Security Experts:

Connect with us

Hi, what are you looking for?



Details Disclosed for OPC UA Vulnerabilities Exploited at ICS Hacking Competition

Software development and security solutions provider JFrog has disclosed the details of several vulnerabilities affecting the OPC UA protocol, including flaws exploited by its employees at a hacking competition earlier this year.

Software development and security solutions provider JFrog has disclosed the details of several vulnerabilities affecting the OPC UA protocol, including flaws exploited by its employees at a hacking competition earlier this year.

OPC UA (Open Platform Communications United Architecture) is a machine-to-machine communication protocol that is used by many industrial solutions providers to ensure interoperability between various types of industrial control systems (ICS).

JFrog’s researchers discovered several vulnerabilities in OPC UA and disclosed some of them at the Pwn2Own Miami 2022 competition in April, where participants earned a total of $400,000 for hacking ICS.

In the OPC UA server category at Pwn2Own, the maximum prize was $40,000, for bypassing a trusted application check, and participants could earn $20,000 for remote code execution flaws.

The JFrog researchers earned $5,000 for each of two denial-of-service (DoS) exploits targeting the OPC UA .NET Standard server, an open source server used by hundreds of other repositories on GitHub, and the Unified Automation OPC UA C++ demo server.

The two vulnerabilities presented at Pwn2Own can be used to crash the OPC UA server. DoS flaws can have a significant impact in the case of ICS as they can lead to the disruption of critical processes.

JFrog disclosed its findings in a blog post published last week.

In addition, JFrog researchers reported eight other vulnerabilities to Unified Automation. The issues were found in the Unified Automation C++-based OPC UA Server SDK and they were fixed with the release of version 1.7.7 of the SDK.

Learn More About Vulnerabilities in Industrial Products at 

SecurityWeek’s ICS Cyber Security Conference

Two of these vulnerabilities can allow an attacker with elevated privileges to achieve remote code execution on the server. These security holes did not qualify for Pwn2Own due to time and stability constraints, but their details were disclosed last week in a separate blog post by JFrog.

The remote code execution exploits are not stable, but the researchers believe they can be improved.

The technical details disclosed by JFrog could be useful to other researchers who want to analyze the security of the OPC UA industrial stack.

Related: Industrial Firms Informed About Serious Vulnerabilities in Matrikon OPC Product

Related: Many Vulnerabilities Found in OPC UA Industrial Protocol

Related: ICS Vendors Assessing Impact of New OPC UA Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.