Loading

FactoryTalk® Service Platform Elevated Privileges Vulnerability Through Web Service Functionality

Severity:
Critical
Advisory ID:
SD1662
Data pubblicazione:
February 14, 2024
Ultimo aggiornamento:
December 04, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2024-21915
Download
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
Riepilogo
FactoryTalk® Service Platform Elevated Privileges Vulnerability Through Web Service Functionality

Published Date: February 15, 2024
Last updated:  August 5, 2025 
Revision Number: 1.0
CVSS Score: 9.0/10

The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency and all business environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

FactoryTalk® Service Platform

             <v2.74

Update to V2.74 or later


SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following security issues.

CVE-2024-21915 IMPACT

A privilege escalation security issue exists in FactoryTalk® Service Platform (FTSP). A threat actor with basic user group privileges could sign into the software and receive FTSP Administrator Group privileges. A threat actor could then read and modify sensitive data, delete data and render the FTSP system unavailable.

CVSS Base Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:CC:H/I:H/A:H
CWE: CWE-279: Incorrect Execution-Assigned Permissions

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Mitigations and Workarounds

Customers using the affected software that cannot upgrade to the corrected versions should use mitigations and security best practices

  • Security Best Practices

ADDITIONAL RESOURCES

  • Patch: Incorrect user groups returned from FactoryTalk® Web Service, FactoryTalk® Services Platform 2.74
  • JSON CVE-2024-21915

Glossary

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Privilege escalation: cyberattack technique where an attacker gains unauthorized access to higher-level privileges within a system, allowing them to perform actions that are typically restricted.

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Home Rockwell Automation Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust Center Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
Aggiorna le tue preferenze sui cookie per continuare.
Questa funzionalità richiede i cookie per migliorare la tua esperienza. Ti preghiamo di aggiornare le tue preferenze per consentire questi cookie:
  • Cookie dei social media
  • Cookie funzionali
  • Cookie di prestazione
  • Cookie di marketing
  • Tutti i cookie
Puoi aggiornare le tue preferenze in qualsiasi momento. Per ulteriori informazioni consultare il nostro {0} politica sulla riservatezza
CloseClose