KEPServerEX Unvalidated Client Certs Enable Unauth Connections
CVE-2023-5909 Published on November 30, 2023

Improper Validation of Certificate with Host Mismatch in PTC KEPServerEx
KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.

NVD

Vulnerability Analysis

CVE-2023-5909 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Improper Validation of Certificate with Host Mismatch

The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.


Products Associated with CVE-2023-5909

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-5909 are published in these products:

Ptc Thingworx Industrial Connectivity
 
Softwaretoolbox Top Server
 
GE Industrial Gateway Server
 
Rockwellautomation Kepserver Enterprise
 
Ptc Thingworx Kepware Edge
 
Ptc Opc Aggregator
 
Ptc Thingworx Kepware Server
 
Ptc Keepserverex
 

Affected Versions

PTC KEPServerEX: PTC ThingWorx Kepware Server: PTC ThingWorx Industrial Connectivity: PTC OPC-Aggregator: PTC ThingWorx Kepware Edge: Rockwell Automation KEPServer Enterprise: GE Gigital Industrial Gateway Server: Software Toolbox TOP Server:

Exploit Probability

EPSS
0.08%
Percentile
23.08%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.