Cyber Resilience

CVE-2023-0755

Critical

Published: 23 February 2023
Modified: 21 November 2024
KEV Added: not listed
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0818 (92.4th percentile)
Risk Priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-0755 is a critical-severity Improper Validation of Array Index (CWE-129) vulnerability in GE Digital Industrial Gateway Server. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 7.6% of CVEs by exploit likelihood (EPSS 0.0818, 92.4th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-0755 is an improper array index validation vulnerability, tracked under CWE-129, that affects several industrial connectivity products from GE Digital, PTC and Rockwell Automation (listed under Affected Assets below). The flaw carries a CVSS 3.1 base score of 9.8 and can cause the server to crash or permit remote arbitrary code execution.

An unauthenticated attacker can exploit the issue over the network without user interaction or credentials, resulting in complete loss of confidentiality, integrity, and availability on the affected system.

The associated CISA advisory ICSA-23-054-01 outlines mitigation steps for the impacted products. The EPSS score has remained flat at 0.0818 since disclosure, indicating no material increase in observed exploitation interest.

Vulnerability details

The affected products are vulnerable to an improper validation of array index, which could allow an attacker to crash the server and remotely execute arbitrary code.

CWE(s)

CWE-129: Improper Validation of Array Index

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor               Product                            Affected versions
GE Digital           Industrial Gateway Server          ≤ 7.612
PTC                  Kepware Server                     ≤ 6.12
PTC                  Kepware ServerEX                   ≤ 6.12
PTC                  ThingWorx .NET SDK                 ≤ 5.8.4.971
PTC                  ThingWorx Edge C-SDK               ≤ 2.2.12.1052
PTC                  ThingWorx Edge MicroServer         ≤ 5.4.10.0
PTC                  ThingWorx Industrial Connectivity  all versions
PTC                  ThingWorx Kepware Edge             ≤ 1.5
Rockwell Automation  KEPServer Enterprise               ≤ 6.12

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.