Beckhoff TwinCAT 3 Engineering Deserialization Vulnerability Allowing Arbitrary Command Execution
Vulnerability
A deserialization vulnerability has been identified in Beckhoff's TwinCAT 3 Engineering software, affecting versions prior to 3.1.4024.67. This vulnerability allows an unauthenticated attacker to manipulate project files in such a way that, when opened by a local user using the affected engineering tool, arbitrary commands are executed in the user's context. The issue arises because TwinCAT 3 Engineering executes commands based on settings stored in 'Solution User Options' files, which can be crafted by an adversary. Notably, older versions of TwinCAT 3 Engineering can be installed alongside newer ones, potentially leading to exploitation if a vulnerable version is used to open a manipulated project.
Impact
Exploitation of this vulnerability could result in arbitrary command execution on the affected system, carried out in the context of the user who opens the manipulated project file.
Remediation
Users are advised to update to the latest version of TwinCAT 3 Engineering and to uninstall any older versions. Additionally, projects should be unpinned from older TwinCAT 3 Engineering versions to prevent automatic switching to a vulnerable version.
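A pre-open check that follows from the role of 'Solution User Options' files described above, added here as an example and not taken from Beckhoff or this page: it moves those files out of a received project tree before the project is opened. It assumes the Visual Studio `.suo` naming (beside the `.sln` or inside a hidden `.vs` folder), which the page does not state; the function names are hypothetical.

```python
import shutil
import tempfile
from pathlib import Path


def find_suo_files(project_root):
    """Return every Solution User Options file under project_root, sorted.

    Assumption: the files follow the Visual Studio '.suo' naming, either
    '<name>.suo' beside the .sln or a bare '.suo' inside a hidden '.vs'
    folder. Matching is on the file name and is case-insensitive.
    """
    root = Path(project_root)
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.name.lower().endswith(".suo"))


def quarantine_suo_files(project_root, quarantine_dir):
    """Move each .suo file out of the tree, keeping its relative path.

    Returns (original, quarantined) pairs for review. Visual Studio based
    IDEs recreate user option files on open, so the project still loads.
    quarantine_dir must be outside project_root.
    """
    root, dest_root = Path(project_root), Path(quarantine_dir)
    moved = []
    for src in find_suo_files(root):
        dest = dest_root / src.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dest))
        moved.append((src, dest))
    return moved


def demo():
    """Build a constructed sample project tree and quarantine its .suo files."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "received_project"
        hidden = project / ".vs" / "Sample" / "v15"
        hidden.mkdir(parents=True)
        (project / "Sample.sln").write_text("constructed solution file")
        (project / "Sample.SUO").write_bytes(b"constructed")
        (hidden / ".suo").write_bytes(b"constructed")
        moved = quarantine_suo_files(project, Path(tmp) / "quarantine")
        return len(moved), find_suo_files(project), (project / "Sample.sln").exists()


if __name__ == "__main__":
    print(demo())
```

This supplements the update and uninstall steps above and does not replace them.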
