Claroty researchers in 2020 conducted an extensive analysis of the OPC network protocol prevalent in OT networks worldwide. During that research, Claroty found and privately disclosed critical vulnerabilities in OPC implementations from a number of leading vendors that have built their respective products on top of the protocol stack. The affected vendors sell these products to companies operating in many industries within the ICS domain.
The vulnerabilities discovered by Claroty could be exploited to cause a denial-of-service condition on devices operating on industrial networks, as well as information leaks, and remote code execution. Our research identified weak spots in different OPC specification implementations within different components of the OPC architecture. These components include the OPC server, OPC gateway, and a third-party library implementation of the OPC protocol stack
In this report, we will explain the OPC protocol in depth, its architecture, and common usage in order to gain a deeper understanding of the impact of these vulnerabilities. We will also describe the vulnerabilities we uncovered, and explain the potential threat posed by attackers who exploit these vulnerabilities to take over OPC servers and gateways, and potentially harm manufacturing facilities and production lines.
CWE-15 EXTERNAL CONTROL OF SYSTEM OR CONFIGURATION SETTING:
A post-authenticated external control of system web interface configuration setting vulnerability exists in the Danfoss AK-SM8xxA Series prior to version 4.3.1, which could allow for a denial-of-service attack induced by improper handling of exceptional conditions.
Danfoss created release R4.3.1 to address CVE-2025-41452.
CVSS v3: 5.4
CWE-77 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('Command Injection'):
Improper neutralization of alarm-to-mail configuration fields used in an OS shell command injection in Danfoss AK-SM8xxA Series, prior to version 4.3.1, may lead to post-authenticated remote code execution on an attacked system.
Danfoss created release R4.3.1 to address CVE-2025-41451.
CVSS v3: 7.6
CWE-617 REACHABLE ASSERTION:
Affected devices do not properly validate input sent to its listening port on the local loopback interface. This could allow an unauthenticated local attacker to cause a denial of service condition.
Users are urged to update to SIMATIC RTLS Locating Manager: V3.3 or later version.
CVSS v3: 6.2
CWE-23 RELATIVE PATH TRAVERSAL:
An 'Arbitary File Deletion' in Samsung DMS (Data Management Server) allows attackers to delete arbitary files from unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 8.1
CWE-22 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL'):
An 'Arbitary File Creation' in Samsung DMS (Data Management Server) allows attackers to create arbitary files in unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses.
Samsung recommends users to contact a Samsung call center or installer for a software update.
This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."
CVSS v3: 7.2
