CVE-2024-6098
📋 TL;DR
CVE-2024-6098 is a resource allocation vulnerability in Kepware products. When the server performs online tag generation against a device that speaks the ControlLogix protocol, a machine-in-the-middle, or a device that is not configured the way the documentation requires, can return responses that crash the Kepware application, causing a denial of service for every client that depends on it. Online tag generation is disabled by default, but a user can enable it through the driver's configuration UI, at which point the server is exposed.
💻 Affected Systems
- Kepware KEPServerEX
- PTC ThingWorx Kepware Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial-of-service causing Kepware application crash, disrupting industrial operations and potentially affecting physical processes.
Likely Case
Temporary service disruption requiring application restart, causing minor operational delays.
If Mitigated
No impact while online tag generation stays disabled (the default). Network segmentation does not remove the flaw, but it makes the machine-in-the-middle position much harder to obtain and limits which devices Kepware will ever talk to.
🎯 Exploit Status
Exploitation requires either a position on the network path between Kepware and a ControlLogix device (machine-in-the-middle) or control of a device that Kepware polls, and it only triggers when online tag generation is run against that device. No authentication to Kepware is involved: the malicious data arrives in protocol responses that Kepware itself requested.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 6.15.286.0 and later
Vendor Advisory: https://www.ptc.com/en/support/article/CS423892
Restart Required: Yes
Instructions:
1. Download the latest version from the PTC support portal.
2. Back up the server configuration.
3. Install the update.
4. Restart the Kepware services.
5. Verify functionality.
🔧 Temporary Workarounds
Disable online tag generation (Windows)
Keep the vulnerable functionality disabled, which is the default configuration.
Configure through the KEPServerEX Configuration UI: disable 'Online Tag Generation' in the ControlLogix driver settings.
Network segmentation (all platforms)
Isolate ControlLogix protocol traffic to trusted networks only.
ControlLogix traffic is carried over EtherNet/IP; Kepware initiates the session to the controller on TCP 44818 (UDP 2222 carries implicit I/O). Write firewall rules so that only the Kepware host and its intended controllers can exchange this traffic, and block inbound 44818 to the Kepware host unless a server-side EtherNet/IP feature is deliberately in use, since nothing should be connecting to it as a CIP client.
🧯 If You Can't Patch
- Ensure online tag generation functions remain disabled in all configurations
- Implement strict network segmentation and firewall rules to limit access to Kepware ControlLogix interfaces
🔍 How to Verify
Check if Vulnerable:
Check the Kepware version in the About dialog or in the registry value this page cites, HKEY_LOCAL_MACHINE\SOFTWARE\PTC\KEPServerEX\Version (the About dialog is authoritative if the two disagree). If the version is below 6.15.286.0 and online tag generation is enabled for a ControlLogix device, the system is vulnerable.
Check Version:
reg query "HKLM\SOFTWARE\PTC\KEPServerEX" /v Version
Verify Fix Applied:
Verify version is 6.15.286.0 or higher and confirm online tag generation functionality is properly restricted.
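The version comparison above is easy to get wrong by hand (a string compare puts "6.9" after "6.15"). The following script is an added example, not part of this page or of PTC's tooling: it reads the registry value quoted above when run on the Windows host (falling back to the standard Uninstall keys, which is an assumption about how the product registers itself), compares the result numerically with the fixed version, and combines it with the operator-supplied online-tag-generation state, which lives in the driver configuration rather than in any documented registry value. Sample version strings in the usage are constructed.

```python
"""Added example (not from the original advisory or PTC): decide whether an
installed KEPServerEX / ThingWorx Kepware Server build is below the fixed
version cited on this page, and whether the vulnerable feature is enabled."""
import sys
from typing import Optional, Tuple

FIXED_VERSION = "6.15.286.0"  # fixed build as stated on this page


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.15.286.0' -> (6, 15, 286, 0). Pads to four parts so '6.15'
    compares as 6.15.0.0; raises ValueError on non-numeric input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts + (0,) * (4 - len(parts))


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    return parse_version(installed) >= parse_version(fixed)


def assess(installed: str, online_tag_generation_enabled: bool) -> str:
    """'patched', 'vulnerable' (old build, feature on) or
    'exposed-if-enabled' (old build, feature off: safe only until toggled)."""
    if is_fixed(installed):
        return "patched"
    return "vulnerable" if online_tag_generation_enabled else "exposed-if-enabled"


def read_installed_version() -> Optional[str]:
    """Windows only. First the value this page cites, then the Uninstall
    keys (assumed location; MSI-installed products normally register there).
    Returns None when winreg is unavailable or nothing is found."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\PTC\KEPServerEX") as k:
            return str(winreg.QueryValueEx(k, "Version")[0])
    except OSError:
        pass
    for root in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                 r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            base = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root)
        except OSError:
            continue
        with base:
            i = 0
            while True:
                try:
                    sub = winreg.EnumKey(base, i)
                except OSError:
                    break
                i += 1
                try:
                    with winreg.OpenKey(base, sub) as k:
                        name = str(winreg.QueryValueEx(k, "DisplayName")[0]).lower()
                        if "kepserverex" in name or "kepware" in name:
                            return str(winreg.QueryValueEx(k, "DisplayVersion")[0])
                except OSError:
                    continue
    return None


if __name__ == "__main__":
    # Usage: python check_cve_2024_6098.py [6.14.0.0] [--online-tag-gen]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    ver = read_installed_version() or (args[0] if args else None)
    if ver is None:
        sys.exit("Kepware version not found; pass it as an argument, e.g. 6.14.0.0")
    print(f"installed {ver}: {assess(ver, '--online-tag-gen' in sys.argv)}")
```

Run it on the Kepware host to read the registry, or on any machine with the version string as an argument; add `--online-tag-gen` if the feature is enabled in the ControlLogix driver settings.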
📡 Detection & Monitoring
Log Indicators:
- Kepware service crashes
- Unusual ControlLogix protocol traffic patterns
- Resource exhaustion warnings in application logs
Network Indicators:
- Abnormal ControlLogix protocol traffic to Kepware ports
- Multiple rapid connection attempts to port 44818
SIEM Query:
(source="kepware.log" AND ("crash" OR "service stopped" OR "resource allocation")) OR (dest_port=44818 AND protocol="ControlLogix" AND abnormal_traffic_pattern)
This is a pseudo-query: the parentheses fix the operator precedence, but the field names, and in particular abnormal_traffic_pattern, must be mapped to whatever your SIEM actually indexes.
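Because the SIEM query above is only pseudo-syntax, the following is an added example (not part of this page) that implements the same three indicators over constructed data: Kepware crash lines in a service log, bursts of session attempts to TCP 44818 between one host pair, and any connection made to the Kepware host on 44818, which should not happen because Kepware is the client in ControlLogix communication. The log lines, host names, timestamps and the service name "KEPServerEX 6" are all made up for the example; the window and threshold are tuning assumptions.

```python
"""Added example, not from the original advisory: apply this page's log and
network indicators to constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

ENIP_PORT = 44818  # EtherNet/IP explicit messaging, used for ControlLogix
# Assumed names of the Kepware service/process; confirm on your install.
KEPWARE_NAMES = ("kepserverex", "kepware", "server_runtime")
CRASH_MARKERS = ("terminated unexpectedly", "crash", "service stopped", "resource allocation")

Conn = Tuple[datetime, str, str, int]  # (time, src, dst, dport)


def crash_events(lines: Iterable[str]) -> List[str]:
    """Lines that mention Kepware and one of the page's crash indicators."""
    hits = []
    for line in lines:
        low = line.lower()
        if any(n in low for n in KEPWARE_NAMES) and any(m in low for m in CRASH_MARKERS):
            hits.append(line)
    return hits


def connection_bursts(conns: Iterable[Conn], window: timedelta,
                      threshold: int) -> Dict[Tuple[str, str], int]:
    """(src, dst) pairs with >= threshold attempts to 44818 inside any
    sliding window; value is the largest count seen in one window."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for t, src, dst, dport in conns:
        if dport == ENIP_PORT:
            by_pair[(src, dst)].append(t)
    flagged = {}
    for pair, times in by_pair.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the left edge
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[pair] = best
    return flagged


def unexpected_inbound(conns: Iterable[Conn], kepware_hosts: Set[str]) -> List[Conn]:
    """Kepware opens the session to the PLC; a connection *to* Kepware on
    44818 means something else is acting as the CIP client."""
    return [c for c in conns if c[3] == ENIP_PORT and c[2] in kepware_hosts]


# Constructed sample log lines (syslog-like, not a real Kepware format).
SAMPLE_LOG = [
    "2024-07-01T10:02:11 kepware01 Service Control Manager: The KEPServerEX 6 service terminated unexpectedly.",
    "2024-07-01T10:02:15 kepware01 KEPServerEX: Runtime service started.",
    "2024-07-01T10:03:40 kepware01 KEPServerEX: ControlLogix driver resource allocation failure during online tag generation.",
    "2024-07-01T10:05:00 kepware01 sshd: Accepted publickey for ops from 10.0.1.9",
]

# Constructed connection records: steady polling of plc01, a reconnect
# storm to plc02, and a stray host connecting to the Kepware server.
_T0 = datetime(2024, 7, 1, 10, 0, 0)
SAMPLE_CONNS: List[Conn] = (
    [(_T0 + timedelta(seconds=60 * i), "kepware01", "plc01", ENIP_PORT) for i in range(3)]
    + [(_T0 + timedelta(seconds=i), "kepware01", "plc02", ENIP_PORT) for i in range(6)]
    + [(_T0 + timedelta(seconds=30), "10.0.5.77", "kepware01", ENIP_PORT)]
    + [(_T0 + timedelta(seconds=31), "10.0.5.77", "kepware01", 502)]
)

if __name__ == "__main__":
    for line in crash_events(SAMPLE_LOG):
        print("crash indicator:", line)
    for pair, n in connection_bursts(SAMPLE_CONNS, timedelta(seconds=10), 5).items():
        print(f"burst: {pair[0]} -> {pair[1]}:{ENIP_PORT}, {n} attempts in 10s")
    for c in unexpected_inbound(SAMPLE_CONNS, {"kepware01"}):
        print("inbound to Kepware on 44818:", c)
```

A reconnect storm from the Kepware host toward one controller is the most likely trace of this bug in practice: after the crash the runtime restarts and immediately retries the same device, so the burst repeats until someone disables online tag generation or the device is fixed.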