Forescout finds seven device vulnerabilities

  • March 16, 2022
  • Steve Rogerson

Seven critical vulnerabilities have been found that could let hackers remotely execute malicious code and take full control of devices, access sensitive data or alter configurations in impacted devices.

Known as Access Seven, the vulnerabilities were found by Forescout’s Vedere Labs, in partnership with CyberMDX, and affect PTC’s Axeda agent. Three of the vulnerabilities were rated critical by the Cybersecurity & Infrastructure Security Agency (CISA).

[Figure: Deployment of devices running Axeda, according to Forescout]

CISA has released an industrial control systems advisory (ICSA) detailing the vulnerabilities in PTC’s Axeda agent and desktop server. Successful exploitation of these vulnerabilities could result in full system access, remote code execution, reading or changing of configuration, file system read access, log information access or a denial-of-service condition.

The Axeda agent lets device manufacturers remotely access and manage connected devices. The affected agent is most popular in healthcare but is also present in other industries, such as financial services and manufacturing. A list of more than 150 potentially affected devices from over 100 vendors highlights the significance of the vulnerabilities. The list contains several medical imaging and laboratory devices.

IoT devices use a wide variety of operating systems, hardware and software. Typically, IoT manufacturers do not allow customers to install software, including security agents, on their devices. In the case of Access Seven, PTC depends on IoT manufacturers to install the Axeda agent before their IoT devices are sold to customers in what is typically called an original equipment manufacturer (OEM) approach.

Axeda has released patches for all the vulnerabilities.

Using anonymised user data in the Vedere Labs Global Cyber Intelligence Dashboard, Forescout has seen more than 2000 unique devices running Axeda on users' networks.

“By examining these sources, we could learn about the potential impact of the vulnerabilities,” said Daniel dos Santos, head of security research at Vedere Labs.

Axeda was developed as a cloud platform for IoT devices, so it is found in a variety of applications beyond healthcare. Vulnerable devices used in other industries include ATMs, vending machines, cash management systems, label printers, barcode scanning systems, SCADA systems, asset monitoring and tracking, IoT gateways, and machines such as industrial cutters.

Complete protection against Access Seven requires patching devices running the vulnerable versions of the Axeda components. PTC has released its official patches, and device manufacturers using this software should provide their own updates to their customers.

For network operators, Forescout recommends:

  • Discover and inventory devices running Axeda.
  • Enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices. Restrict external communication paths and isolate or contain vulnerable devices in zones if they cannot be patched or until they can be patched. In particular, consider blocking one or more of the vulnerable ports on any of the affected devices.
  • Monitor progressive patches released by affected device manufacturers and devise a remediation plan for vulnerable asset inventory, balancing business risk and business continuity requirements.
  • Monitor all network traffic for malicious packets that try to exploit these vulnerabilities. Block known malicious traffic or at least alert network operators of its presence.

With the recent acquisition of CyberMDX, Forescout healthcare customers can use CyberMDX to identify vulnerable medical and IoT devices. This automatically detects the medical assets within the network and organises them in an accessible inventory listing.