CVE-2025-60035
📋 TL;DR
A deserialization vulnerability in the OPC.Testclient utility within Rexroth IndraWorks allows attackers to execute arbitrary code by tricking users into opening malicious files. All versions prior to 15V24 are affected, potentially compromising industrial control systems. This requires user interaction but leads to full system control.
💻 Affected Systems
- Rexroth IndraWorks with OPC.Testclient utility
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over industrial equipment, potentially causing physical damage, production disruption, or safety incidents.
Likely Case
Attacker gains initial foothold on engineering workstation, then pivots to other systems in the industrial network to steal intellectual property or disrupt operations.
If Mitigated
Limited to isolated engineering workstation with no network connectivity to production systems, containing damage to single system.
🎯 Exploit Status
Requires social engineering to deliver malicious file and user interaction to open it. Deserialization vulnerabilities are commonly exploited once details are known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15V24
Vendor Advisory: https://psirt.bosch.com/security-advisories/BOSCH-SA-591522.html
Restart Required: Yes
Instructions:
1. Download Rexroth IndraWorks version 15V24 from official Bosch Rexroth sources.
2. Back up the current configuration and data.
3. Install the update following vendor documentation.
4. Restart the system.
5. Verify the update was successful.
🔧 Temporary Workarounds
Remove OPC.Testclient utility
Windows: Uninstall the vulnerable OPC.Testclient component if it is not required for operations
Use Windows Control Panel > Programs and Features to uninstall OPC.Testclient
Restrict file execution
Windows: Block execution of OPC.Testclient files via application control policies
Configure Windows AppLocker or similar to block OPC.Testclient executables
🧯 If You Can't Patch
- Implement strict user training against opening untrusted files and enable macro/script warnings
- Segment industrial networks to isolate engineering workstations from production systems and corporate networks
🔍 How to Verify
Check if Vulnerable:
Check the IndraWorks version in Control Panel > Programs and Features. If the version is earlier than 15V24 and OPC.Testclient is installed, the system is vulnerable.
Check Version:
wmic product where name like "%IndraWorks%" get version
Verify Fix Applied:
Verify installed version is 15V24 or later in Control Panel > Programs and Features and confirm OPC.Testclient is either updated or removed.
📡 Detection & Monitoring
Log Indicators:
- Unexpected process creation from OPC.Testclient
- File access errors or crashes in OPC.Testclient logs
- Windows Event Log entries showing OPC.Testclient abnormal termination
Network Indicators:
- Unusual outbound connections from engineering workstations
- OPC communication to unexpected endpoints
SIEM Query:
source="windows" AND (process_name="*OPC*" OR process_name="*Testclient*") AND (event_id=4688 OR event_id=1)
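The version check above and the first log indicator ("unexpected process creation from OPC.Testclient") as an added example, not code from the advisory or from Bosch Rexroth. It assumes IndraWorks version strings follow the "15V24" layout (major, literal V, minor) and works on constructed process-creation records with the fields the SIEM query relies on (Security 4688 or Sysmon 1); the host names and paths are made up.

```python
import re
from typing import Iterable

# Constructed sample of process-creation events (Security 4688 / Sysmon 1),
# reduced to the fields the indicator needs. These are not real logs.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "ENG-WS01",
     "parent": r"C:\Program Files\Rexroth\IndraWorks\OPC.Testclient.exe",
     "new_process": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 4688, "host": "ENG-WS01",
     "parent": r"C:\Windows\explorer.exe",  # user launching the tool: normal
     "new_process": r"C:\Program Files\Rexroth\IndraWorks\OPC.Testclient.exe"},
    {"event_id": 1, "host": "ENG-WS02",
     "parent": r"C:\Program Files\Rexroth\IndraWorks\OPC.Testclient.exe",
     "new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 4624, "host": "ENG-WS02", "parent": "", "new_process": ""},
]

PATCHED = (15, 24)                              # fixed release 15V24 from the advisory
VERSION_RE = re.compile(r"^(\d+)V(\d+)$")       # assumed layout of "15V24"-style versions


def is_vulnerable_version(version: str) -> bool:
    """True when an IndraWorks version string sorts before the fixed release 15V24."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IndraWorks version string: {version!r}")
    return (int(m.group(1)), int(m.group(2))) < PATCHED


def suspicious_spawns(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (host, child) pairs where OPC.Testclient is the *parent* of a new process.

    The utility being started is routine; it launching another program after
    opening a file is the behaviour the advisory's indicator describes.
    """
    hits = []
    for ev in events:
        if ev.get("event_id") not in (4688, 1):   # same event IDs as the SIEM query
            continue
        if ev.get("parent", "").lower().endswith("\\opc.testclient.exe"):
            hits.append((ev["host"], ev["new_process"]))
    return hits


if __name__ == "__main__":
    for host, child in suspicious_spawns(SAMPLE_EVENTS):
        print(f"{host}: OPC.Testclient spawned {child}")
    print("15V22 vulnerable:", is_vulnerable_version("15V22"))
```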