Critical Infrastructure Security
Hackers Have Not Yet Exploited the CVSS 10-Rated Flaw, Says PTC
PTC, a software maker for critical manufacturing organizations, patched a critical flaw that could allow hackers to execute arbitrary commands on a system server, days after the U.S. cybersecurity watchdog published a vulnerability advisory.
The product life cycle management solutions provider said the CVSS 10-rated vulnerability affects the license server in its Creo Elements/Direct product, direct modeling CAD software used to create 3D designs.
The vulnerability, tracked as CVE-2024-6071, is in the license server, which exposes a web interface that hackers can use remotely to execute arbitrary commands on the underlying server. They can also move laterally within the systems of critical manufacturing and global industrial organizations that use the software, such as Volvo, Lufthansa, Medtronic, HP, Merck and GE.
Thomas Riedmaier of Siemens Energy discovered the flaw, which affects versions 20.7.0.0 and earlier.
In an industrial control systems advisory published in late June, the Cybersecurity and Infrastructure Security Agency says the tool is widely used in critical manufacturing.
The impact of exploitation varies based on where the license server is deployed and what access it provides. PTC said it has “no indication nor has been made aware that this vulnerability has or is being exploited.”
Riedmaier told SecurityWeek that the affected license server is typically not exposed to the internet, so an attacker would need to already have access to an organization’s network to exploit the flaw.