Emerson ROC800 Series RTU and DL8000 Preset Controller
Plan PatchCVSS 9.4ICS-CERT ICSA-23-206-03Jul 25, 2023
Emerson
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
An authentication bypass vulnerability in Emerson ROC800 series RTUs and DL8000 preset controllers (CWE-305) allows an attacker with network access to send unauthorized control commands to the device without providing valid credentials or authentication tokens. Successful exploitation could result in denial-of-service or unauthorized modification of process parameters and control settings. The vulnerability affects all firmware versions of ROC809, ROC827, ROC809L, ROC827L, and DL8000 devices across all hardware revisions.
What this means
What could happen
An attacker with network access could bypass authentication controls on these RTUs and preset controllers, allowing them to send unauthorized commands to alter process setpoints, disable safety interlocks, or stop critical operations in water systems or electrical distribution networks.
Who's at risk
Water utilities and municipal electric providers operating Emerson ROC800 series RTUs (ROC809, ROC827, ROC809L, ROC827L) and DL8000 preset controllers should prioritize this issue. These devices are commonly used for remote supervisory control of treatment processes, pump stations, distribution networks, and electrical substations where unauthorized command injection could cause immediate operational impact.
How it could be exploited
An attacker sends specially crafted network packets to the device on the industrial network, bypassing the authentication mechanism that normally requires credentials or valid operation requests. Once authenticated, the attacker can read device configuration and send control commands directly to the RTU or controller without further validation.
Prerequisites
- Network access to the device on ports used by ROC800/DL8000 protocols (typically Modbus TCP or proprietary Emerson protocols)
- Device must be reachable from attacker's network position
- No valid credentials or prior access required
Remotely exploitableNo authentication requiredLow complexity attackNo patch available for Series 1 hardwareAffects critical industrial control devicesAffects safety and process control systemsHigh CVSS (9.4)
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (8)
5 with fix3 pending
ProductAffected VersionsFix Status
ROC809 Hardware series: *All versionsNo fix yet
ROC827 Hardware series: *All versionsNo fix yet
DL8000 Hardware series: *All versionsNo fix yet
ROC809 Firmware: *All versions3.91+ (Series 2)
ROC827 Firmware: *All versions3.91+ (Series 2)
ROC809L Firmware: *All versions1.71+ (Series 2)
ROC827L Firmware: *All versions1.71+ (Series 2)
DL8000 Firmware: *All versions2.60+ (Series 2)
Remediation & Mitigation
0/8
Do now
0/3HARDENINGVerify firmware authenticity by comparing MD5/SHA256 hashes against Emerson's published values before installation
HARDENINGImplement network segmentation to isolate RTU and controller devices behind firewalls, blocking direct access from business networks and Internet
HARDENINGIf remote access is required, enforce use of encrypted VPN connections with current security patches
Schedule — requires maintenance window
0/4Patching may require device reboot — plan for process interruption
HOTFIXUpdate ROC800 Series 2 firmware to version 3.91 or later
HOTFIXUpdate ROC800L Series 2 firmware to version 1.71 or later
HOTFIXUpdate DL8000 Series 2 firmware to version 2.60 or later
HOTFIXFor ROC800 Series 1 and DL8000 Series 1 devices, upgrade hardware to Series 2 with patched firmware
Long-term hardening
0/1HARDENINGReview and implement Emerson ROC800-Series Secure Gateway D301766X012 guidance per section 1.11 of the Instruction Manual
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/4ab0ce9f-0ee5-4a20-83f9-34b42c1c1bf3Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.