Rockwell Automation ISaGRAF Workbench

Plan Patch8.6ICS-CERT ICSA-22-202-03Jul 21, 2022

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

ISaGRAF Workbench versions 6.0 through 6.6.9 contain directory traversal and unsafe deserialization vulnerabilities (CWE-22, CWE-502) in file handling. Exploitation requires a user to open a malicious .7z exchange file, which could allow arbitrary code execution with the privileges of the logged-in user. No known public exploits exist. The vulnerabilities are not remotely exploitable.

What this means

What could happen

An attacker who tricks an operator into opening a malicious file could execute arbitrary code on the engineering workstation running ISaGRAF Workbench, potentially allowing them to modify PLC programs, alter control logic, or disrupt automation system configuration and deployment.

Who's at risk

Engineering personnel and automation technicians who use ISaGRAF Workbench to develop, configure, and deploy control logic for industrial automation systems. This tool is commonly used in water treatment, wastewater, power generation, and manufacturing environments where PLC and automation system engineering is performed.

How it could be exploited

An attacker crafts a malicious .7z file (ISaGRAF exchange format) and tricks an operator into opening it in ISaGRAF Workbench via phishing or social engineering. The vulnerability in file handling allows the attacker to traverse directories and execute code with the permissions of the logged-in user. If the workstation is running as administrator, the attacker gains full system control.

Prerequisites

User interaction required: operator must open a malicious .7z file in ISaGRAF Workbench
Attacker must be able to deliver the malicious file via email, file share, or other means
ISaGRAF Workbench version 6.0 through 6.6.9 must be installed

Directory traversal vulnerabilityPrivilege escalation possible if workstation runs as administratorUser interaction required (lowers immediate risk)Affects engineering workstations which control system configuration and deployment

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

ISaGRAF Workbench:≥ 6.0 | ≤ 6.6.96.6.10

Remediation & Mitigation

0/7

Do now

0/2

HARDENINGRun ISaGRAF Workbench as a standard user instead of administrator to limit damage if code is executed

WORKAROUNDDo not open untrusted .7z exchange files with ISaGRAF Workbench

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate ISaGRAF Workbench to version 6.6.10 or later

HARDENINGDeploy application allow-listing (such as Microsoft AppLocker) to restrict execution of unsigned or unauthorized applications

HARDENINGConduct user training on phishing and social engineering tactics to reduce the likelihood of users opening malicious files

Long-term hardening

0/2

HARDENINGEnsure workstation firewall rules restrict network access to ISaGRAF Workbench systems from untrusted networks

HARDENINGIsolate engineering workstations from business networks and the Internet

CVEs (3)

CVE-2022-2463 CVE-2022-2464 CVE-2022-2465

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f10aa673-64b7-43f4-9e16-1ce99197f383