OTPulse

Rockwell Automation Connected Components Workbench

Plan Patch | CVSS 8.6 | ICS-CERT ICSA-21-133-01 | May 13, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Connected Components Workbench versions 12.00.00 and prior contain multiple vulnerabilities including insecure deserialization (CWE-502), path traversal (CWE-22), and improper input validation (CWE-20) that could allow remote code execution, authentication bypass, or privilege escalation when opening untrusted project files (.ccwarc). Successful exploitation could allow an attacker to run arbitrary code on engineering workstations with the privileges of the logged-in user.

What this means
What could happen
An attacker could gain remote code execution on engineering workstations running Connected Components Workbench, allowing modification of PLC and motion controller configurations that control industrial processes. This could result in altered setpoints, unauthorized equipment operation, or complete loss of control over connected machinery.
Who's at risk
Industrial automation engineers and technicians at water utilities, power plants, and manufacturers who use Rockwell Automation PLCs and motion controllers. The primary concern is engineering workstations running Connected Components Workbench to program and configure programmable logic controllers (PLCs) and coordinated motion controllers.
How it could be exploited
An attacker could craft a malicious .ccwarc project file and deliver it to an engineer via email or file sharing. When the engineer opens the file in Connected Components Workbench, the attacker's code executes with the privileges of the user running the application, allowing configuration changes to any connected PLCs or controllers.
Prerequisites
  • User must have Connected Components Workbench v12.00.00 or earlier installed
  • User must open a malicious .ccwarc project file
  • Connected to or able to reach networked PLCs or motion controllers
  • No authentication required to exploit (opens with trusted file)
  • Local privilege required for code execution (workstation access)
  • User interaction required (must open malicious file)
  • High attack complexity mitigation (social engineering needed)
  • Affects engineering/control systems configuration
  • No patch available (vendor recommends upgrade to new major version)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
Connected Components Workbench: v12.00.00 and prior | ≤ 12.00.00 | v13.00.00 or later
Remediation & Mitigation
Do now
  • WORKAROUND: Run Connected Components Workbench as a standard user account, not as Administrator
  • HARDENING: Do not open .ccwarc files from untrusted sources; implement email filtering to block or flag suspicious project files
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update Connected Components Workbench to v13.00.00 or later
  • HARDENING: Conduct user training on recognizing phishing and social engineering attacks targeting project files
Rockwell Automation Connected Components Workbench | CVSS 8.6 - OTPulse