Rockwell Automation Modbus TCP AOI Server

Monitor5.3ICS-CERT ICSA-23-075-07Mar 31, 2023

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Modbus TCP Server AOI in Rockwell Automation versions 2.00 and 2.03 contains an information disclosure vulnerability. Successful exploitation allows an unauthorized user to read the Modbus TCP Server AOI configuration and data without authentication. The vulnerability has been resolved in AOI version 2.04.00 and later.

What this means

What could happen

An attacker could read sensitive Modbus TCP server configuration and data from your automation device, potentially exposing process parameters or device state that should not be accessible. This information disclosure does not directly alter operations but could enable further attacks.

Who's at risk

Manufacturing plants, water authorities, and utilities using Rockwell Automation CompactLogix or ControlLogix controllers with Modbus TCP Server AOI deployed to communicate with legacy equipment or third-party systems. Any facility relying on the Modbus TCP Server AOI for device integration should evaluate exposure.

How it could be exploited

An attacker with network access to your Modbus TCP port (typically 502) can send read requests to the Modbus TCP Server AOI and retrieve information without providing any credentials. No authentication is required and the attack is straightforward.

Prerequisites

Network access to the Modbus TCP Server AOI on port 502 or the configured port
Modbus TCP Server AOI version 2.00 or 2.03
AOI deployed on a Rockwell Automation controller that is reachable from the attacker's network

remotely exploitableno authentication requiredlow complexityinformation disclosureaffects automation visibility and configuration data

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

Modbus TCP Server AOI:2.00 | 2.032.04.00

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to Modbus TCP port (default 502) using firewall rules—allow only authorized engineering workstations and HMI systems

WORKAROUNDDisable Modbus TCP Server AOI if it is not required for operations

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Modbus TCP Server AOI to version 2.04.00 or later

Long-term hardening

0/1

HARDENINGSegment your automation network from the business network using firewalls or air-gapping

CVEs (1)

CVE-2023-0027

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4ae371cc-c7c2-4dc2-b807-4422aa6ad03a