CVE-2025-1468 in Runtime Toolkitinfo

Summary

by MITRE • 03/18/2025

An unauthenticated remote attacker can gain access to sensitive information including authentication information when using CODESYS OPC UA Server with the non-default Basic128Rsa15 security policy.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 03/18/2025

The vulnerability identified as CVE-2025-1468 represents a critical security flaw in CODESYS OPC UA Server implementations that operate with the non-default Basic128Rsa15 security policy. This issue affects industrial control systems and automation environments where OPC UA (Open Platform Communications Unified Architecture) servers are deployed to facilitate communication between industrial devices and monitoring systems. The vulnerability stems from inadequate authentication mechanisms that allow unauthenticated remote attackers to access sensitive information, including authentication credentials and other confidential data. This poses significant risks to operational technology environments where system integrity and data confidentiality are paramount for industrial processes and safety operations.

The technical root cause of this vulnerability lies in the improper implementation of security policies within the CODESYS OPC UA Server software. Specifically, when the Basic128Rsa15 security policy is configured, the server fails to properly enforce authentication requirements for certain communication channels or data access points. This weakness creates an attack vector where remote adversaries can exploit the server without requiring valid credentials to access protected resources. The vulnerability is particularly concerning because it affects a non-default security policy, suggesting that organizations may be running configurations that were not initially intended to be exposed to the public network, yet still contain critical flaws in their implementation. The flaw enables attackers to potentially extract authentication information that could be used for further lateral movement or system compromise within industrial environments.

The operational impact of CVE-2025-1468 extends beyond simple information disclosure to potentially enable full system compromise in industrial control environments. Attackers who successfully exploit this vulnerability could gain access to authentication credentials that would allow them to impersonate legitimate users or systems within the OPC UA network. This access could lead to unauthorized modification of industrial processes, data manipulation, or complete system control, which could result in production disruptions, safety hazards, or financial losses. The vulnerability particularly affects environments using CODESYS software for industrial automation, where OPC UA servers are commonly deployed to connect various industrial devices and control systems. Organizations operating in critical infrastructure sectors such as manufacturing, energy, and process control are especially vulnerable to this type of attack, as the compromised systems could directly impact physical operations and safety protocols.

Mitigation strategies for CVE-2025-1468 should prioritize immediate configuration changes to address the security policy implementation. Organizations should disable or properly configure the Basic128Rsa15 security policy in CODESYS OPC UA Server installations, particularly when these systems are exposed to untrusted networks. The recommended approach involves implementing stronger security policies such as Basic256Sha256 or higher, ensuring that authentication requirements are properly enforced, and limiting network exposure of OPC UA servers through network segmentation and access controls. Additionally, organizations should implement continuous monitoring of OPC UA server communications to detect anomalous access patterns or unauthorized attempts to access sensitive information. This vulnerability aligns with CWE-310 and ATT&CK techniques related to credential access and privilege escalation, emphasizing the need for comprehensive security measures that address both network-level protections and application-level authentication controls. Regular security assessments and vulnerability scanning of industrial control systems should be conducted to identify and remediate similar configuration weaknesses across the operational technology infrastructure.

Responsible

CERTVDE

Reservation

02/19/2025

Disclosure

03/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00564

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!