CVE-2023-39479 in Secure Integration Server
Summary
by MITRE • 05/03/2024
Softing Secure Integration Server OPC UA Gateway Directory Creation Vulnerability. This vulnerability allows remote attackers to create directories on affected installations of Softing Secure Integration Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the handling of FileDirectory OPC UA Objects. The issue results from allowing unauthorized access to the filesystem. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20548.
Analysis
by VulDB Data Team • 08/12/2025
CVE-2023-39479 is a critical directory creation flaw in the OPC UA Gateway of Softing Secure Integration Server that undermines the security boundaries of industrial control systems. The flaw lies in the handling of FileDirectory OPC UA Objects, where the software does not properly validate directory creation requests. Exploitation nominally requires authentication, but the authentication mechanism itself contains weaknesses that let an attacker bypass it entirely, so that protection offers little in practice. The vulnerability is classified under CWE-22, improper limitation of a pathname to a restricted directory, commonly known as path traversal: a client can drive the server into manipulating the file system through the OPC UA interface, a protocol otherwise intended for secure industrial communication.
Exploitation abuses the OPC UA protocol's legitimate file system operations to gain unauthorized access. Once the authentication check is bypassed, an attacker can create directories in locations where they should have no write permission, breaking the principle of least privilege on which industrial security architectures depend. Directories created in system locations can serve as a foothold for persistence and for staging malicious code. The exposure is greatest in industrial environments where OPC UA gateways bridge operational technology and information technology networks, and it is amplified by the protocol's wide use in manufacturing, energy and process control, where the integrity of the gateway directly affects operational safety and security.
The operational impact goes beyond directory creation: in conjunction with other vulnerabilities, the flaw allows arbitrary code execution with root privileges, a complete compromise of the affected host. The escalation path runs through the attacker's ability to create directories that can then be used to install malicious software or modify existing system components. An attacker needs some level of access to the system, but because the authentication mechanism can be bypassed, even limited access can be turned into full system control. For industrial control systems this means a risk of operational disruption, safety hazards and physical damage to equipment. The identifier ZDI-CAN-20548 records that the Zero Day Initiative tracked this issue as a serious security concern for industrial cybersecurity infrastructure.
Organizations should apply immediate mitigations: segment the network so that OPC UA services are reachable only from where they must be, enforce strong authentication, and monitor for unexpected directory creation. The vulnerability also illustrates the relevance of the ATT&CK technique T1059.007 (command and script interpreter), since attackers can use the directory creation to establish persistent access and then execute code. File integrity monitoring that reports unauthorized file system modifications and directory creation events gives security teams a detection point. Regular security assessments of OPC UA implementations should look for similar authentication bypasses that would grant the same level of system access. Finally, the flaw lies in the application's file system handling rather than in the network protocol, so industrial cybersecurity frameworks must cover application-level controls as well as network-level ones.
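The CWE-22 containment check the analysis calls for, as an added example that is not Softing's code: a server-side validation applied to a client-supplied DirectoryName before a FileDirectory object creates anything on disk. The function names, the exposed root path and the assumption that the request carries a relative name are hypothetical.

```python
import os


class PathRejected(ValueError):
    """Raised when a requested directory name would escape the FileDirectory root."""


def resolve_directory_request(root: str, directory_name: str) -> str:
    """Map a client-supplied DirectoryName onto the filesystem, refusing traversal.

    Hypothetical server-side check: ``root`` is the directory the OPC UA
    FileDirectory object is allowed to expose.  Returns the absolute path that
    may be created, or raises PathRejected.  Nested relative names such as
    "logs/2024" are accepted; absolute paths, NUL bytes and anything that
    normalises to the root itself or outside it are not.
    """
    if not directory_name or "\x00" in directory_name:
        raise PathRejected("empty name or NUL byte in name")
    if os.path.isabs(directory_name) or directory_name.startswith(("\\", "/")):
        raise PathRejected(f"absolute path supplied: {directory_name!r}")
    root_abs = os.path.normpath(os.path.abspath(root))
    # normpath collapses "." and ".." so the containment test below sees the
    # path the OS would actually use, not the string the client sent.
    candidate = os.path.normpath(os.path.join(root_abs, directory_name))
    if candidate == root_abs or os.path.commonpath([root_abs, candidate]) != root_abs:
        raise PathRejected(f"{candidate} is not strictly inside {root_abs}")
    return candidate


def is_directory_request_safe(root: str, directory_name: str) -> bool:
    """Boolean convenience wrapper for monitoring or unit tests."""
    try:
        resolve_directory_request(root, directory_name)
        return True
    except PathRejected:
        return False


def create_directory(root: str, directory_name: str) -> str:
    """Create the validated directory; also refuses symlinked parents that
    resolve outside the root (the string check alone cannot see those)."""
    target = resolve_directory_request(root, directory_name)
    real_root = os.path.realpath(root)
    real_parent = os.path.realpath(os.path.dirname(target))
    if os.path.commonpath([real_root, real_parent]) != real_root:
        raise PathRejected(f"parent of {target} resolves outside {real_root}")
    os.mkdir(target)  # hypothetical: real handler would also map OS errors to UA status codes
    return target
```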