Emerson DeltaV

Plan Patch8.1ICS-CERT ICSA-21-355-04Dec 21, 2021

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

Emerson DeltaV Distributed Control System Controllers and Workstations contain privilege escalation and code execution vulnerabilities (CWE-306, CWE-427) affecting all versions. Successful exploitation could allow an attacker to achieve local privilege escalation or restart a controller, resulting in denial-of-service condition. Software patches are available through the Guardian Support Portal for DeltaV versions 13.3.1, 14.LTS, 14.FP1, 14.FP2, and R6.

What this means

What could happen

An attacker with local access to a DeltaV workstation or controller could escalate privileges and restart the device, causing temporary loss of control system visibility and process interruption. Controller restarts could disrupt water treatment processes, power generation, or other critical operations depending on how the DCS is configured.

Who's at risk

Water authorities and municipal electric utilities running Emerson DeltaV Distributed Control Systems are affected, including operators of water treatment plants, wastewater systems, and power generation facilities. Both engineering workstations and control system controllers are vulnerable across all versions. Any facility using DeltaV for SCADA or process automation should assess their exposure.

How it could be exploited

An attacker must gain local access to a DeltaV workstation or controller—either by physical proximity or through a prior compromise. Once local access is obtained, the attacker can exploit the privilege escalation vulnerability to gain higher-level permissions, then trigger a restart or execute commands that crash the controller. This requires interactive access and user action to complete exploitation.

Prerequisites

Local access to DeltaV controller or engineering workstation
Unprivileged user account on the target system
User interaction (UI:R - requires user to click or interact)

Affects all versions—no version is safeLow complexity to exploitImpacts critical control system (DCS)Can cause denial-of-service via controller restartAffects both controllers and workstations

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (1)

ProductAffected VersionsFix Status

DeltaV Distributed Control System Controllers and Workstations: All versionsAll versionsSee patch versions 13.3.1, 14.LTS, 14.FP1, 14.FP2, and R6 from Guardian Support Portal

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGRestrict local access to DeltaV engineering workstations to authorized personnel only; use physical security and access controls

HARDENINGIsolate DeltaV controllers and engineering workstations from the business network using network segmentation and firewalls

HARDENINGEnsure DeltaV systems are not accessible from the Internet; disable unnecessary remote access paths

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply vendor patch from Guardian Support Portal (Knowledge Base Article NK-2100-0497 DSN21008) for DeltaV versions 13.3.1, 14.LTS, 14.FP1, 14.FP2, and R6

Long-term hardening

0/2

HARDENINGIf remote access is required, use secure VPN solutions and keep VPN software updated to the latest version

HARDENINGReview DeltaV Security Manual (available in Guardian Support Portal) and apply recommended deployment and configuration practices

CVEs (2)

CVE-2021-26264 CVE-2021-44463

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/38a2f0e1-b7db-4324-931d-919ff4e7d66d