CD_SVA_2025_01: zenon Remote Transport Vulnerability

What you should know

  1. The vulnerability targets a specific function of the zenon Remote Transport Service.
  2. The underlying weakness is CWE-306: ‘Missing Authentication for Critical Function’.
  3. The versions listed below are affected by this vulnerability.
  4. All zenon versions before zenon 15 are affected by this vulnerability.

Summary

During an external penetration test, a vulnerability in the zenon Remote Transport Service was found.
The vulnerability allows the use of the Reboot OS functionality of the Remote Transport Service without proper authentication. The Reboot OS functionality prompts a reboot of the target machine. The vulnerability is not exploitable remotely without having first gained access to the network where the target zenon machine resides.
At the time of writing, there is no evidence that this vulnerability is being actively exploited in the wild.
COPA-DATA has fixed the vulnerability in the versions listed under Patch Availability.

Please consult the accompanying CSAF “cd-20250002.json” or the "CD_SVA_2025_1.pdf" for further information.

Impact Analysis

After investigating the issue, we confirm that the zenon Software Platform versions specified in this document are affected by this vulnerability.
The CVSS score is the following: 7.5
The CVSS vector is the following: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Mitigations

The following mitigations can be applied:
  1. Block access to the zensyssrv.exe service via the host’s firewall.
  2. If the zenon Software Platform version supports it, access can be restricted to "localhost only" via the zenon Startup Tool.
  3. The zensyssrv.exe service can be terminated or stopped if the Remote Transport Service is not needed.
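
One way to apply mitigation 1 with the Windows Defender Firewall, as an added example that is not part of the original advisory or COPA-DATA tooling. It assumes the service is currently running under the process name zensyssrv (the executable named above) and an elevated PowerShell session; the rule name is constructed for illustration.

```powershell
# Added example (not vendor code): audit and block inbound access to the
# zenon Remote Transport Service on this host. Run elevated.
$procName = 'zensyssrv'                                   # executable named in the advisory, without .exe
$ruleName = 'Block inbound zensyssrv (CD_SVA_2025_01)'    # constructed rule name

$procs = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    Write-Warning "$procName is not running; start from the installed executable path instead."
    return
}

# 1. Show the TCP endpoints the service is listening on right now.
#    A LocalAddress of 0.0.0.0 or :: means it accepts connections on all interfaces.
foreach ($p in $procs) {
    Get-NetTCPConnection -State Listen -OwningProcess $p.Id -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

# 2. Resolve the executable path from the running process, so the rule follows
#    the actual install location rather than a guessed one.
$exePath = $procs | Where-Object Path | Select-Object -First 1 -ExpandProperty Path
if (-not $exePath) {
    throw "Cannot read the path of $procName; run this session as Administrator."
}

# 3. Create the program-scoped inbound block rule once (idempotent on re-run).
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
                        -Direction Inbound `
                        -Program $exePath `
                        -Action Block `
                        -Profile Any | Out-Null
}

# 4. Confirm the rule is enabled and bound to the expected executable.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallApplicationFilter |
    Select-Object Program
```

The rule blocks every inbound connection to the service, including legitimate Remote Transport sessions from an engineering station, and block rules take precedence over allow rules for the same program.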

Patch Availability

Update to one of the following versions:
  1. The zenon Software Platform version 14 build 350309 and higher.
  2. The zenon Software Platform version 12 build 352417 and higher.
  3. The zenon Software Platform version 11 build 383048 and higher.
  4. The zenon Software Platform version 10 build 348998 and higher.
  5. The zenon Software Platform version 8.20 build 381546 and higher.

General Recommendations

  1. COPA-DATA recommends installing only the Service Engine component on production systems and installing the Engineering Studio on a separate, dedicated engineering station. Physical, local access to systems with the zenon Software Platform should be restricted to authorized users only in an environment with physical access control measures in place.
  2. COPA-DATA recommends that system integrators and asset owners perform their own risk assessment, to establish whether the updated version of the zenon Software Platform shall be installed.
  3. COPA-DATA recommends keeping the operating system and software up to date.
  4. COPA-DATA recommends assessing the updated version of the zenon Software Platform in a test environment, to verify normal operation of the system according to project specific configuration and hardware environment, prior to installing the updated version of the zenon Software Platform in a production environment.
  5. COPA-DATA recommends that a contingency plan is in place to roll back the installation of the updated version of the zenon Software Platform, in case of any unexpected issues with the production environment following the installation of the patch.