Ripple20 Exploits: 19 Critical Vulnerabilities Threatening IoT/OT Devices Worldwide

Cybersecurity researchers from JSOF have released a comprehensive list of 19 critical vulnerabilities, collectively known as Ripple20, that target the Treck TCP/IP stack. This stack is embedded in millions of devices across healthcare, transportation, manufacturing, telecoms, and energy sectors, meaning the potential impact spans a vast array of critical infrastructures.

Ripple20 mirrors the 2019 Urgent/11 flaws that affected Interpeak’s TCP/IP stack. Like Urgent/11, the new issues enable remote code execution and denial‑of‑service (DoS) attacks. Major vendors—including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter—have already confirmed exposure to these weaknesses.

While Cisco’s industrial IoT portfolio, such as Cyber Vision and the ISA3000 appliance, is not affected by Ripple20, Cisco acknowledges that a subset of its products may be vulnerable. The company’s advisory—available here—provides detailed guidance. Cisco’s Cyber Vision, coupled with Talos‑generated Snort signatures, can detect and help remediate Ripple20 threats in your network.

Treck, founded in 1997, delivers optimized protocol stacks for real‑time embedded systems. The stack is distributed as source code, allowing vendors to cherry‑pick and tailor protocol layers to fit memory‑constrained IoT devices. This flexibility, however, can obscure the presence of Treck components in final products, complicating vulnerability identification, especially after corporate acquisitions.

Historically, Treck collaborated with the Japanese firm Elmic System (now Zuken Elmic), producing parallel TCP/IP stacks for the U.S. and Asian markets. Several Ripple20 vulnerabilities also affect the Zuken Elmic stack.

Act Now: Address Ripple20’s Highest‑Risk Flaws

Among the 19 issues, four are rated critical (CVSS >9). These pose the greatest threat, enabling attackers to execute arbitrary code, launch DoS attacks, or exfiltrate sensitive data. The most severe, CVE‑2020‑11901, can be triggered by a crafted DNS response to a device’s request, leading to remote code execution. Because DNS traffic typically exits the network, attackers can intercept it with relative ease, and the exploit packets comply with standard RFCs, making firewall detection challenging.

For a full list of vulnerabilities and technical details, visit the JSOF website here.

Detect Ripple20 in Your IoT/OT Environment

JSOF estimates that billions of devices may be affected, as many vendors embed portions of the Treck stack. The CISA Industrial Control Systems Cyber Emergency Response Team (ICS‑CERT) has published an evolving list of impacted vendors here. While vendor advisories continue to surface, proactive steps can help you identify and mitigate risks.

Cisco Cyber Vision automatically maps your industrial network, builds a detailed asset inventory, and highlights known vulnerabilities—including Ripple20. The knowledge base is regularly updated and is free for all Cyber Vision customers. We recommend downloading the latest version here if you haven’t already.

Given the nature of Ripple20 and the challenges of patching legacy devices, you should also consider complementary defensive measures.

Immediate Protective Actions

Deploy intrusion detection systems (IDS) that leverage Cisco Talos Snort rules to flag exploitation attempts. Cisco Cyber Vision can integrate these rules, while the ISA3000 appliance offers IDS plus real‑time blocking capabilities in a rugged, on‑site format.

The ISA3000 excels at network segmentation, isolating devices that should not communicate directly, thereby containing potential breaches.

JSOF recommends additional mitigations that can be enforced with the ISA3000, such as blocking IP fragmentation, IP‑in‑IP tunneling, malformed TCP packets, unused ICMP messages, and restricting DHCP or other unnecessary protocols.

For more information on safeguarding your industrial network, explore the IoT Security Hub or contact Cisco to discuss tailored solutions for your IoT/OT environment.