CVE-2024-6098 PTC CVE debrief

Who should care

Industrial control system operators using PTC Kepware products for Allen-Bradley ControlLogix PLC connectivity; manufacturing network security teams; OT security auditors assessing Kepware deployments

Technical summary

The vulnerability exists in the online tag generation functionality for ControlLogix protocol devices. When enabled, this feature accepts device responses during tag discovery without proper resource limits. An attacker with adjacent network access (or a misconfigured legitimate device) can send a malformed response causing unregulated memory or resource allocation, resulting in application crash. Attack complexity is high due to the need for specific protocol positioning and the feature being disabled by default. No confidentiality or integrity impact; availability impact is high.

Defensive priority

medium

Recommended defensive actions

• Verify whether ControlLogix online tag generation is enabled in your Kepware deployment; disable if not required for operations
• Apply defense-in-depth network segmentation to manufacturing networks with strict access controls
• Follow the Kepware Secure Deployment Guide for proper product configuration
• Review PTC support article CS423892 for environment-specific mitigation guidance (PTC account required)
• Contact PTC Technical Support if additional assistance is needed

Evidence notes

CISA ICS advisory ICSA-24-228-11 published 2024-08-15 identifies four affected product variants: PTC Kepware ThingWorx Kepware Server V6, PTC Kepware KEPServerEX V6, Software Toolbox TOP Server V6, and GE IGS V7.6x. The advisory confirms the vulnerability exists in the ControlLogix protocol online tag generation feature and requires either a machine-in-the-middle position or a misconfigured device to exploit.

Official resources