CVE-2025-7390
Unknown · OPC.HTTPS Server
A vulnerability in the OPC.HTTPS server implementation allows malicious clients to bypass client certificate trust checks, even when configured for secure-only communication.
Executive summary
A critical authentication bypass in the OPC.HTTPS server allows unauthorized clients to establish secure connections, effectively negating certificate-based security controls.
Vulnerability
The software fails to properly validate the trust chain of client certificates during the handshake process. This allows an unauthenticated attacker to bypass security requirements and interact with the server as if they possessed a trusted certificate.
Business impact
This vulnerability undermines the fundamental security architecture of OPC.HTTPS deployments. With a CVSS score of 9.1, the risk includes unauthorized access to industrial control systems or sensitive process data, potentially leading to operational disruption or unauthorized command execution on critical infrastructure.
Remediation
Immediate Action: Identify all instances of OPC.HTTPS servers within the environment and apply patches provided by the relevant software vendor.
Proactive Monitoring: Monitor server logs for successful connections that should have been rejected due to invalid or untrusted client certificates.
Compensating Controls: Use network-level segmentation to limit communication with the OPC.HTTPS server to only known, authorized IP addresses and devices.
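A sketch of the Proactive Monitoring check above, as an added example that is not part of the original advisory or any vendor tooling: it flags accepted opc.https sessions whose client certificate thumbprint is missing or absent from the trust list. The log format, field names, hosts and thumbprints are constructed assumptions; adapt the parsing to what your server actually writes.

```python
import re

# Constructed sample data: this log format and these thumbprints are
# assumptions for illustration, not the output of any real OPC UA product.
TRUSTED_THUMBPRINTS = {
    "3f9a1c0de4b7a2f5c6d8e9010a1b2c3d4e5f6071",
    "a0b1c2d3e4f5061728394a5b6c7d8e9f00112233",
}

SAMPLE_LOG = """\
2025-01-10T08:00:01Z endpoint=opc.https://hist01:443 peer=10.20.0.15 result=accepted thumbprint=3F:9A:1C:0D:E4:B7:A2:F5:C6:D8:E9:01:0A:1B:2C:3D:4E:5F:60:71
2025-01-10T08:02:44Z endpoint=opc.https://hist01:443 peer=10.20.0.99 result=accepted thumbprint=deadbeef00112233445566778899aabbccddeeff
2025-01-10T08:03:10Z endpoint=opc.https://hist01:443 peer=10.20.0.77 result=rejected thumbprint=1111111111111111111111111111111111111111
2025-01-10T08:05:30Z endpoint=opc.https://hist01:443 peer=10.20.0.42 result=accepted thumbprint=-
2025-01-10T08:06:00Z endpoint=opc.tcp://hist01:4840 peer=10.20.0.50 result=accepted thumbprint=ffffffffffffffffffffffffffffffffffffffff
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def normalize(thumbprint):
    """Lower-case and drop separators so 'AB:CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-f]", "", thumbprint.lower())

def find_suspect_sessions(log_text, trusted):
    """Return accepted opc.https sessions whose client cert is not trusted."""
    trusted = {normalize(t) for t in trusted}
    suspects = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        # Only the HTTPS transport is in scope; rejected sessions are expected.
        if not fields.get("endpoint", "").startswith("opc.https://"):
            continue
        if fields.get("result") != "accepted":
            continue
        tp = normalize(fields.get("thumbprint", ""))
        if not tp:
            reason = "no client certificate recorded"
        elif tp not in trusted:
            reason = "thumbprint not in trust list"
        else:
            continue
        suspects.append({"time": line.split(" ", 1)[0], "peer": fields.get("peer"),
                         "thumbprint": tp or None, "reason": reason})
    return suspects

if __name__ == "__main__":
    for session in find_suspect_sessions(SAMPLE_LOG, TRUSTED_THUMBPRINTS):
        print(session)
```

Any hit is a session the server should have refused, so it is worth correlating with the peer address and the time window before the patch was applied.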
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the potential for unauthorized access to sensitive operational technology, this vulnerability must be addressed urgently. Ensure that all OPC.HTTPS implementations are updated as soon as the vendor releases a fix, and verify that certificate validation is functioning as intended post-patch.