Rockwell Automation Connected Components Workbench
Act Now | 9.6 | ICS-CERT ICSA-23-264-05 | Sep 21, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Connected Components Workbench versions prior to R21 contain heap corruption vulnerabilities (CWE-416, CWE-787) that can be triggered by opening a crafted HTML file. Successful exploitation allows an attacker to execute arbitrary code on the engineering workstation with the privileges of the logged-in user, potentially enabling unauthorized modification of control logic before deployment to PLCs and industrial equipment.
What this means
What could happen
An attacker could exploit heap corruption vulnerabilities in Connected Components Workbench to execute arbitrary code on engineering workstations, potentially allowing modification of PLC logic and process parameters before deployment to control systems.
Who's at risk
Engineering teams and automation technicians who use Rockwell Automation Connected Components Workbench to develop and deploy PLC and control logic for manufacturing, water treatment, power generation, and other industrial processes. Anyone running a version earlier than R21 is at risk.
How it could be exploited
An attacker sends a crafted HTML file or link to an engineer. When the engineer opens it in Connected Components Workbench (versions before R21), the heap corruption vulnerability is triggered, allowing code execution on the workstation with the same privileges as the engineer.
Prerequisites
- User must open a malicious HTML file or click a link in Connected Components Workbench
- Affected version must be installed (earlier than R21)
- No special network access required—can be delivered via email or web
- Actively exploited (KEV)
- No authentication required
- Low attack complexity
- Remotely exploitable via email or web
- Very high exploit probability (92.9% EPSS)
- No patch available for older versions
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Connected Components Workbench: < R21 | < R21 | R21 or later |
Remediation & Mitigation
Do now
- HOTFIX: Update Connected Components Workbench to R21 or later
- WORKAROUND: Do not click web links or open HTML attachments from untrusted sources in Connected Components Workbench
Long-term hardening
- HARDENING: Isolate engineering workstations from internet access and unsecured networks
- HARDENING: Use VPN for any required remote access to engineering workstations