Rockwell Automation FactoryTalk View SE

Act NowCVSS 9ICS-CERT ICSA-20-170-05Jun 18, 2020

Rockwell Automation

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

FactoryTalk View SE contains multiple vulnerabilities that allow authenticated attackers to manipulate data in the HMI application. CVE-2020-12029 and CVE-2020-12031 involve input validation and buffer overflow flaws (CWE-20, CWE-119). CVE-2020-12028 and CVE-2020-12027 involve improper access controls and information disclosure (CWE-285, CWE-200) that allow unauthorized data modification and viewing. An attacker with valid credentials or local system access to a FactoryTalk View SE workstation can exploit these flaws to alter process data, displays, and logs without authorization. Successful exploitation could affect operator situational awareness, production records, and system integrity.

What this means

What could happen

An authenticated attacker with local access to a FactoryTalk View SE workstation could manipulate data and process variables in the HMI, potentially altering operator displays, process setpoints, or production logs without authorization.

Who's at risk

Rockwell Automation FactoryTalk View SE operators and engineers should prioritize patching. This HMI software is critical for process monitoring and control in manufacturing, food and beverage, chemical processing, and utility automation environments. All versions are affected, making this a broad risk across sites using this widely deployed application.

How it could be exploited

An attacker with valid credentials on a FactoryTalk View SE workstation can use input validation flaws (CWE-20) and buffer overflow vulnerabilities (CWE-119) to modify data in memory or exploit weak access controls (CWE-285) to escalate privileges and manipulate application data. The attacker must have local or authenticated remote access to the affected workstation running FactoryTalk View SE.

Prerequisites

Valid FactoryTalk View SE user credentials or local system access
Access to a workstation running an affected version of FactoryTalk View SE
Ability to interact with the FactoryTalk View SE application interface or underlying system

High EPSS score (29.9%)Requires valid credentials but local/authenticated access onlyAffects data integrity and process visibilityAll versions vulnerableMultiple vulnerabilities (CWE-20, CWE-119, CWE-285, CWE-200)

Exploitability

Likely to be exploited — EPSS score 29.9%

Metasploit module available — weaponized exploitView module ↗

Affected products (1)

ProductAffected VersionsFix Status

FactoryTalk View SE: All versionsAll versionspatch rollup 1066644 (06 Apr 2020+) plus patches 1126289 and 1126290

Remediation & Mitigation

0/5

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

HOTFIXApply patch 1126289 (with prerequisite rollup 1066644 dated 06 Apr 2020 or later) for CVE-2020-12029

HOTFIXApply patch 1126290 (with prerequisite rollup 1066644 dated 06 Apr 2020 or later) for CVE-2020-12031

HARDENINGEnable IPSec within FactoryTalk View SE per knowledge base article 109056 to protect data in transit for CVE-2020-12028

HARDENINGEnable HTTPS within FactoryTalk View SE per knowledge base article 1126943 to protect data in transit for CVE-2020-12027

HARDENINGRestrict local and remote access to FactoryTalk View SE workstations to authorized operators and engineers only

CVEs (4)

CVE-2020-12029 CVE-2020-12031 CVE-2020-12028 CVE-2020-12027

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1912f35f-aaaa-4e3c-b45e-4cbb95e037f3

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.