Security Bulletins


The OPC Foundation publishes security bulletins that affect software that it maintains or distributes. In many cases these bulletins will affect code that OPC vendors incorporate into their products. As a result, vendors will have to patch their products to address the vulnerabilities identified.


When an issue is reported, the OPC Foundation uses the Common Vulnerability Scoring System to rate vulnerability and requests a CVE number from MITRE. Vendors are encouraged to use the CVE number when they publish updates to their products so users can associate a product patch with a vulnerability reported by the OPC Foundation.

When vulnerabilities are reported they are first reviewed by the OPC UA Security WG to determine the best course of action. A notice is sent out to a SDK vendor mailing list that an issue has been reported that may require action on their part. SDK vendors receive advance notice because many OPC products are built with SDKs and addressing a vulnerability requires that the SDKs be updated first. Any OPC Foundation member that wishes to be informed before vulnerabilities are made public should send a request to join the UA Security WG.

After review, the Security WG will set a time line for making the vulnerability public. The time line will depend on the severity of the vulnerability and the time needed by SDK vendors to produce a patch for their products. When a vulnerability is made pubic it will appear on this page with details on where to find updated software. Any member of the public who wishes to receive notifications when new Security Bulletins are released to the public should join the OPC Security Bulletins Google Group.

When a vulnerability is made public, the OPC Foundation will notify MITRE.which means it will be made visible in their database. NIST will also automatically add the CVE to their database.

2017-07-31CVE-2017-12070Security Update for OPC UA .NET Sample Applications4.9 (medium)
2017-07-31CVE-2017-12069Security Update for the OPC UA .NET Sample Code8.2 (high)
2017-07-28CVE-2017-11672Security Update for Local Discovery Services (LDS)4.4 (medium)
2017-12-06CVE-2017-17443Security Update for Local Discovery Services (LDS)4.4 (medium)
2018-04-12CVE-2018-7559Security Update for the OPC UA Stacks5.3 (medium)
2018-09-12CVE-2018-12086Security Update for the OPC UA Stacks7.5 (high)
2018-09-12CVE-2018-12585Security Update for the OPC UA Java and .NET Stack8.2 (high)
2018-09-25CVE-2018-12087Security Update for the OPC UA Client Applications5.3 (medium)
2020-03-10CVE-2019-19135Security Update for the OPC UA .NET and Java Clients7.5 (high)
2020-04-15CVE-2020-8867Security Update for the OPC UA .NET Standard Stack7.5 (high)
2021-03-10CVE-2020-29457Security Update for the OPC UA .NET Standard Stack4.2 (medium)
2021-05-18CVE-2021-27432Security Update for the OPC UA .NET Standard Stack7.5 (high)
2021-05-18CVE-2021-27434Security Update for OPC UA Applications using .NET 4.5.1 or earlier7.2 (high)
2021-09-01CVE-2021-40142Security Update for Local Discovery Server (LDS)7.5 (high)