CVE-2023-29444 - Vulnerability Details - OpenCVE

An uncontrolled search path element vulnerability (DLL hijacking) has been discovered that could allow a locally authenticated adversary to escalate privileges to SYSTEM. Alternatively, they could host a trojanized version of the software and trick victims into downloading and installing their malicious version to gain initial access and code execution.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Ptc	Kepware Kepserverex Thingworx Industrial Connectivity Thingworx Kepware Server

Configuration 1 [-]

cpe:2.3:a:ptc:kepware_kepserverex:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:ptc:thingworx_kepware_server:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:ptc:thingworx_industrial_connectivity:*:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03
https://www.ptc.com/en/support/article/cs399528

History

Wed, 14 May 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Dragos

Published: 2024-01-10T17:06:35.965Z

Updated: 2025-05-14T20:14:19.414Z

Reserved: 2023-04-06T17:45:40.441Z

Link: CVE-2023-29444

Vulnrichment

Updated: 2024-08-02T14:07:46.269Z

NVD

Status : Modified

Published: 2024-01-10T17:15:08.493

Modified: 2024-11-21T07:57:04.190

Link: CVE-2023-29444

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-29444", "assignerOrgId": "12bdf821-1545-4a87-aac5-61670cc6fcef", "state": "PUBLISHED", "assignerShortName": "Dragos", "dateReserved": "2023-04-06T17:45:40.441Z", "datePublished": "2024-01-10T17:06:35.965Z", "dateUpdated": "2025-05-14T20:14:19.414Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "Kepware KEPServerEX", "vendor": "PTC", "versions": [{"lessThanOrEqual": "6.14.263.0", "status": "affected", "version": "0", "versionType": "0"}]}, {"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "ThingWorx Kepware Server", "vendor": "PTC", "versions": [{"lessThanOrEqual": "6.14.263.0", "status": "affected", "version": "0", "versionType": "0"}]}, {"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "ThingWorx Industrial Connectivity", "vendor": "PTC", "versions": [{"lessThanOrEqual": "8.5", "status": "affected", "version": "8.0", "versionType": "0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Sam Hanson of Dragos"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An uncontrolled search path element vulnerability (DLL hijacking) has been discovered that could allow a locally authenticated adversary to escalate privileges to SYSTEM. Alternatively, they could host a trojanized version of the software and trick victims into downloading and installing their malicious version to gain initial access and code execution."}], "value": "An uncontrolled search path element vulnerability (DLL hijacking) has been discovered that could allow a locally authenticated adversary to escalate privileges to SYSTEM. Alternatively, they could host a trojanized version of the software and trick victims into downloading and installing their malicious version to gain initial access and code execution."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "12bdf821-1545-4a87-aac5-61670cc6fcef", "shortName": "Dragos", "dateUpdated": "2024-01-10T17:06:35.965Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03"}, {"tags": ["vendor-advisory"], "url": "https://www.ptc.com/en/support/article/cs399528"}], "source": {"discovery": "EXTERNAL"}, "title": "Uncontrolled Search Path Element in PTC's Kepware KEPServerEX", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:07:46.269Z"}, "title": "CVE Program Container", "references": [{"tags": ["government-resource", "x_transferred"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.ptc.com/en/support/article/cs399528"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-14T20:14:08.179087Z", "id": "CVE-2023-29444", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T20:14:19.414Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03", "tags": ["government-resource", "x_transferred"]}, {"url": "https://www.ptc.com/en/support/article/cs399528", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:07:46.269Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-29444", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-14T20:14:08.179087Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T20:14:12.449Z"}}], "cna": {"title": "Uncontrolled Search Path Element in PTC's Kepware KEPServerEX", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Sam Hanson of Dragos"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PTC", "product": "Kepware KEPServerEX", "versions": [{"status": "affected", "version": "0", "versionType": "0", "lessThanOrEqual": "6.14.263.0"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}, {"vendor": "PTC", "product": "ThingWorx Kepware Server", "versions": [{"status": "affected", "version": "0", "versionType": "0", "lessThanOrEqual": "6.14.263.0"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}, {"vendor": "PTC", "product": "ThingWorx Industrial Connectivity", "versions": [{"status": "affected", "version": "8.0", "versionType": "0", "lessThanOrEqual": "8.5"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03", "tags": ["government-resource"]}, {"url": "https://www.ptc.com/en/support/article/cs399528", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An uncontrolled search path element vulnerability (DLL hijacking) has been discovered that could allow a locally authenticated adversary to escalate privileges to SYSTEM. Alternatively, they could host a trojanized version of the software and trick victims into downloading and installing their malicious version to gain initial access and code execution.", "supportingMedia": [{"type": "text/html", "value": "An uncontrolled search path element vulnerability (DLL hijacking) has been discovered that could allow a locally authenticated adversary to escalate privileges to SYSTEM. Alternatively, they could host a trojanized version of the software and trick victims into downloading and installing their malicious version to gain initial access and code execution.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "12bdf821-1545-4a87-aac5-61670cc6fcef", "shortName": "Dragos", "dateUpdated": "2024-01-10T17:06:35.965Z"}}}, "cveMetadata": {"cveId": "CVE-2023-29444", "state": "PUBLISHED", "dateUpdated": "2025-05-14T20:14:19.414Z", "dateReserved": "2023-04-06T17:45:40.441Z", "assignerOrgId": "12bdf821-1545-4a87-aac5-61670cc6fcef", "datePublished": "2024-01-10T17:06:35.965Z", "assignerShortName": "Dragos"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ptc:kepware_kepserverex:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE266C92-959F-41CE-A8DA-DC3D336BC169", "versionEndIncluding": "6.14.263.0", "versionStartIncluding": "6.0.2107.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ptc:thingworx_kepware_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "99455409-195C-418C-A227-E9C67E70C2F3", "versionEndIncluding": "6.14.263.0", "versionStartIncluding": "6.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ptc:thingworx_industrial_connectivity:*:*:*:*:*:*:*:*", "matchCriteriaId": "10F80877-E2FA-4800-B4EB-BC87E35A9441", "versionEndIncluding": "8.5", "versionStartIncluding": "8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An uncontrolled search path element vulnerability (DLL hijacking) has been discovered that could allow a locally authenticated adversary to escalate privileges to SYSTEM. Alternatively, they could host a trojanized version of the software and trick victims into downloading and installing their malicious version to gain initial access and code execution."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad de elemento de ruta de b\u00fasqueda no controlada (secuestro de DLL) que podr\u00eda permitir a un adversario autenticado localmente escalar privilegios a SYSTEM. Alternativamente, podr\u00edan alojar una versi\u00f3n con troyano del software y enga\u00f1ar a las v\u00edctimas para que descarguen e instalen su versi\u00f3n maliciosa para obtener acceso inicial y ejecuci\u00f3n del c\u00f3digo."}], "id": "CVE-2023-29444", "lastModified": "2024-11-21T07:57:04.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.3, "impactScore": 5.9, "source": "ot-cert@dragos.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-10T17:15:08.493", "references": [{"source": "ot-cert@dragos.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03"}, {"source": "ot-cert@dragos.com", "tags": ["Vendor Advisory"], "url": "https://www.ptc.com/en/support/article/cs399528"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.ptc.com/en/support/article/cs399528"}], "sourceIdentifier": "ot-cert@dragos.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "ot-cert@dragos.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-427"}], "source": "nvd@nist.gov", "type": "Primary"}]}