The vulnerability is remotely exploitable: sending a malformed .NET remote procedure call packet to port 58723/TCP causes a denial of service, explained the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in an advisory.
All versions of OPC Systems.NET prior to version 5.0 are affected. There are public exploits that target this vulnerability, which requires a moderate skill level to exploit, the advisory said.
OPC Systems.NET is a human-machine interface application that is deployed across several sectors, including manufacturing, information technology, energy, water and wastewater, defense, and others.
Researcher Luigi Auriemma publicly reported the vulnerability in OPC Systems.NET along with proof-of-concept exploit code. This report was released without coordination with Open Automation Software, ICS-CERT, or any other coordinating entity known to ICS-CERT, the advisory noted.
ICS-CERT worked with Open Automation Software to fix the security hole, and Auriemma has confirmed that the fix is effective, the advisory said.