License to Kill: Leveraging License Management to Attack ICS Networks

Claroty researchers have uncovered six critical vulnerabilities in Wibu-Systems’ CodeMeter third-party license management component, which could expose OT environments across numerous industries to exploits via phishing campaigns or direct attacks. Like Ripple20, these vulnerabilities serve as a poignant example of how third-party components can be a significant—yet often overlooked—point of weakness within OT environments.

Adversaries could leverage the discovered vulnerabilities to modify existing software licenses or inject malicious ones, causing devices and processes to crash. These flaws also include serious encryption issues, which could allow attackers to execute code remotely and move laterally on OT networks.

Authored by Sharon Brizinov and Tal Keren, this report offers an in-depth look at:

  • The process through which the Claroty Research Team discovered six critical vulnerabilities in Wibu-Systems’ CodeMeter
  • How these vulnerabilities can be exploited through two distinct attack vectors: via webpage or remote communications
  • The timeline of Claroty disclosing the vulnerabilities to Wibu-Systems and providing follow-up information, such as POCs, enabling the vendor to fix all issues ahead of the ICS-CERT advisory
  • Technical details for each of the discovered vulnerabilities
License to Kill - Leveraging License Management to Attach ICS Networks


For an in-depth look at each of the discovered vulnerabilities and the risks they present to OT environments, join Principle Vulnerability Researcher Sharon Brizinov for an on demand webinar and Q&A. View here.













alex-wong-l5Tzv1alcps-unsplash (1)

Biannual ICS Risk & Vulnerability Report - 1H 2020


Demo - The Claroty Platform



Solution Brief - The Claroty Platform