CVE-2023-29446: 
PTC KEPServerEX vulnerability analysis and mitigation

An improper input validation vulnerability (CVE-2023-29446) was discovered in PTC's Kepware KepServerEX, ThingWorx Kepware Server (versions up to 6.14.263.0), and ThingWorx Industrial Connectivity (versions 8.0 to 8.5). The vulnerability was disclosed in January 2024 and affects the project file handling functionality of the software (CISA Advisory, NVD).

The vulnerability allows an adversary to inject a UNC (Universal Naming Convention) path via a malicious project file. This vulnerability is classified as CWE-20 (Improper Input Validation) and has been assigned a CVSS v3.1 base score of 4.7 (Medium) with the vector string AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N. The attack requires local access and user interaction, but no privileges, with high attack complexity (CISA Advisory).

Successful exploitation of this vulnerability allows an adversary to capture NTLMv2 hashes, which could potentially be cracked offline. This could lead to unauthorized access to system resources and potential compromise of user credentials (CISA Advisory, Dragos Advisory).

PTC has acknowledged the vulnerability and developed patches to address it. Users are recommended to follow the directions in the secure configuration documentation and implement standard defensive measures including minimizing network exposure, using firewalls to isolate control system networks from business networks, and employing secure remote access methods like VPNs when necessary (CISA Advisory).