Infrastructure Briefing — Ripple20 TCP/IP flaws put embedded OT stacks at risk
Treck’s Ripple20 disclosure shows dozens of CVEs in widely embedded TCP/IP stacks that could enable remote code execution or data exposure across medical, industrial, and IoT deployments.
Executive briefing: CISA’s Ripple20 advisory warns that Treck’s embedded TCP/IP stack—also marketed as Kasago, Net+ OS, Kwiknet, and other OEM names—contains more than a dozen flaws. The alert stresses that “successful exploitation of these vulnerabilities may allow remote code execution or exposure of sensitive information,” making it critical for operators to inventory firmware that embeds Treck libraries and prioritize updates.
Immediate actions for plant and OT network owners
- Identify Treck-derived TCP/IP implementations. Work with suppliers to confirm whether field devices, medical gear, or embedded gateways ship with Treck/Kasago/Net+ OS stacks; flag assets that cannot be patched for compensating controls.
- Patch or replace affected firmware. Treck advises customers to “apply the latest version of the affected products” or obtain updated firmware from vendors; many OEMs have published Ripple20 security updates and hotfixes.
- Harden network exposure. Until firmware is remediated, isolate at-risk nodes from the internet and corporate IT networks, restrict inbound traffic to required protocols, and enable deep packet inspection to spot malformed IPv4/IPv6, DHCP, DNS, or ARP traffic associated with CVE-2020-11896 through CVE-2020-11914.
Strategic follow-through
- Vendor assurance. Require OEMs to attest to Treck dependency and provide patch availability dates; track remediation status across medical, manufacturing, and building automation fleets.
- Change-management guardrails. Because several CVEs carry CVSS scores of 9.0–10.0, schedule maintenance windows for high-availability systems and validate rollback plans before deploying stack updates.
- Detection engineering. Add network signatures that catch length-parameter inconsistencies in IPv4/IPv6 and malformed DHCP/DNS packets that Treck notes can trigger RCE or information disclosure.
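The length-consistency checks named in the detection engineering item, as an added example (not code from CISA, Treck, or this briefing): a Python validator for raw IPv4 packets that flags disagreement among IHL, IP total length, UDP length, and the inner length of IP-in-IP traffic. The function names, finding strings, and sample packets are constructed for illustration, and the input is assumed to start at the IPv4 header with no link-layer framing.

```python
import struct

def ipv4_findings(pkt, inner=False, depth=0):
    """Length-consistency findings for one raw IPv4 packet (no link-layer header)."""
    if len(pkt) < 20:
        return ["truncated IPv4 header"]
    ver_ihl, _tos, total_len, _id, frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        return ["not IPv4"]
    hdr_len = (ver_ihl & 0x0F) * 4
    if hdr_len < 20 or hdr_len > len(pkt):
        return ["IHL outside valid header bounds"]
    if total_len < hdr_len:
        return ["total length smaller than header length"]
    out = []
    if total_len > len(pkt):
        out.append("total length exceeds captured bytes")
    elif inner and total_len != len(pkt):
        # Outer packets may carry link-layer padding; a tunnelled packet should not.
        out.append("total length disagrees with enclosing payload")
    payload = pkt[hdr_len:min(total_len, len(pkt))]
    fragmented = bool(frag & 0x3FFF)  # MF flag set or non-zero fragment offset
    if proto == 17 and not fragmented and len(payload) >= 8:
        udp_len = struct.unpack("!H", payload[4:6])[0]
        if udp_len < 8 or udp_len != len(payload):
            out.append("UDP length disagrees with IP payload")
    elif proto == 4 and not fragmented:  # IP-in-IP encapsulation
        if depth >= 2:
            out.append("IP-in-IP nested deeper than 2 levels")
        else:
            out += ["inner: " + f for f in ipv4_findings(payload, True, depth + 1)]
    return out

def build(proto, payload, total_len=None):  # constructed packet, 20-byte header
    total = total_len or 20 + len(payload)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload
def udp(data, length=None):  # constructed UDP datagram, checksum left at zero
    return struct.pack("!HHHH", 40000, 53, length or 8 + len(data), 0) + data

SAMPLES = {  # constructed packets using documentation addresses only
    "clean_udp": build(17, udp(b"query")),
    "udp_len_mismatch": build(17, udp(b"query", length=400)),
    "ip_total_len_overrun": build(17, udp(b"query"), total_len=1500),
    "tunnel_inner_mismatch": build(4, build(17, udp(b"query"), total_len=32)),
}

for name, pkt in SAMPLES.items():
    print(name, ipv4_findings(pkt) or "consistent")
```

Fragmented packets are skipped for the UDP and tunnel checks because their payload length cannot be judged before reassembly; a production sensor would run these checks after defragmentation.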
Source excerpts
Primary — exploitation impact: “Successful exploitation of these vulnerabilities may allow remote code execution or exposure of sensitive information.”
CISA ICSA-20-168-01 (Treck TCP/IP Stack — Ripple20)
Primary — vendor guidance: “Treck recommends users apply the latest version of the affected products… Additional vendors affected by the reported vulnerabilities have also released security advisories.”
CISA ICSA-20-168-01 (Treck TCP/IP Stack — Ripple20)