Public reports of vulnerabilities named “Access:7” impact PTC Axeda agent and Axeda Desktop Server, remote asset connectivity software used as part of a cloud-based Internet of Things (IoT) platform.
According to a Cybersecurity and Infrastructure Security Agency (CISA) report, these vulnerabilities can impact medical, IoT, and embedded devices dependent on the impacted products.
“Successful exploitation of these vulnerabilities could result in full system access, remote code execution, read/change configuration, file system read access, log information access, and a denial-of-service condition,” CISA warned in the advisory.
The vulnerabilities can be exploited remotely with low attack complexity and affect all versions of Axeda agent and Axeda Desktop Server for Windows.
A summary of the Critical findings includes:
- CVE-2022-25246: use of hard-coded credentials (CVSS 9.8)
- CVE-2022-25247: missing authentication for critical function (CVSS 9.8)
- CVE-2022-25251: missing authentication for critical function (CVSS 9.8).
Multiple other High- and Medium-severity issues were also fixed.
Finally, PTC recommends organizations upgrade systems to Axeda agent Version 6.9.2 build 1049 or 6.9.3 build 1051, as well as Axeda Desktop Server (ADS) to Version 6.9 build 215.