CVE-2024-6071

Name of the Vulnerable Software and Affected Versions PTC Creo Elements/Direct License Server versions 20.7.0.0 and earlier

Description The PTC Creo Elements/Direct License Server exposes a web interface that can be used by unauthenticated remote attackers to execute arbitrary OS commands on the server. This issue is related to a buffer overflow in dynamic memory. Exploitation of the vulnerability may allow a remote attacker to execute arbitrary code. The vulnerable License Server provides a web interface that can be used by unauthenticated remote attackers to execute arbitrary OS commands on the server. This vulnerability can lead to lateral movement in industrial organizations, and the product is used worldwide, including in critical manufacturing sectors. However, PTC noted that they have no indications and were not aware of this vulnerability being exploited or previously exploited.

Recommendations For versions 20.7.0.0 and earlier, update to version 20.7.0.1 or later, which includes the patch for this issue. As a temporary workaround, consider restricting access to the License Server's web interface to minimize the risk of exploitation. Avoid using the License Server in an environment where it can be accessed by unauthenticated remote attackers.