Beckhoff's TwinCAT 3.1 Build 4026 software is modularized and is installed with different packages depending on user requirements. These packages are selected and installed using either the command line utility tcpkg or the corresponding graphical user interface called TwinCAT Package Manager. Both use the same configuration that specifies where to load packages from. These locations are called feeds, have preconfigured default settings and can be customized by administrative users, for example to add another local mirror of a package server. When using the TwinCAT Package Manager on a PC, a user with administrative access rights can locally set a specially crafted URL for a feed that causes the TwinCAT Package Manager to execute arbitrary operating system commands.

By default, TwinCAT/BSD-based products have a device-specific web interface for web-based management (WBM) enabled, developed by Beckhoff and known as Beckhoff Device Manager UI. It can be accessed remotely or locally. When accessed locally, the user can bypass input validation by entering specially crafted inputs into the user interface for certain pages, which then allows local commands to be executed with administrative privileges.

By default, TwinCAT/BSD-based products have a device-specific web interface for web-based management (WBM) enabled, developed by Beckhoff and known as Beckhoff Device Manager UI. It can be accessed remotely or locally. When accessed locally, the authentication mechanism for the web interface can be bypassed by any local user, regardless of their permissions, and they can act with administrative access rights via this mechanism.

By default, TwinCAT/BSD-based products have a device-specific web interface for web-based management (WBM) enabled, developed by Beckhoff and known as Beckhoff Device Manager UI. It can be accessed remotely or locally. When accessed locally, a user can post specifically crafted input which then causes a buffer overflow on stack which in turn lets the process “MDPService” crash such that the web interface becomes unavailable until next restart or even execute code in the context of user “root”. 

By default, TwinCAT/BSD-based products have a device-specific web interface for web-based management (WBM) enabled, developed by Beckhoff and known as Beckhoff Device Manager UI. It can be accessed remotely or locally. When accessed locally, a user can post specifically crafted input which then lets the process “MDPWebServer” consume a maximum of CPU cycles and Random Access Memory (RAM).

With TwinCAT/BSD based products the HTTPS request to the Authelia login page accepts user-controlled input that specifies a link to an external site.

By tricking clients of the mentioned products into contacting malicious OPC UA servers and thereby acting as OPC UA clients, a crash of the component can be provoked.

Through specific nodes of the server configuration interface of the TwinCAT OPC UA Server administrators are able to remotely create and delete any files on the system which the server is running on, though this access should have been restricted to specific directories. In case that configuration interface is combined with not recommended settings to allow anonymous access via the TwinCAT OPC UA Server then this kind of file access is even possible for any unauthenticated user from remote.