CyberHappenings logo
☰

OPC UA Protocol Vulnerabilities Exposed at DEF CON 33

First reported
Last updated
📰 1 unique sources, 1 articles

Summary

Hide ▲

Researcher Tom Tervoort presented vulnerabilities in the OPC UA protocol at DEF CON 33. OPC UA, widely used in industrial settings, has cryptographic flaws that allow attackers to bypass authentication and potentially compromise industrial systems. The vulnerabilities affect multiple vendors and have been addressed through patches and configuration changes. The OPC UA protocol, introduced in 2006, is used in operational technology (OT) settings and as a bridge between OT and IT/cloud environments. Its cryptographic design, while redundant, contains exploitable holes that can be leveraged by attackers to compromise industrial systems. Tervoort's research revealed several vulnerabilities, including issues with message formatting and the use of deprecated encryption standards. These flaws can be exploited to bypass authentication and secure channel handshakes, potentially leading to unauthorized access and control of industrial systems.

Timeline

  1. 11.08.2025 19:08 📰 1 articles

    OPC UA Protocol Vulnerabilities Disclosed at DEF CON 33

    Researcher Tom Tervoort presented vulnerabilities in the OPC UA protocol at DEF CON 33. The protocol, used in industrial settings, has cryptographic flaws that allow attackers to bypass authentication and potentially compromise industrial systems. The vulnerabilities affect multiple vendors and have been addressed through patches and configuration changes. The research revealed that the protocol's cryptographic design is redundant and contains exploitable holes. These issues can be mitigated by disabling certain features and applying vendor patches. The OPC Foundation assisted in disclosing the vulnerabilities to relevant vendors and implementing fixes.

    Show sources

Information Snippets

Similar Happenings

Active exploitation of TP-Link TL-WA855RE Wi-Fi range extender vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of a missing authentication vulnerability in TP-Link TL-WA855RE Wi-Fi range extender products. The flaw, tracked as CVE-2020-24363, allows attackers on the same network to send unauthenticated requests for a factory reset and reboot, potentially gaining administrative access. The vulnerability was disclosed in August 2020 and has been resolved by TP-Link in firmware updates. However, the product is now discontinued, and users are advised to discontinue its use. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to address it by September 23, 2025. On September 4, 2025, CISA added two additional TP-Link router vulnerabilities, CVE-2023-50224 and CVE-2025-9377, to its KEV catalog, noting evidence of active exploitation. These vulnerabilities affect multiple TP-Link router models, some of which have reached end-of-life status. TP-Link released firmware updates in November 2024 to address these issues, but recommends upgrading to newer hardware for enhanced protection.

Apple zero-day flaw in Image I/O framework exploited in targeted attacks

Apple has patched a zero-day vulnerability in the Image I/O framework (CVE-2025-43300) exploited in targeted attacks. The flaw, an out-of-bounds write issue, could lead to memory corruption or remote code execution. The vulnerability affects multiple iOS, iPadOS, and macOS versions. Apple has released updates for iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8. The flaw was exploited in sophisticated attacks against specific individuals. The vulnerability impacts a wide range of devices, including iPhone XS and later, various iPad models, and Macs running macOS Sequoia, Sonoma, and Ventura. Users are advised to update their devices immediately to mitigate the risk. The flaw was discovered internally by Apple and addressed with improved bounds checking. Apple has fixed a total of seven zero-days exploited in real-world attacks since the start of the year. The attacker's identity and specific targets remain unknown, but the vulnerability was likely weaponized as part of highly targeted attacks. The attacks have been described as 'extremely sophisticated,' suggesting nation-state involvement or spyware activity. Apple has previously disclosed other zero-day vulnerabilities this year, including CVE-2025-24200 and CVE-2025-43200, which were also exploited in targeted attacks. WhatsApp has patched a security vulnerability in its iOS and macOS messaging clients that was exploited in targeted zero-day attacks. The flaw (tracked as CVE-2025-55177) affects WhatsApp for iOS prior to version 2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78. The vulnerability, in combination with the Apple zero-day flaw (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users. The flaw is an insufficient authorization of linked device synchronization messages. WhatsApp has notified an unspecified number of individuals that they believe were targeted by an advanced spyware campaign in the past 90 days using CVE-2025-55177. The attacks impacted both iPhone and Android users, including civil society individuals. WhatsApp sent in-app threat notifications to less than 200 users who may have been targeted as part of the campaign. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the WhatsApp vulnerability (CVE-2025-55177) to its Known Exploited Vulnerabilities (KEV) catalog. The WhatsApp flaw was exploited as part of a highly-targeted spyware campaign by chaining it with the Apple zero-day flaw (CVE-2025-43300). Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary mitigations by September 23, 2025, for both the vulnerabilities to counter active threats.

ReVault vulnerability in Dell Control Vault firmware disclosed

A critical security flaw, dubbed ReVault, has been discovered in the Control Vault firmware used in millions of Dell Latitude and Precision laptops. This vulnerability allows unauthorized access to secure peripherals, such as fingerprint and smart card readers, potentially enabling attackers to extract secret keys and bypass authentication mechanisms. The flaw affects the control board managing secure peripherals, allowing any user on the machine to send undocumented commands. This can lead to code execution, extraction of secret keys, and permanent modification of the firmware, persisting even after reinstalling the operating system. The ReVault vulnerability consists of five CVEs, three of which were combined to achieve code execution and firmware modification. Dell and Broadcom have released patches to address the vulnerability, emphasizing the importance of firmware security and thorough analysis of embedded systems.

N-able N-central Insecure Deserialization and Command Injection Vulnerabilities Exploited

Two vulnerabilities in N-able N-central, an RMM platform for MSPs, are being actively exploited. The flaws, CVE-2025-8875 and CVE-2025-8876, allow for command execution and command injection. N-able released patches in versions 2025.3.1 and 2024.6 HF2 on August 13, 2025. The U.S. CISA added these vulnerabilities to its KEV catalog, urging agencies to apply fixes by August 20, 2025. The vulnerabilities require authentication to exploit, and exploitation has been observed in a limited number of on-premises environments. N-able has not seen evidence of exploitation in its hosted cloud environments. The vulnerabilities affect Windows, Apple, and Linux endpoints managed by N-central. Over 800 N-able N-central servers remain unpatched, with approximately 2,000 instances exposed online. Shadowserver Foundation is tracking 880 vulnerable servers, mostly in the U.S., Canada, and the Netherlands. N-able has communicated the hotfix to all N-central customers and has committed to updating customers with additional information as their investigation continues.

Microsoft August 2025 Patch Tuesday Addresses 111 Vulnerabilities, Including Multiple Critical EoP Flaws

Microsoft's August 2025 Patch Tuesday addressed 111 vulnerabilities, with 16 rated Critical, 92 Important, 2 Moderate, and 1 Low in severity. The update includes fixes for 44 elevation-of-privilege (EoP) flaws, 35 remote code execution (RCE) vulnerabilities, 18 information disclosure flaws, 8 spoofing vulnerabilities, and 4 denial-of-service defects. Notable patches include fixes for Azure OpenAI, Windows Kerberos, and Microsoft SQL Server. The update also addresses critical RCE vulnerabilities in SharePoint, Windows Graphics Component, and Microsoft's GDI+ graphics interface, highlighting the need for immediate patching and mitigation strategies. The update is significant for its focus on EoP vulnerabilities, which can allow attackers to escalate privileges post-compromise. Key vulnerabilities include CVE-2025-53767 in Azure OpenAI, CVE-2025-53779 in Windows Kerberos, and multiple flaws in Microsoft SQL Server. Microsoft's September 2025 Patch Tuesday addresses 81 vulnerabilities, including two publicly disclosed zero-day vulnerabilities in Windows SMB Server and Microsoft SQL Server. The update also includes fixes for 38 EoP vulnerabilities, 22 RCE vulnerabilities, 16 information disclosure vulnerabilities, 3 denial of service vulnerabilities, 1 spoofing vulnerability, and 2 security feature bypass vulnerabilities. The KB5065429 cumulative update for Windows 10 22H2 and Windows 10 21H2 includes fourteen fixes or changes, addressing unexpected UAC prompts and severe lag and stuttering issues with NDI streaming software. The update includes Microsoft's September 2025 Patch Tuesday security updates, which fix two publicly disclosed zero-day vulnerabilities and 81 flaws. Microsoft's September 2025 Patch Tuesday addresses 80 vulnerabilities, including one publicly disclosed vulnerability in Windows SMB. The update includes fixes for 38 EoP vulnerabilities, 22 RCE vulnerabilities, 14 information disclosure vulnerabilities, and 3 denial-of-service vulnerabilities. The update also addresses critical flaws in Azure Networking, Microsoft High Performance Compute (HPC) Pack, and Windows NTLM, among others.