{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Embedded PC Images", "vendor": "Beckhoff", "versions": [ { "lessThan": "October 22, 2014", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "defaultStatus": "unaffected", "product": "TwinCAT Components featuring Automation Device Specification (ADS) communication", "vendor": "Beckhoff", "versions": [ { "status": "affected", "version": "All" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Gregor Bonney from FH Aachen University of Applied Sciences" } ], "datePublic": "2016-10-04T06:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "
Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components do not restrict the number of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack.
" } ], "value": "Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components do not restrict the number of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-307", "description": "CWE-307", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-11-04T23:09:34.639Z" }, "references": [ { "name": "93349", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/93349" }, { "url": "https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-001.pdf" }, { "url": "https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-002.pdf" }, { "url": "https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-003.pdf" }, { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-16-278-02" }, { "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2016/icsa-16-278-02.json" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Beckhoff recommends in their IPC Security Manual \n(https://download.beckhoff.com/download/Document/ipc/industrial-pc/ipc_security_en.pdf)\n to use network and software firewalls to block all network ports except\n the ones that are needed. Beckhoff also recommends that default \npasswords be changed during commissioning before connecting systems to \nthe network.
\nIn their advisories (Advisory 2014-001: Potential \nmisuse of several administrative services, \nhttps://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-001.pdf. Advisory 2014-002: ADS communication port allows password bruteforce, \nhttps://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-002.pdf. Advisory2014-003: Recommendation to change default passwords, \nhttps://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-003.pdf which were published November \n17, 2014) for these issues, Beckhoff also recommends the following \nmitigation solutions:
\n