CVE-2020-8867
Description
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard 1.04.358.30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to create a denial-of-service condition against the application. Was ZDI-CAN-10295.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated remote attacker can cause a denial-of-service in OPC UA .NET Standard due to missing locking in session handling.
Vulnerability
Analysis
CVE-2020-8867 is a denial-of-service vulnerability in the OPC Foundation UA .NET Standard, specifically in version 1.04.358.30. The flaw resides in the way the software handles sessions. The root cause is a race condition due to the lack of proper locking when performing operations on an object, leading to undefined behavior when concurrent requests are processed [1][3].
Attack
Vector
An attacker can exploit this vulnerability remotely without any authentication. By sending crafted requests that trigger the race condition during session creation or management, the attacker can cause the application to crash or become unresponsive. No special privileges or user interaction are required [1][3].
Impact
Successful exploitation results in a denial-of-service condition, rendering the OPC UA server unavailable. This can disrupt industrial control systems or other critical infrastructure that relies on the OPC UA protocol for machine-to-machine communication [1][3].
Mitigation
The vulnerability has been patched in version 1.4.359.31, released shortly after disclosure. Users are strongly advised to update to this or a later version. The issue was discovered through the Zero Day Initiative (ZDI-20-536) and has no known workarounds [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
OPCFoundation.NetStandard.Opc.UaNuGet | < 1.4.359.31 | 1.4.359.31 |
Affected products
2- OPC Foundation/UA .NET Standardv5Range: 1.04.358.30
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- github.com/advisories/GHSA-9q94-v7ch-mxqwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-8867ghsaADVISORY
- github.com/OPCFoundation/UA-.NETStandard/releases/tag/1.4.359.31ghsaWEB
- opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2020-8867.pdfghsax_refsource_MISCWEB
- www.zerodayinitiative.com/advisories/ZDI-20-536ghsaWEB
- www.zerodayinitiative.com/advisories/ZDI-20-536/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.