Rockwell Automation FactoryTalk EnergyMetrix Vulnerabilities
Act Now | 7.3 | ICS-CERT ICSA-16-173-03 | Mar 25, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
FactoryTalk EnergyMetrix versions 2.10.00 and earlier contain SQL injection (CWE-89) and improper input validation (CWE-613) vulnerabilities. An unauthenticated remote attacker can send malformed HTTP requests to execute arbitrary SQL queries against the application database, allowing unauthorized data access or modification of energy records and operational parameters. The vendor has not released a patched version.
What this means
What could happen
An unauthenticated attacker with network access could view sensitive energy data or modify utility operating parameters through SQL injection and insecure request handling in the FactoryTalk EnergyMetrix application.
Who's at risk
Electric utilities, energy service providers, and facility managers using FactoryTalk EnergyMetrix for energy consumption monitoring and billing. This includes distribution operators, control room staff, and system administrators responsible for energy data integrity and utility billing accuracy.
How it could be exploited
An attacker on the network sends crafted HTTP requests containing SQL injection payloads to FactoryTalk EnergyMetrix. The application fails to properly validate input and sanitize SQL commands, allowing the attacker to execute arbitrary database queries to read energy consumption data, billing information, or alter operational setpoints.
Prerequisites
- Network access to FactoryTalk EnergyMetrix HTTP/HTTPS port (typically 80 or 443)
- No authentication required
Remotely exploitable · No authentication required · Low complexity · No patch available · High EPSS score (21%) · Affects utility operations
Exploitability
High exploit probability (EPSS 21.0%)
Affected products (1)
Product | Affected Versions | Fix Status
FactoryTalk EnergyMetrix: <=2.10.00 | ≤ 2.10.00 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate FactoryTalk EnergyMetrix on a protected network segment and restrict network access to only authorized users and systems using firewall rules
HARDENING: Implement input validation and web application firewall (WAF) rules to block SQL injection patterns targeting the application
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Monitor network traffic to and from FactoryTalk EnergyMetrix for suspicious SQL commands or unusual data access patterns
Long-term hardening
WORKAROUND: Evaluate migration to a patched or supported energy management system, as the vendor has not released a fix for FactoryTalk EnergyMetrix version 2.10.00 and earlier
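A way to act on the isolation and monitoring items above is to review the web server's access log for requests that come from outside the authorized segment or carry SQL syntax in their parameters. The script below is an added example, not vendor or advisory code; the log layout (`source method url status`), the `/report.aspx` path, the parameter names and the authorized subnet are assumptions made for illustration, and the log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: the only subnet allowed to reach the EnergyMetrix web port (placeholder).
AUTHORIZED_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# Patterns checked against the URL-decoded query string.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\b", re.I),         # quote followed by boolean logic
    re.compile(r"\bunion\b.+\bselect\b", re.I),  # UNION-based extraction
    re.compile(r";\s*(select|insert|update|delete|drop|exec)\b", re.I),  # stacked query
    re.compile(r"--|/\*"),                       # comment used to cut off the original query
]

# Constructed sample lines in an assumed "source method url status" layout.
SAMPLE_LOG = [
    "10.20.30.15 GET /report.aspx?meter=12&from=2016-03-01 200",
    "10.20.30.15 GET /report.aspx?meter=12%27+OR+%271%27%3D%271 200",
    "192.0.2.44 GET /report.aspx?meter=12 200",
    "192.0.2.44 GET /report.aspx?meter=12%2527%2520UNION%2520SELECT%2520name%2520FROM%2520sys.tables 500",
]

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded input (%2527) is seen as it would be parsed."""
    for _ in range(rounds):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value

def inspect(line):
    """Return the reasons a log line deserves review (empty list if none)."""
    src, _method, url, _status = line.split()
    reasons = []
    if not any(ipaddress.ip_address(src) in net for net in AUTHORIZED_NETS):
        reasons.append("source outside authorized segment")
    query = decode(urlsplit(url).query)
    if any(p.search(query) for p in SQLI_PATTERNS):
        reasons.append("SQL syntax in request parameters")
    return reasons

def scan(lines):
    """Return (line, reasons) for every line that was flagged."""
    return [(l, r) for l in lines if (r := inspect(l))]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print("; ".join(reasons), "->", line)
```

Access logs normally record only the URL, so parameters sent in POST bodies need inspection at a WAF or proxy instead.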
CVEs (2)
API:
/api/v1/advisories/6d006ca6-f6c3-4edb-ba99-0bb0f00a33e8