Quote:Thousands of organizations remain at risk from the URGENT/11 and CDPwn collections of vulnerabilities, which affect operational technology (OT) gear and internet of things (IoT), respectively. Unfortunately, there has been a rampant lack of patching, researchers said.
According to researchers at Armis, a whopping 97 percent of the OT devices impacted by URGENT/11 have not been patched, despite fixes being delivered in 2019. And, 80 percent of those devices affected by CDPwn remain unpatched.
URGENT/11 is a collection of 11 different bugs that can affect any connected device leveraging Wind River’s VxWorks that includes an IPnet stack (CVEs from Wind River available here). VxWorks is a real-time operating system (RTOS) that third-party hardware manufacturers have embedded in more than 2 billion devices across industrial, medical and enterprise environments.
Affected devices, including programmable logic controllers from Schneider Electric and Rockwell Automation, are typically used in production and manufacturing environments to carry out various mission-critical tasks, such as monitoring and control of physical devices that operate various instruments (e.g motors, valves, pumps, etc.).
Most concerningly, URGENT/11 includes six remote code-execution (RCE) vulnerabilities that could give an attacker full control over a targeted device, via unauthenticated network packets.
“URGENT/11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security. Every business with these devices needs to ensure they are protected,” said Yevgeny Dibrov, CEO and co-founder of Armis, when the bugs were discovered. “The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk.”
Read more: https://threatpost.com/unpatched-iot-ot-...re/162275/
![[-]](https://www.geeks.fyi/images/collapse.png)
