Rockwell Automation FactoryTalk View SE

Plan Patch8.8ICS-CERT ICSA-20-177-03Jun 25, 2020

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

FactoryTalk View SE versions 10 and earlier contain improper credential handling and data storage vulnerabilities in the DeskLock feature. These vulnerabilities allow an attacker with local access to read protected configuration data and bypass authentication mechanisms that control access to engineering parameters and process setpoints. The vulnerabilities are not remotely exploitable and no known public exploits currently exist.

What this means

What could happen

An attacker with local access to a FactoryTalk View SE server could read sensitive engineering data, modify system configurations, or disrupt control system operations by exploiting improper data handling and weak credential storage.

Who's at risk

Water and electric utilities operating Rockwell Automation FactoryTalk View SE SCADA/HMI systems, particularly those running version 10 or earlier. This affects engineering workstations and operator servers that use FactoryTalk's DeskLock feature for credential management and system access control.

How it could be exploited

An attacker must gain local access to the FactoryTalk View SE server (e.g., via physical access, compromised user account, or lateral movement from another system). Once local, they can exploit the DeskLock credential storage vulnerability to access encrypted data or bypass authentication controls that protect engineering configurations and operational parameters.

Prerequisites

Local access to the FactoryTalk View SE server
User-level or higher privileges on the server operating system
DeskLock service running on the affected version

Local access required onlyLow attack complexityNo patch available for version 10Affects authentication and data protection mechanisms

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (2)

2 pending

ProductAffected VersionsFix Status

FactoryTalk View SE:10No fix yet

FactoryTalk View SE:≤ 9.0No fix yet

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGRestrict physical and logical access to FactoryTalk View SE servers; limit local account logins to authorized engineering and administration personnel

HARDENINGIsolate FactoryTalk View SE servers from the business network and the Internet using firewalls and network segmentation

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate FactoryTalk View SE to version 10.0 or later if available for your system

Long-term hardening

0/2

HARDENINGImplement host-based access controls (e.g., Windows Group Policy, AppLocker) to restrict execution of unexpected applications on FactoryTalk View SE servers

HARDENINGMonitor and audit local login activity and credential use on FactoryTalk View SE servers to detect compromise

CVEs (2)

CVE-2020-14480 CVE-2020-14481

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8c6d77ef-e4c9-4067-b5be-ccd9bacd497a