Published Date: February 15, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: 9.0/10
The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency and all business environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product |
First Known in software version |
Corrected in software version |
FactoryTalk® Service Platform |
<v2.74 |
Update to V2.74 or later |
SECURITY ISSUE DETAILS
Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following security issues.
CVE-2024-21915 IMPACT
A privilege escalation security issue exists in FactoryTalk® Service Platform (FTSP). A threat actor with basic user group privileges could sign into the software and receive FTSP Administrator Group privileges. A threat actor could then read and modify sensitive data, delete data and render the FTSP system unavailable.
CVSS Base Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:CC:H/I:H/A:H
CWE: CWE-279: Incorrect Execution-Assigned Permissions
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.
Customers using the affected software that cannot upgrade to the corrected versions should use mitigations and security best practices
ADDITIONAL RESOURCES
- Patch: Incorrect user groups returned from FactoryTalk® Web Service, FactoryTalk® Services Platform 2.74
- JSON CVE-2024-21915
Glossary
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Privilege escalation: cyberattack technique where an attacker gains unauthorized access to higher-level privileges within a system, allowing them to perform actions that are typically restricted.
