PatchSiren cyber security CVE debrief
CVE-2023-3825 Rockwell Automation CVE debrief
Rockwell Automation KEPServerEX versions 6.0 through 6.14.263 are affected by a denial-of-service weakness in OPC UA message decoding. According to the CISA advisory, the software does not check whether an object is recursively defined, so a specially crafted message can drive the decoder into repeated processing until the stack overflows and the device crashes. The issue is rated HIGH and is addressed by upgrading to KEPServer 6.15 or later.
- Vendor: Rockwell Automation
- Product: KEPServer
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-01-30
- Original CVE updated: 2025-01-30
- Advisory published: 2025-01-30
- Advisory updated: 2025-01-30
Who should care
Industrial control system operators, OT engineers, plant administrators, and security teams responsible for Rockwell Automation KEPServerEX deployments should prioritize this advisory, especially where OPC UA connectivity is exposed on production or segmented control networks.
Technical summary
The advisory states that KEPServerEX uses OPC UA object types that can be nested into complex arrays, but it does not verify whether an incoming object is recursively defined. An attacker able to send a maliciously crafted OPC UA message could trigger uncontrolled resource consumption during decoding, leading to stack overflow and a device crash. The supplied CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates a network-reachable availability impact without privileges or user interaction.
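The defect class described above (a decoder that follows nested objects without bounding how deep it goes) and its remedy (a depth check applied before each recursive step) can be shown on a small scale. The following is an added illustration written for this debrief; it is not Rockwell Automation's code, not the OPC UA binary encoding, and the two-tag wire format, the tag values, the 32-level budget and the helper names are all constructed for the example.

```python
"""Depth-bounded decoder for a tiny nested binary format.

Added example for this debrief, not Rockwell Automation's or any OPC UA
stack's code. It models the defect class the advisory describes (a decoder
that recurses into nested objects without a bound) and the fix (a depth
check). The wire format is constructed for illustration only:

  0x01 <count:u8> <element>*count   container holding `count` elements
  0x02 <value:i32 little-endian>     integer leaf
"""
import struct

TAG_CONTAINER = 0x01
TAG_INT32 = 0x02
DEFAULT_MAX_DEPTH = 32  # assumed budget; a real decoder sizes this to its stack


class DecodeError(ValueError):
    """Raised for malformed input or for nesting beyond the allowed depth."""


def _decode_at(buf: bytes, pos: int, depth: int, max_depth: int):
    """Decode one value starting at `pos`; return (value, next_pos)."""
    if depth > max_depth:
        # Reject before recursing any further. This is the missing check the
        # advisory describes: it turns unbounded stack growth into a clean error.
        raise DecodeError(f"nesting depth {depth} exceeds limit {max_depth}")
    if pos >= len(buf):
        raise DecodeError("truncated input")
    tag = buf[pos]
    if tag == TAG_INT32:
        if pos + 5 > len(buf):
            raise DecodeError("truncated int32")
        (value,) = struct.unpack_from("<i", buf, pos + 1)
        return value, pos + 5
    if tag == TAG_CONTAINER:
        if pos + 2 > len(buf):
            raise DecodeError("truncated container header")
        count = buf[pos + 1]
        pos += 2
        items = []
        for _ in range(count):
            # Each nested element is one level deeper than its container.
            item, pos = _decode_at(buf, pos, depth + 1, max_depth)
            items.append(item)
        return items, pos
    raise DecodeError(f"unknown tag 0x{tag:02x} at offset {pos}")


def decode(buf: bytes, max_depth: int = DEFAULT_MAX_DEPTH):
    """Decode a complete message; trailing bytes are treated as an error."""
    value, end = _decode_at(buf, 0, 1, max_depth)
    if end != len(buf):
        raise DecodeError(f"{len(buf) - end} trailing bytes")
    return value


def encode_int32(value: int) -> bytes:
    return bytes([TAG_INT32]) + struct.pack("<i", value)


def encode_container(*elements: bytes) -> bytes:
    if len(elements) > 255:
        raise ValueError("too many elements for a u8 count")
    return bytes([TAG_CONTAINER, len(elements)]) + b"".join(elements)


def nested(levels: int) -> bytes:
    """Constructed test input: `levels` containers wrapped around one integer."""
    msg = encode_int32(7)
    for _ in range(levels):
        msg = encode_container(msg)
    return msg


def try_decode(buf: bytes, max_depth: int = DEFAULT_MAX_DEPTH) -> str:
    """Return 'ok' or the DecodeError text, so the rejection reason is visible."""
    try:
        decode(buf, max_depth)
        return "ok"
    except DecodeError as exc:
        return str(exc)


if __name__ == "__main__":
    print(decode(encode_container(encode_int32(1), encode_container(encode_int32(2)))))
    print(try_decode(nested(10)))    # ok
    print(try_decode(nested(5000)))  # rejected at depth 33, long before the stack is at risk
```

The point of `try_decode(nested(5000))` is that the input is refused after 33 recursive calls regardless of how deeply it is nested; without the `depth > max_depth` guard the same call would keep recursing until the interpreter's own recursion limit fires, which in a native decoder with no such backstop is the stack exhaustion and crash the advisory describes. The depth budget belongs on the decoder, not on the sender's declared structure, because the whole problem is that the declared structure cannot be trusted.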
Defensive priority
High for availability and OT resilience. This is a network-reachable denial-of-service condition in industrial software, so patching should be prioritized in environments where KEPServerEX supports production control, monitoring, or data collection.
Recommended defensive actions
- Upgrade Rockwell Automation KEPServer to version 6.15 or higher.
- Confirm which systems run affected KEPServerEX versions 6.0 through 6.14.263 and track them as impacted assets.
- Restrict and segment OPC UA access to only required hosts and networks.
- Apply Rockwell Automation and CISA industrial control system security best practices where feasible.
- Use stakeholder-specific vulnerability categorization to prioritize remediation based on the local OT environment.
Evidence notes
CISA’s CSAF advisory ICSA-25-030-04 identifies Rockwell Automation KEPServerEX versions 6.0 to 6.14.263 as affected. The advisory describes a recursive-object handling flaw in OPC UA decoding that can cause uncontrolled resource consumption, stack overflow, and device crash. The remediated version listed in the advisory is KEPServer 6.15 or higher. No Known Exploited Vulnerabilities (KEV) listing was provided in the supplied data.
Official resources
- CVE-2023-3825 CVE record (CVE.org)
- CVE-2023-3825 NVD detail (NVD)
- Source item URL: cisa_csaf
Publicly disclosed by CISA in advisory ICSA-25-030-04 on 2025-01-30, the same date recorded for the CVE publication in the supplied timeline.