Patched: RCE Flaw That Affects Critical Manufacturing

Hackers Have Not Yet Exploited the CVSS 10-Rated Flaw, Says PTC
Patched: RCE Flaw That Affects Critical Manufacturing
Image: Shutterstock

Software maker for critical manufacturing organizations PTC patched a critical flaw that could allow hackers to execute arbitrary commands on a system server, days after the U.S. cybersecurity watchdog published a vulnerability advisory.

See Also: SBOM and Connected Device Security

The product life cycle management solutions provider said the CVSS 10-rated vulnerability affects the license server in its Creo Elements/Direct product, which is a direct modeling CAD software used to create 3D designs.

Hackers can remotely exploit the vulnerability, tracked as CVE-2024-6071, in the license server that exposes a web interface to execute arbitrary commands on the underlying server. They can also move laterally in systems of critical manufacturing as well as global industrial organizations such as Volvo, Lufthansa, Medtronic, HP, Merck and GE, which use the software.

Thomas Riedmaier of Siemens Energy discovered the flaw, which affects versions 20.7.0.0 and earlier.

In an industrial control systems advisory published in late June, the Cybersecurity and Infrastructure Security Agency says the tool is widely used in critical manufacturing.

The impact of the exploitation varies based on where the license server is deployed and what access it provides. PTC said it has "no indication nor has been made aware that this vulnerability has or is being exploited."

Riedmaier told SecurityWeek that the affected license server is typically not exposed to the internet, so an attacker would need to already have access to an organization's network to exploit the flaw.


About the Author

Rashmi Ramesh

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing devicesecurity.io, you agree to our use of cookies.