CVE-2022-25246 Overview
CVE-2022-25246 is a hardcoded credentials vulnerability affecting PTC Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions). The vulnerability exists in the UltraVNC installation bundled with these products, which uses hard-coded credentials that can be exploited by remote authenticated attackers to gain full control of the host operating system.
Critical Impact
Successful exploitation allows remote authenticated attackers to take complete control of affected systems through the UltraVNC remote access functionality, potentially compromising entire industrial control system (ICS) environments.
Affected Products
- PTC Axeda Agent (All versions)
- PTC Axeda Desktop Server for Windows (All versions)
- Systems utilizing UltraVNC installations bundled with affected Axeda products
Discovery Timeline
- 2022-03-16 - CVE-2022-25246 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-25246
Vulnerability Analysis
This vulnerability is classified under CWE-798 (Use of Hard-Coded Credentials), a configuration and design flaw that occurs when software contains embedded authentication credentials that cannot be changed by administrators. In this case, the PTC Axeda agent and Desktop Server products ship with UltraVNC—a popular remote desktop application—configured with static, unchangeable credentials.
The network-based attack vector means that any authenticated user who can reach the affected system over the network can leverage these known credentials to establish a VNC session. Once connected, the attacker inherits the privileges of the VNC service, typically running with elevated permissions to facilitate remote administration. This grants complete access to view the screen, control input devices, and execute arbitrary commands on the target system.
Root Cause
The root cause of this vulnerability is the inclusion of hard-coded credentials within the UltraVNC component bundled with PTC Axeda products. These credentials are embedded in the software configuration and cannot be modified by end users or administrators, creating a situation where all installations share identical authentication secrets. This design decision likely originated from convenience during development or deployment but creates a critical security weakness in production environments.
Attack Vector
The attack leverages the network-accessible UltraVNC service running on affected Axeda installations. An attacker who has obtained low-privilege network access to the target environment can:
- Identify systems running Axeda agent or Desktop Server through network scanning
- Connect to the UltraVNC service using the publicly known hard-coded credentials
- Gain full remote desktop control of the target system
- Execute commands, access sensitive data, or pivot to other systems in the network
The vulnerability is particularly concerning in industrial control system (ICS) and operational technology (OT) environments where Axeda products are commonly deployed for remote device management and monitoring.
Detection Methods for CVE-2022-25246
Indicators of Compromise
- Unexpected VNC connections to systems running Axeda agent or Desktop Server
- Authentication attempts to UltraVNC services from unauthorized IP addresses
- Unusual remote desktop session activity on ICS/OT network segments
- Network traffic on common VNC ports (5900-5906) from unexpected sources
Detection Strategies
- Monitor network traffic for VNC protocol connections to Axeda-enabled systems
- Implement network intrusion detection rules for UltraVNC authentication patterns
- Audit authentication logs for VNC service access attempts
- Deploy endpoint detection to identify unauthorized remote desktop sessions on affected hosts
Monitoring Recommendations
- Establish baseline network behavior for Axeda-related services and alert on deviations
- Configure SIEM rules to correlate VNC connection attempts with asset inventory of Axeda installations
- Monitor for lateral movement following successful VNC connections
- Implement network segmentation monitoring between IT and OT environments
How to Mitigate CVE-2022-25246
Immediate Actions Required
- Restrict network access to UltraVNC services on affected systems using firewall rules
- Segment networks to isolate Axeda-enabled systems from untrusted network zones
- Disable UltraVNC functionality if remote access is not required for operations
- Implement VPN or jump server requirements for any necessary remote access to affected systems
Patch Information
PTC has released guidance for addressing this vulnerability. Administrators should consult the PTC Support Article CS363561 for specific remediation instructions and updated software versions. Additionally, the CISA ICS Advisory ICSA-22-067-01 provides comprehensive guidance for organizations operating affected products in industrial environments.
Organizations should prioritize upgrading to patched versions of Axeda products or implementing the vendor-recommended workarounds to eliminate the hard-coded credential exposure.
Workarounds
- Implement network-level access controls to restrict connections to UltraVNC ports
- Deploy application whitelisting to prevent unauthorized VNC client connections
- Use network monitoring to detect and block exploitation attempts
- Consider disabling the UltraVNC service entirely if remote desktop functionality is not operationally required
# Network segmentation example - restrict VNC access to management VLAN only
# Firewall rule to block external VNC connections (adjust for your environment)
iptables -A INPUT -p tcp --dport 5900:5906 -s ! 10.0.100.0/24 -j DROP
iptables -A INPUT -p tcp --dport 5900:5906 -s 10.0.100.0/24 -j ACCEPT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
