CVE-2023-29447: 
PTC KEPServerEX vulnerability analysis and mitigation

An insufficiently protected credentials vulnerability (CVE-2023-29447) was identified in KEPServerEX, affecting versions 6.14.263.0 and prior of Kepware KepServerEX, ThingWorx Kepware Server, and ThingWorx Industrial Connectivity versions 8.0 to 8.5. The vulnerability was discovered and reported by Sam Hanson of Dragos to CISA (CISA Advisory, NVD).

The vulnerability stems from the KEPServerEX Configuration web server's use of basic authentication to protect user credentials. It has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N according to NVD's assessment, while Dragos assigned a slightly higher score of 5.7 (MEDIUM) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-522 (Insufficiently Protected Credentials) (NVD).

Successful exploitation of this vulnerability could allow an adversary to capture user credentials through man-in-the-middle (MitM) attacks via ARP spoofing, potentially leading to unauthorized access to the web server's plaintext credentials (CISA Advisory).

PTC has acknowledged the vulnerability and planned to address these issues by November 2023. In the interim, CISA recommends minimizing network exposure for control system devices, ensuring they are not accessible from the internet, locating control system networks behind firewalls, isolating them from business networks, and using secure methods like VPNs when remote access is required (CISA Advisory).