OTPulse

Rockwell Automation Stratix 5800 and Stratix 5200 (UPDATE A)

Priority: Act Now (10) · Source: ICS-CERT ICSA-23-297-01 · Published: Oct 24, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A critical vulnerability in Rockwell Automation Stratix 5800 and 5200 switches running Cisco IOS XE Software with the Web UI feature enabled allows unauthenticated remote attackers to execute arbitrary code and take full control of the device. The vulnerability stems from improper input validation in the web interface. All current versions of both models are affected. No firmware patch is available from Rockwell Automation. The vulnerability is actively being exploited in the wild.

What this means
What could happen
An unauthenticated attacker on the network can gain complete control of the Stratix switch, potentially altering network configuration, intercepting traffic, or disrupting communications to downstream PLCs and devices that depend on this switch for connectivity.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Rockwell Automation Stratix 5800 or 5200 switches for industrial network connectivity. These switches connect PLCs, RTUs, and other control devices to facility networks and remote management systems.
How it could be exploited
An attacker sends a malicious HTTP request to the web UI of the Stratix 5800 or 5200 switch. The vulnerability allows code execution without requiring authentication. Once on the device, the attacker can execute arbitrary commands with administrative privileges.
Prerequisites
  • Network access to the HTTP or HTTPS port (80 or 443) on the Stratix switch
  • Stratix 5800 or 5200 with Web UI feature enabled
  • Device must be reachable from attacker's location (typically same network segment or via routing)
Tags: remotely exploitable · no authentication required · low complexity · actively exploited (KEV) · EPSS score 94% (very high) · no patch available · affects network infrastructure critical to plant operations
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (2)
Fix status: 2 pending
  • Product: Stratix 5800 (running Cisco IOS XE Software with the Web UI feature enabled)
    Affected versions: vers:all/* (all versions)
    Fix status: No fix yet
  • Product: Stratix 5200 (running Cisco IOS XE Software with the Web UI feature enabled)
    Affected versions: vers:all/* (all versions)
    Fix status: No fix yet
Remediation & Mitigation

Do now
  • [WORKAROUND] Disable the HTTP Server feature using the 'no ip http server' command in global configuration mode
  • [WORKAROUND] Disable the HTTPS Server feature using the 'no ip http secure-server' command in global configuration mode if not needed
  • [HARDENING] Implement Access Control Lists to restrict access to the Web UI to only authorized IP addresses
  • [HARDENING] Isolate Stratix switches from internet-facing networks and place them behind firewalls

Schedule — requires maintenance window

Patching may require a device reboot — plan for process interruption

  • [HARDENING] Monitor network traffic for indicators of compromise using the provided Snort rules

Long-term hardening
  • [HARDENING] Segment control system networks from business networks
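The two workarounds and the ACL hardening item above come down to a few lines of IOS XE configuration. The following Python audit is an added example, not code from OTPulse, Rockwell Automation or Cisco: it parses a saved 'show running-config' dump and reports whether the Web UI is still listening (HTTP and/or HTTPS) and whether an 'ip http access-class' ACL limits which sources can reach it. The hostname, ACL name, addresses and config text are constructed for illustration, and the 'ip http access-class' syntax is assumed to be supported on the IOS XE release in use.

```python
"""Audit a Cisco IOS XE running-config for Web UI exposure.

Added example, not vendor code. Flags the settings the advisory's
workarounds target ('ip http server', 'ip http secure-server') and
whether an 'ip http access-class' ACL restricts Web UI access.
Only explicit config lines are evaluated; platform defaults are not
inferred, so audit a full 'show running-config' dump.
"""
import re

# Constructed sample: Web UI fully exposed over HTTP and HTTPS (risky state).
EXPOSED_CONFIG = """\
hostname STRATIX-5800-LINE1
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Constructed sample: both servers disabled, as the two workarounds direct.
HARDENED_CONFIG = """\
hostname STRATIX-5800-LINE1
!
no ip http server
no ip http secure-server
!
"""

# Constructed sample: HTTPS kept for management, but only from a management
# subnet, via the ACL hardening item. ACL name and subnet are assumptions.
RESTRICTED_CONFIG = """\
hostname STRATIX-5800-LINE1
!
ip access-list standard MGMT-ONLY
 permit 10.10.50.0 0.0.0.255
 deny   any log
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
"""

ACCESS_CLASS_RE = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)$")


def audit_web_ui(config: str) -> dict:
    """Return the Web UI exposure state parsed from an IOS XE config dump.

    'risk' is 'none' when neither HTTP nor HTTPS server is enabled,
    'reduced' when a server is enabled but an access-class ACL applies,
    and 'high' when a server is enabled with no ACL restricting it.
    """
    lines = [line.strip() for line in config.splitlines()]
    state = {
        # Exact line match, so 'no ip http server' does not count as enabled.
        "http_enabled": "ip http server" in lines,
        "https_enabled": "ip http secure-server" in lines,
        "access_class": None,
    }
    for line in lines:
        match = ACCESS_CLASS_RE.match(line)
        if match:
            state["access_class"] = match.group(1)

    web_ui_on = state["http_enabled"] or state["https_enabled"]
    if not web_ui_on:
        state["risk"] = "none"
    elif state["access_class"] is None:
        state["risk"] = "high"
    else:
        state["risk"] = "reduced"
    return state


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG),
                      ("hardened", HARDENED_CONFIG),
                      ("restricted", RESTRICTED_CONFIG)):
        print(name, audit_web_ui(cfg))
```

Run it against real dumps by reading each switch's saved running-config into a string and calling audit_web_ui; any result other than 'none' means the workaround has not been applied on that device, and 'reduced' still leaves the Web UI reachable from whichever addresses the ACL permits.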
API: /api/v1/advisories/a9789d6e-5222-4c86-a84e-60fbb1e66e33