PTC warns of critical flaw in Creo Elements/Direct License Server
Take action: If you are using PTC Creo Elements/Direct License Server, first make sure it is not accessible from the internet and is isolated in a trusted network. Then plan to patch it. Do not skip this patch: it is trivially exploitable once a hacker gets visibility of the web interface.
Learn More
PTC Inc. (formerly Parametric Technology Corporation) reports a critical flaw in their Creo Elements/Direct License Server.
The PTC Creo Elements/Direct License Server is a component used to manage licensing for the Creo Elements/Direct suite, which includes various CAD (computer-aided design) software products such as Creo Elements/Direct Modeling, Drafting, Model Manager, and WorkManager. These products are used in manufacturing and engineering sectors for tasks ranging from 3D modeling to drafting and managing engineering data.
The vulnerability is tracked as CVE-2024-6071 (CVSS score 10.0): a missing authorization flaw, exploitable remotely with low attack complexity. The web interface of the Creo Elements/Direct License Server can be exploited by unauthenticated remote attackers to execute arbitrary OS commands.
The vulnerability impacts Creo Elements/Direct License Server version 20.7.0.0 and prior, as used by the following products:
- Creo Elements/Direct Drafting
- Creo Elements/Direct Model/Drawing Manager
- Creo Elements/Direct Modeling
- Creo Elements/Direct WorkManager
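The "take action" guidance above says to confirm the license server's web interface is reachable only from a trusted network before patching. The script below is an added example of one way to verify that, written for this page; it is not PTC's code and the advisory does not describe it. It assumes the web interface keeps an access log in the common "client - - [timestamp] "request" status size" format (PTC's actual log format is not stated on the page) and that the trusted network is the set of CIDRs in `TRUSTED_NETWORKS`. The log lines and CIDRs are constructed sample data; any request from outside the trusted ranges means the interface is exposed beyond the isolated network.

```python
"""
Added example (not from PTC or the advisory): audit whether a Creo Elements/Direct
License Server web interface is being reached from outside the trusted network.

Assumptions (not stated on the page): the listener's access log is in common log
format, and the trusted network is the CIDR list in TRUSTED_NETWORKS. Both the
sample log lines and the CIDRs below are constructed for this example.
"""
import ipaddress
import re
from collections import Counter

# Constructed: trusted engineering subnets. Replace with your own ranges.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")
]

# Constructed sample access-log lines (common log format). The two public
# addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
10.20.4.17 - - [01/Jul/2024:09:12:03 +0000] "GET /index.html HTTP/1.1" 200 512
10.20.4.18 - - [01/Jul/2024:09:12:09 +0000] "POST /status HTTP/1.1" 200 88
203.0.113.45 - - [01/Jul/2024:09:13:41 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [01/Jul/2024:09:13:55 +0000] "POST /status HTTP/1.1" 200 88
not a log line
192.168.50.3 - - [01/Jul/2024:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512
"""

# client ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, request, status) or None if the line doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # client field was not an IP address
    return ip, m.group("ts"), m.group("req"), int(m.group("status"))


def is_trusted(ip):
    """True if the address (str or ip_address) falls inside a trusted CIDR."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return any(ip in net for net in TRUSTED_NETWORKS)


def audit(log_text):
    """Split requests into trusted and untrusted sources.

    Any entry in 'untrusted' means the web interface answered a client outside
    the isolated network, i.e. the isolation step has not been completed.
    """
    untrusted, trusted_count, unparsed = [], 0, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        ip, ts, req, status = rec
        if is_trusted(ip):
            trusted_count += 1
        else:
            untrusted.append((str(ip), ts, req, status))
    return {"trusted": trusted_count, "untrusted": untrusted, "unparsed": unparsed}


def exposure_summary(log_text):
    """Compact verdict: is the interface exposed, and from which sources."""
    result = audit(log_text)
    by_source = Counter(src for src, *_ in result["untrusted"])
    return {
        "exposed": bool(result["untrusted"]),
        "untrusted_sources": dict(by_source),
        "trusted_requests": result["trusted"],
        "unparsed_lines": result["unparsed"],
    }


if __name__ == "__main__":
    summary = exposure_summary(SAMPLE_LOG)
    print("exposed:", summary["exposed"])
    for src, count in summary["untrusted_sources"].items():
        print(f"  untrusted source {src}: {count} request(s)")
    for src, ts, req, status in audit(SAMPLE_LOG)["untrusted"]:
        print(f"  {ts} {src} {req!r} -> {status}")
```

Run it against the real access log (`exposure_summary(open(path).read())`) after adjusting `TRUSTED_NETWORKS` and, if needed, `LOG_RE` for the actual log layout. A non-empty `untrusted_sources` is the signal that the interface is reachable from outside the trusted network and that the isolation step, not only the patch, still needs attention; an `unparsed_lines` count that is most of the file means the regex does not match that log format and the result should not be trusted.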