CVE-2020-12510

Beckhoff: Privilege Escalation through TwinCat System

Description

The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon log in of a user. If a less privileged user has a local account he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default Beckhoff’s IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added.

Remediation

Solution:

  • Please consider to choose “C:\Program Files\TwinCAT” during installation of TwinCAT 3.1. If you have installed it already then please uninstall and re-install it with the changed path. Please use the custom installation for this. That will automatically protect the binaries such that they can only be modified by an administrator. Please mind that already installed projects underneath C:\TwinCAT need to be moved. It is recommended to perform a backup of the complete device before such action. For security reasons, please remove the former content of C:\TwinCAT at the end of this sequence. This will also prevent confusion.

Category

7.3
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.21%
Third-Party Advisory vde.com
Affected: Beckhoff TwinCat XAR 3.1
Published at:
Updated at:

References

Link Tags
https://cert.vde.com/en-us/advisories/vde-2020-037 third party advisory

Frequently Asked Questions

What is the severity of CVE-2020-12510?
CVE-2020-12510 has been scored as a high severity vulnerability.
How to fix CVE-2020-12510?
To fix CVE-2020-12510: Please consider to choose “C:\Program Files\TwinCAT” during installation of TwinCAT 3.1. If you have installed it already then please uninstall and re-install it with the changed path. Please use the custom installation for this. That will automatically protect the binaries such that they can only be modified by an administrator. Please mind that already installed projects underneath C:\TwinCAT need to be moved. It is recommended to perform a backup of the complete device before such action. For security reasons, please remove the former content of C:\TwinCAT at the end of this sequence. This will also prevent confusion.
Is CVE-2020-12510 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2020-12510 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-12510?
CVE-2020-12510 affects Beckhoff TwinCat XAR 3.1.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.