Critical vulnerabilities in VxWorks system

Filip Pokorný

Aug. 2, 2019

Security researchers have discovered almost a dozen zero-day vulnerabilities in VxWorks, one of the most widely used real-time operating systems (RTOS) for embedded devices, which powers over 2 billion devices across aerospace, defense, industrial, medical, automotive, consumer electronics, networking, and other critical industries. The vulnerabilities are collectively dubbed URGENT/11, as there are 11 in total, 6 of which are critical in severity. They reside in the IPnet TCP/IP networking stack of the RTOS, which has been included in VxWorks since version 6.5, apparently leaving all versions of VxWorks released in the last 13 years vulnerable to device takeover attacks.