(Updated 08 March, 2022)
Vision RT is aware of Axeda vulnerabilities that have just been published.
More information on these vulnerabilities can be found at https://www.ptc.com/en/support/article/CS363561 and in the list below:
- The Axeda xGate.exe agent allows for unrestricted file system read access via a directory traversal on its web server.
- The Axeda xGate.exe agent can be shut down remotely by an unauthenticated attacker via an undocumented command.
- The Axeda xGate.exe agent supports a set of unauthenticated commands to retrieve information about a device and modify the agent’s configuration.
- The AxedaDesktopServer.exe service uses hard-coded credentials to enable full remote control of a device.
- The ERemoteServer.exe service exposes a live event text log to unauthenticated attackers.
- The ERemoteServer.exe service allows for full file-system access and remote code execution.
- All Axeda services using xBase39.dll can be crashed due to a buffer overflow when processing requests.
These vulnerabilities may exist on some Vision RT Systems, especially those installed prior to May 2020 which have been configured for remote access support from Vision RT.
The majority of systems under service contracts with Vision RT will not have Axeda installed, as this functionality was superseded by N-able.
We will be emailing our customers with details on how to determine if their Vision RT system(s) are vulnerable, and if so, how to fix the issue.
If you are a Vision RT customer and have not received this email, please email firstname.lastname@example.org and we’ll send you a copy. Alternatively, you can find more information on this topic, including details on how to check and secure your system, at https://www.myvisionrt.com.
If you need assistance in performing vulnerability checks or in implementing the steps needed to secure your systems, please contact Vision RT support via the customer support helpdesk at https://www.visionrt.com/customer-support/ or reach out directly to your regional engineers and Clinapps specialists.
If you wish to check the validity of any email that appears to be sent by Vision RT, contact email@example.com.