Rockwell Automation FactoryTalk AssetCentre

Act Now10ICS-CERT ICSA-21-091-01Apr 1, 2021

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

FactoryTalk AssetCentre versions 10.00 and earlier contain multiple vulnerabilities (CWE-502 insecure deserialization, CWE-676 unsafe function use, CWE-78 OS command injection, CWE-89 SQL injection) that allow unauthenticated remote attackers to execute arbitrary commands, inject SQL, or achieve remote code execution. These vulnerabilities affect asset management and control system integration across manufacturing and utility operations. Rockwell Automation recommends upgrading to version 11 or later. Organizations unable to upgrade should implement IPsec and use built-in security features per QA46277.

What this means

What could happen

An unauthenticated attacker with network access to FactoryTalk AssetCentre could execute arbitrary commands or SQL injection attacks, potentially allowing them to modify or delete asset data, disrupt manufacturing operations, or gain control over connected industrial equipment.

Who's at risk

Manufacturing plants and utilities using FactoryTalk AssetCentre v10 or earlier for asset management and control system integration should prioritize this update. This affects any organization running Rockwell Automation FactoryTalk infrastructure for PLCs, drives, and networked industrial devices.

How it could be exploited

An attacker sends a specially crafted network request to the FactoryTalk AssetCentre service on port 443 or its configured port. The request exploits command injection, SQL injection, or deserialization flaws (CWE-502, CWE-78, CWE-89) without requiring authentication. If successful, the attacker executes arbitrary commands with the privileges of the AssetCentre service process, which typically runs with elevated permissions in the control system network.

Prerequisites

Network access to FactoryTalk AssetCentre service port (default 443)
No valid credentials required

remotely exploitableno authentication requiredlow complexitycritical severity (CVSS 10.0)arbitrary command executionSQL injectionno patch available for v10 and earlier

Exploitability

Low exploit probability (EPSS 0.4%)

Affected products (1)

ProductAffected VersionsFix Status

FactoryTalk AssetCentre: v10.00 and earlier≤ 10.00v11 or later

Remediation & Mitigation

0/4

Do now

0/3

WORKAROUNDIf upgrade cannot be performed immediately, enable built-in security features in FactoryTalk AssetCentre and follow guidance in QA46277

HARDENINGConfigure IPsec to restrict network access to FactoryTalk AssetCentre and limit client connections to authorized engineering workstations and servers only

HARDENINGReview and restrict network access to FactoryTalk AssetCentre port using firewall rules to only authorized hosts

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade FactoryTalk AssetCentre to version 11 or later

CVEs (9)

CVE-2021-27462 CVE-2021-27466 CVE-2021-27470 CVE-2021-27474 CVE-2021-27476 CVE-2021-27472 CVE-2021-27468 CVE-2021-27464 CVE-2021-27460

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/675d65a2-4190-44f2-be25-a5cf8aa619e7