October 3, 2023

IoT devices used for commercial applications could be at risk of malicious takeover due to critical vulnerabilities in connected device management platform Axeda.

The RCE flaws could also allow attackers to access sensitive data or reconfigure affected devices. Most devices affected by these, and four other, lower severity bugs collectively dubbed ‘Access:7’ are used for medical applications.


Affected devices are also used for applications such as ATMs, vending machines, cash management systems, label printers, barcode scanning systems, SCADA systems, asset monitoring and tracking solutions, IoT gateways, and industrial cutters.

Forescout, which provides cybersecurity services for the ‘enterprise of things’, said it had identified more than 2,000 devices running Axeda on customer networks.

The two most severe RCE vulnerabilities, with CVSS scores of 9.8, relate to the use of hardcoded credentials by the AxedaDesktopServer.exe service (CVE-2022-25246) and a flaw in the ERemoteServer.exe service allowing for full file system access (CVE-2022-25247).


The issue tracked as CVE-2022-25251 with a CVSS score of 9.4, arose because the Axeda xGate.exe agent permits unauthenticated commands that retrieve information about a device and modify the agent’s configuration.

Medium severity issues include DoS (CVE-2022-25250) and information disclosure via directory traversal (CVE-2022-25249) flaws affecting the Axeda xGate.exe agent; a separate denial of service exploit that causes Axeda services using xBase39.dll to crash (CVE-2022-25252); and an information disclosure bug in the ERemoteServer.exe service (CVE-2022-25248) . Axeda, has patched all seven flaws in Axeda Agent version 6.9.3.

Leave a Reply

%d bloggers like this: