Beckhoff: Relative path traversal vulnerability through TwinCAT OPC UA Server
CVE-2021-34594

6.5MEDIUM

Key Information:

Vendor: Beckhoff Automation
Status: Twincat Opc Ua Server
Vendor: CVE Published:; 4 November 2021

🔔 Create Beckhoff Automation Vulnerability Alert

What is CVE-2021-34594?

TwinCAT OPC UA Server in TF6100 and TS6100 in product versions before 4.3.48.0 or with TcOpcUaServer versions below 3.2.0.194 are prone to a relative path traversal that allow administrators to create or delete any files on the system.

Affected Version(s)

TwinCAT OPC UA Server TF6100 < 4.3.48.0

TwinCAT OPC UA Server TS6100 < 4.3.48.0

TwinCAT OPC UA Server TcOpcUaServer version < 3.2.0.19423

References

https://cert.vde.com/en/advisories/VDE-2021-051/

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 4, 2021
Vulnerability Reserved
Jun 10, 2021

Credit

Beckhoff Automation thanks Johannes Olegård, Emre Süren, and Robert Lagerström for reporting the issue and for support and efforts with the coordinated disclosure.