3. Rebuild and redeploy applications using the stack.
4. Restart affected services.

🔧 Temporary Workarounds

Network Rate Limiting (applies to: all platforms)

Implement rate limiting on OPC UA endpoints to restrict the number of ConditionRefresh requests per client.

Network Segmentation (applies to: all platforms)

Restrict access to OPC UA servers to trusted networks only.

🧯 If You Can't Patch

  • Implement strict network access controls to limit which systems can communicate with OPC UA endpoints
  • Deploy intrusion prevention systems or web application firewalls configured to detect and block excessive ConditionRefresh requests

🔍 How to Verify

Check if Vulnerable:

Check whether the OPC UA .NET Standard assemblies are version 1.4.368.58 or later. Review application dependencies for the OPC.UA.Core.dll version.

Check Version:

On Windows: Get-Item 'path\to\OPC.UA.Core.dll' | Select-Object -ExpandProperty VersionInfo

Verify Fix Applied:

Verify that the OPC.UA.Core.dll file version is 1.4.368.58 or higher. Test with controlled ConditionRefresh request bursts to confirm the service remains available.

📡 Detection & Monitoring

Log Indicators:

  • Unusually high frequency of ConditionRefresh requests
  • OPC UA server resource exhaustion warnings
  • Increased CPU/memory usage on OPC UA servers

Network Indicators:

  • High volume of OPC UA ConditionRefresh messages from single source
  • Abnormal traffic patterns to OPC UA endpoints (typically port 4840)

SIEM Query:

source="opc-ua-logs" AND message="*ConditionRefresh*" | stats count by src_ip | where count > 100
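The SIEM query above counts ConditionRefresh requests per source address over the whole search range. As an added example (not part of the advisory or the OPC Foundation stack), the Python below applies the same per-source threshold over a sliding time window, so a short burst is distinguished from a slow trickle that happens to reach the same total. The log line format, the addresses and the timestamps are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed log format (not a real OPC UA stack format): "<ISO timestamp> <src_ip> <service>"
LOG_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (\w+)")

def find_condition_refresh_bursts(lines, threshold=100, window_s=60):
    """Return {src_ip: peak_count} for every source whose ConditionRefresh
    requests within any window_s-second window exceed threshold.
    Mirrors the advisory's 'stats count by src_ip | where count > 100',
    but evaluated per time window rather than over the whole search range."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    peak = defaultdict(int)       # src_ip -> largest window count seen so far
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue               # skip lines that do not match the assumed format
        ts_text, src_ip, service = m.groups()
        if service != "ConditionRefresh":
            continue               # only the service named in the advisory is counted
        ts = datetime.fromisoformat(ts_text)
        q = recent[src_ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that have fallen out of the window
            q.popleft()
        peak[src_ip] = max(peak[src_ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}

def constructed_log():
    """Constructed sample log (not real traffic): 10.0.0.5 sends 150
    ConditionRefresh requests in 30 s; 10.0.0.9 sends 20 spread over an hour."""
    base = datetime(2023, 5, 1, 12, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=200 * i)).isoformat()} 10.0.0.5 ConditionRefresh"
             for i in range(150)]
    lines += [f"{(base + timedelta(minutes=3 * i)).isoformat()} 10.0.0.9 ConditionRefresh"
              for i in range(20)]
    lines.append(f"{base.isoformat()} 10.0.0.5 Read")   # a different service, ignored
    return lines

if __name__ == "__main__":
    # Expected: {'10.0.0.5': 150}; 10.0.0.9 never has more than 1 request per minute
    print(find_condition_refresh_bursts(constructed_log()))
```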
