OTPulse

Emerson ROC800 Series RTU and DL8000 Preset Controller

Act Now · CVSS 9.4 · ICS-CERT ICSA-23-206-03 · Jul 25, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

An authentication bypass vulnerability in Emerson ROC800 series RTUs and DL8000 preset controllers (CWE-305) allows an attacker with network access to send unauthorized control commands to the device without providing valid credentials or authentication tokens. Successful exploitation could result in denial-of-service or unauthorized modification of process parameters and control settings. The vulnerability affects all firmware versions of ROC809, ROC827, ROC809L, ROC827L, and DL8000 devices across all hardware revisions.

What this means
What could happen
An attacker with network access could bypass authentication controls on these RTUs and preset controllers, allowing them to send unauthorized commands to alter process setpoints, disable safety interlocks, or stop critical operations in water systems or electrical distribution networks.
Who's at risk
Water utilities and municipal electric providers operating Emerson ROC800 series RTUs (ROC809, ROC827, ROC809L, ROC827L) and DL8000 preset controllers should prioritize this issue. These devices are commonly used for remote supervisory control of treatment processes, pump stations, distribution networks, and electrical substations where unauthorized command injection could cause immediate operational impact.
How it could be exploited
An attacker sends specially crafted network packets to the device on the industrial network, bypassing the authentication mechanism that normally requires credentials or a valid operation request. Once the bypass succeeds, the attacker can read the device configuration and send control commands directly to the RTU or controller without further validation.
Prerequisites
  • Network access to the device on ports used by ROC800/DL8000 protocols (typically Modbus TCP or proprietary Emerson protocols)
  • Device must be reachable from attacker's network position
  • No valid credentials or prior access required
Risk factors
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available for Series 1 hardware
  • Affects critical industrial control devices
  • Affects safety and process control systems
  • High CVSS (9.4)
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (8): 5 with fix, 3 pending

Product                      Affected Versions   Fix Status
ROC809 Hardware series: *    All versions        No fix yet
ROC827 Hardware series: *    All versions        No fix yet
DL8000 Hardware series: *    All versions        No fix yet
ROC809 Firmware: *           All versions        3.91 or later (Series 2)
ROC827 Firmware: *           All versions        3.91 or later (Series 2)
ROC809L Firmware: *          All versions        1.71 or later (Series 2)
ROC827L Firmware: *          All versions        1.71 or later (Series 2)
DL8000 Firmware: *           All versions        2.60 or later (Series 2)
Remediation & Mitigation
Do now
  • HARDENING: Verify firmware authenticity by comparing MD5/SHA256 hashes against Emerson's published values before installation
  • HARDENING: Implement network segmentation to isolate RTU and controller devices behind firewalls, blocking direct access from business networks and the Internet
  • HARDENING: If remote access is required, enforce use of encrypted VPN connections with current security patches
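The hash check in the first hardening item, as an added example (not OTPulse or Emerson code). It hashes the downloaded image in chunks, compares each digest against the vendor-published value in constant time, and treats a matching MD5 on its own as insufficient because MD5 is not collision resistant. The image file name and the digest values on the command line are assumptions; the real values come from Emerson's firmware download page.

```python
"""Verify a downloaded firmware image against vendor-published hashes.

Added example, not part of the OTPulse advisory or Emerson's tooling. Any
expected digest values are supplied by the operator from the vendor's
published list; nothing here is a real ROC800/DL8000 firmware hash.
"""
import hashlib
import hmac
import io
import sys

# Algorithms accepted as proof of integrity on their own. MD5 is kept only as a
# secondary check because it is not collision resistant.
STRONG_ALGORITHMS = {"sha256"}


def digest_stream(stream, algorithm, chunk_size=1 << 20):
    """Hash a binary stream incrementally so large images need not fit in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_firmware(stream, expected):
    """Compare a firmware stream against {algorithm: published hex digest}.

    Returns (ok, details). ok is True only when every published digest matches
    and at least one of them uses a strong algorithm; a matching MD5 by itself
    is reported in details but does not count as verification.
    """
    details = {}
    for algorithm, published in expected.items():
        stream.seek(0)
        actual = digest_stream(stream, algorithm)
        # Constant-time comparison; vendors publish digests in either case.
        details[algorithm] = hmac.compare_digest(actual, published.strip().lower())
    strong_ok = any(details.get(a) for a in STRONG_ALGORITHMS)
    ok = bool(details) and all(details.values()) and strong_ok
    return ok, details


def verify_firmware_bytes(data, expected):
    """Convenience wrapper for in-memory data (used for self-checks)."""
    return verify_firmware(io.BytesIO(data), expected)


def verify_firmware_file(path, expected):
    """Verify an on-disk image; the caller supplies the published digests."""
    with open(path, "rb") as f:
        return verify_firmware(f, expected)


if __name__ == "__main__":
    # Usage (hypothetical file name): python verify_firmware.py image.bin sha256=<hex> [md5=<hex>]
    if len(sys.argv) < 3:
        sys.exit("usage: verify_firmware.py IMAGE ALGO=HEX [ALGO=HEX ...]")
    published = dict(arg.split("=", 1) for arg in sys.argv[2:])
    ok, details = verify_firmware_file(sys.argv[1], published)
    for algorithm, matched in details.items():
        print(f"{algorithm}: {'match' if matched else 'MISMATCH'}")
    print("VERIFIED: stage for installation" if ok else "NOT VERIFIED: do not install")
    sys.exit(0 if ok else 1)
```

Run it against the downloaded image before staging it for the maintenance window; a non-zero exit means the image differs from what the vendor published, whether from a corrupted download or a substituted file, and should not be loaded onto the RTU.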
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update ROC800 Series 2 firmware to version 3.91 or later
  • HOTFIX: Update ROC800L Series 2 firmware to version 1.71 or later
  • HOTFIX: Update DL8000 Series 2 firmware to version 2.60 or later
  • HOTFIX: For ROC800 Series 1 and DL8000 Series 1 devices, upgrade hardware to Series 2 with patched firmware
Long-term hardening
  • HARDENING: Review and implement Emerson ROC800-Series Secure Gateway D301766X012 guidance per section 1.11 of the Instruction Manual