Rockwell Automation PowerMonitor 1000

Plan Patch8.8ICS-CERT ICSA-23-194-05Jul 13, 2023

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Rockwell Automation PowerMonitor 1000 V4.011 contains a vulnerability that could allow remote code execution (CWE-79 cross-site scripting). Successful exploitation could result in complete loss of confidentiality, integrity, and availability of the product.

What this means

What could happen

An attacker could execute arbitrary code on the PowerMonitor 1000, potentially allowing them to modify power monitoring data, alter alarms, disable alerts, or disrupt visibility into electrical system operations at your facility.

Who's at risk

Energy utilities and facilities operating Rockwell Automation PowerMonitor 1000 devices for electrical system monitoring and analysis. This includes power distribution supervisors, electrical operators, and facility maintenance teams who access the device for monitoring and diagnostics.

How it could be exploited

An attacker sends a malicious web request containing injected code to the PowerMonitor 1000's web interface. If a user with access to the device clicks a malicious link or is redirected to the device with the payload, the code executes in their browser context with the permissions of the logged-in user, potentially allowing the attacker to run commands on the underlying system.

Prerequisites

Network access to the PowerMonitor 1000 web interface (port 80/443 or configured HTTP port)
User interaction required: an authenticated user must visit a page containing the malicious payload or click a crafted link

Remotely exploitableHigh CVSS score (8.8)User interaction required for exploitationNo public exploits available yet

Exploitability

Low exploit probability (EPSS 0.7%)

Affected products (1)

ProductAffected VersionsFix Status

PowerMonitor 1000: V4.011V4.011V4.019

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGRestrict network access to the PowerMonitor 1000 web interface; ensure the device is not accessible from the Internet or untrusted networks

HARDENINGIsolate the PowerMonitor 1000 behind a firewall and on a dedicated OT network segment separate from business networks and the Internet

WORKAROUNDIf remote access to the PowerMonitor 1000 is required, use a VPN with strong authentication and keep VPN software updated to the latest version

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade PowerMonitor 1000 to firmware version V4.019 or later

CVEs (1)

CVE-2023-2072

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8cf278f0-f49b-4f6c-81ed-a1e29ab05338