OpcfoundationCVEs & Vulnerabilities

26 CVEs affecting Opcfoundation products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

ua .net standard stack 9ua-.netstandard 6ua-.net-legacy 5local discovery server 3unified architecture .net-standard 2ua-java 2ua java legacy 1netstandard.opc.ua 1
CVE-2024-42513MEDIUM

Vulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when using HTTPS endpoints.

10 Feb 2025
5.3
CVSS
CVE-2024-42512HIGH

Vulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when the deprecated Basic128Rsa15 security policy is enabled.

10 Feb 2025
8.6
CVSS
CVE-2023-27321HIGH

OPC Foundation UA .NET Standard ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of OPC UA ConditionRefresh requests. By sending a large number of requests, an attacker can consume all available resources on the server. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-20505.

8 May 2024
7.5
CVSS
CVE-2023-31048MEDIUM

The OPC UA .NET Standard Reference Server before 1.4.371.86. places sensitive information into an error message that may be seen remotely.

12 Dec 2023
5.3
CVSS
CVE-2023-32787HIGH

The OPC UA Legacy Java Stack before 6f176f2 enables an attacker to block OPC UA server applications via uncontrolled resource consumption so that they can no longer serve client applications.

15 May 2023
7.5
CVSS
CVE-2022-44725HIGH

OPC Foundation Local Discovery Server (LDS) through 1.04.403.478 uses a hard-coded file path to a configuration file. This allows a normal user to create a malicious file that is loaded by LDS (running as a high-privilege user).

18 Nov 2022
7.8
CVSS
CVE-2022-33916HIGH

OPC UA .NET Standard Reference Server 1.04.368 allows a remote attacker to cause the application to access sensitive information.

23 Aug 2022
7.5
CVSS
CVE-2022-29866HIGH

OPC UA .NET Standard Stack 1.04.368 allows a remote attacker to exhaust the memory resources of a server via a crafted request that triggers Uncontrolled Resource Consumption.

16 Jun 2022
7.5
CVSS
CVE-2022-29864HIGH

OPC UA .NET Standard Stack 1.04.368 allows a remote attacker to cause a server to crash via a large number of messages that trigger Uncontrolled Resource Consumption.

16 Jun 2022
7.5
CVSS
CVE-2022-29863HIGH

OPC UA .NET Standard Stack 1.04.368 allows remote attacker to cause a crash via a crafted message that triggers excessive memory allocation.

16 Jun 2022
7.5
CVSS
CVE-2022-29865HIGH

OPC UA .NET Standard Stack allows a remote attacker to bypass the application authentication check via crafted fake credentials.

16 Jun 2022
7.5
CVSS
CVE-2022-29862HIGH

An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows a remote attackers to cause the application to hang via a crafted message.

16 Jun 2022
7.5
CVSS
CVE-2022-30551HIGH

OPC UA Legacy Java Stack 2022-04-01 allows a remote attacker to cause a server to stop processing messages by sending crafted messages that exhaust available resources.

20 May 2022
7.5
CVSS
CVE-2021-45117MEDIUM

The OPC autogenerated ANSI C stack stubs (in the NodeSets) do not handle all error cases. This can lead to a NULL pointer dereference.

21 Mar 2022
6.5
CVSS
CVE-2021-40142HIGH

In OPC Foundation Local Discovery Server (LDS) before 1.04.402.463, remote attackers can cause a denial of service (DoS) by sending carefully crafted messages that lead to Access of a Memory Location After the End of a Buffer.

27 Aug 2021
7.5
CVSS
CVE-2021-27432HIGH

OPC Foundation UA .NET Standard versions prior to 1.4.365.48 and OPC UA .NET Legacy are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow.

20 May 2021
7.5
CVSS
CVE-2020-29457MEDIUM

A Privilege Elevation vulnerability in OPC UA .NET Standard Stack 1.4.363.107 could allow a rogue application to establish a secure connection.

16 Feb 2021
4.4
CVSS
CVE-2020-8867HIGH

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard 1.04.358.30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to create a denial-of-service condition against the application. Was ZDI-CAN-10295.

23 Apr 2020
7.5
CVSS
CVE-2019-19135HIGH

In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which allows man in the middle attackers to reuse encrypted user credentials sent over the network.

16 Mar 2020
7.4
CVSS
CVE-2018-12087MEDIUM

Failure to validate certificates in OPC Foundation UA Client Applications communicating without security allows attackers with control over a piece of network infrastructure to decrypt passwords.

3 Oct 2018
5.3
CVSS
CVE-2018-12585HIGH

An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can allow remote attackers to trigger a denial of service.

15 Sep 2018
8.2
CVSS
CVE-2018-12086HIGH

Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests.

15 Sep 2018
7.5
CVSS
CVE-2017-12070HIGH

Unsigned versions of the DLLs distributed by the OPC Foundation may be replaced with malicious code.

14 Jun 2018
8.8
CVSS
CVE-2018-7559MEDIUM

An issue was discovered in OPC UA .NET Standard Stack and Sample Code before GitHub commit 2018-04-12, and OPC UA .NET Legacy Stack and Sample Code before GitHub commit 2018-03-13. A vulnerability in OPC UA applications can allow a remote attacker to determine a Server's private key by sending carefully constructed bad UserIdentityTokens as part of an oracle attack.

13 Jun 2018
5.3
CVSS
CVE-2017-17443MEDIUM

OPC Foundation Local Discovery Server (LDS) 1.03.370 required a security update to resolve multiple vulnerabilities that allow attackers to trigger a crash by placing invalid data into the configuration file. This vulnerability requires an attacker with access to the file system where the configuration file is stored; however, if the configuration file is altered the LDS will be unavailable until it is repaired.

13 Jun 2018
6.5
CVSS
CVE-2017-11672HIGH

The OPC Foundation Local Discovery Server (LDS) before 1.03.367 is installed as a Windows Service without adding double quotes around the opcualds.exe executable path, which might allow local users to gain privileges.

13 Jun 2018
7.8
CVSS
← PrevPage 1 / 1Next →