When major vulnerabilities show up in ubiquitous operating systems like Microsoft Windows, they can be weaponized and exploited, the fallout potentially impacting millions of devices. Today, researchers from the enterprise security firm Armis are detailing just such a group of vulnerabilities in a popular operating system that runs on more than 2 billion devices worldwide. But unlike Windows, iOS, or Android, this OS is one you've likely never heard of. It's called VxWorks.

VxWorks is designed as a secure, "real-time" operating system for continuously functioning devices, like medical equipment, elevator controllers, or satellite modems. That makes it a popular choice for Internet of Things and industrial control products. But Armis researchers found a cluster of 11 vulnerabilities in the platform's networking protocols, six of which could conceivably give an attacker remote access to a device and let worm-style malware spread itself to other VxWorks devices around the world. Roughly 200 million devices appear to be vulnerable; the bugs have been present in most versions of VxWorks going back to version 6.5, released in 2006.

Think of how the WannaCry ransomware used the EternalBlue Windows vulnerability to spread across networks and around the world. It's like that, but with firewalls, industrial equipment, and medical devices instead of Windows machines. The result could be anything from device malfunctions to full system takedowns.

VxWorks developer Wind River is in the process of distributing patches for the bugs. But the Armis researchers, who first disclosed their findings to Wind River in March, say that the patching process will be long and difficult, as is often the case with IoT and critical infrastructure updates. The researchers will present their findings at the Black Hat security conference in Las Vegas next week.

"Finding a vulnerability in the network layer means it would affect any device that is using this operating system and that has networking capabilities," says Ben Seri, vice president of research at Armis. "It's like the holy grail of vulnerability research, finding something in that layer."

The vulnerabilities, collectively dubbed Urgent/11, are surprising in two ways. First, their presence in the operating system's network protocols—the "TCP/IP stack," which lets devices connect to networks like the internet—is unusual. Researchers and hackers discovered a number of bugs and worms in these protocol implementations in the 1990s, but since then the security of this foundational component has been largely standardized industry-wide. Second, it is relatively rare in general to find security vulnerabilities, particularly critical ones, in VxWorks. And while the vulnerabilities have a very broad reach, both Armis and Wind River emphasized to WIRED that they are not present in the latest version of VxWorks or in Wind River's "certification" versions, like VxWorks 653 and VxWorks Cert Edition. This means that critical infrastructure settings like nuclear power plants are not vulnerable.

"Not all vulnerabilities apply to all impacted versions. To date, there is no indication the Urgent/11 vulnerabilities have been exploited in the wild," Wind River said in a statement. "Those impacted make up a small subset of our customer base, and primarily include enterprise devices located at the perimeter of organizational networks that are internet-facing such as modems, routers, and printers, as well as some industrial and medical devices. Organizations deploying devices with VxWorks should patch impacted devices immediately."


Wind River has been working with customers to distribute the patch for almost two months now. But the nature of VxWorks devices—they typically run continuously, and often depend on customized software that requires a tailored patching process—makes it challenging to implement a fix.

"VxWorks is used so pervasively that there's going to be a very long tail of patching," says Michael Parker, Armis' chief marketing officer. "It's things like firewalls or robotic arms, or think about patient monitors and medical equipment. They have to basically create a whole new operating system and get FDA approval. You can't just shut down a product line and do these updates."