The PTC Creo Elements/Direct License Server has a critical vulnerability identified as CVE-2024-6071. This flaw allows unauthenticated remote attackers to execute arbitrary OS commands, posing a severe risk to systems using affected versions of the software. The vulnerability, which has a CVSS v4 score of 10.0, is linked to missing authorization in the web interface of the license server.
Affected versions include Creo Elements/Direct Drafting, Model Manager/Drawing Manager, Modeling, and WorkManager, as well as the Creo Elements/Direct License Server (MELS) up to version 20.7.0.0. The issue does not affect the PTC Creo License Server, but it remains a significant concern because it can be exploited remotely.
To mitigate this risk, PTC recommends upgrading to Creo Elements/Direct License Server version 20.7.0.1 or later. Organizations should also adopt additional defensive measures such as minimizing network exposure, using firewalls, and employing secure remote access methods like VPNs. Proper impact analysis and risk assessment should be conducted before implementing these strategies.
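A practical first step in applying the upgrade advice above is triaging which license server hosts still run a version below 20.7.0.1. The script below is an added example, not code from PTC or CISA; the hostnames and installed versions in its inventory are constructed, and the affected/fixed boundary is taken from the advisory.

```python
# Added example (not from the advisory): triage an inventory of Creo
# Elements/Direct License Server hosts against the fixed release 20.7.0.1.
from typing import Dict, List, Tuple

FIXED_VERSION = "20.7.0.1"  # first release PTC lists as fixed


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '20.7.0.0' into (20, 7, 0, 0), padding short strings to 4 parts.

    Comparing integer tuples avoids the lexicographic trap where the
    string '20.10.0.0' would sort below '20.7.0.0'.
    """
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str) -> bool:
    """True when the installed version is below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames (sorted) that still need the 20.7.0.1 upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostname -> installed license server version.
SAMPLE_INVENTORY = {
    "mels-01.example.internal": "20.7.0.0",   # below the fix: flagged
    "mels-02.example.internal": "20.7.0.1",   # fixed release: not flagged
    "mels-03.example.internal": "20.6",       # padded to 20.6.0.0: flagged
    "mels-04.example.internal": "20.10.0.0",  # above the fix numerically: not flagged
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {FIXED_VERSION} or later required")
```

Feed it the real inventory exported from your asset management system in place of the constructed dictionary; the comparison itself does not change.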
CISA has advised users to stay informed about cybersecurity best practices and to report any suspicious activity. While no public exploits targeting this vulnerability have been reported, following these recommendations is crucial for protecting industrial control systems and mitigating potential threats.