OTPulse

Rockwell Automation LP30/40/50 and BM40 Operator Interface

Status: Plan Patch
CVSS: 8.8 (High)
Reference: ICS-CERT ICSA-24-030-07
Published: Jan 30, 2024
Attack Vector: Network
Privileges Required: Low
Attack Complexity: Low
User Interaction: None
Summary

Rockwell Automation LP30, LP40, LP50, and BM40 Operator Panels run a CODESYS runtime that contains multiple memory-safety and input-validation vulnerabilities. An authenticated attacker who can reach the runtime's communication port can send specially crafted requests to cause a denial of service, corrupt memory, or execute code on the operator interface device.

What this means
What could happen
An attacker with valid credentials could stop the operator panel from functioning (denying operators visibility and control), corrupt its memory, or run arbitrary code to manipulate process parameters or steal operational data. This affects all plant operations monitored and controlled through these panels.
Who's at risk
Water utilities, municipal electric departments, and any facility using Rockwell Automation LP30/LP40/LP50 or BM40 operator panels for SCADA/process visualization. These panels are common in pumping stations, water treatment, substations, and distributed control environments where they provide the human interface to critical processes.
How it could be exploited
An attacker holding valid credentials for the panel sends malformed messages to the CODESYS runtime over the control network (CVSS AV:N/AC:L/PR:L). The runtime processes these requests without adequate bounds checking, so crafted input can write outside the intended buffer; depending on the bug this crashes the runtime (denial of service) or lets the attacker execute code of their choosing. No action by an operator is needed once the attacker has authenticated (UI:N).
Prerequisites
  • Valid operator or engineering workstation credentials accepted by the panel
  • Network access to the panel's communication ports over the control network (typically Ethernet: the CODESYS runtime's programming/communication port, plus any Modbus TCP service enabled on the panel)
  • Knowledge of the CODESYS communication protocol the panel uses, enough to craft the malformed requests
Risk indicators
  • Remotely exploitable over the network
  • Requires valid credentials (reduces but does not eliminate risk)
  • Memory-safety vulnerabilities (buffer overflow, out-of-bounds write)
  • Fix listed for LP30, LP50 and BM40; no fix listed yet for LP40
  • High CVSS score (8.8)
  • Affects process visibility and control systems
Exploitability
Moderate exploit probability (EPSS 4.4%)
Affected products (4): 3 with fix, 1 pending

Product              Affected Versions   Fix Status
LP40 Operator Panel  < V3.5.19.0         No fix yet
LP50 Operator Panel  < V3.5.19.0         V3.5.19.2
BM40 Operator Panel  < V3.5.19.0         V3.5.19.2
LP30 Operator Panel  < V3.5.19.0         V3.5.19.2
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the operator panels to authorized engineering workstations and SCADA servers only, using firewall rules and ACLs
HARDENING: Require strong, unique credentials for all operator panel accounts and disable default credentials if present
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade the CODESYS runtime to V3.5.19.2 or later on each affected panel for which that release is listed (no fixed release is listed yet for LP40)
Long-term hardening
HARDENING: Implement network segmentation to isolate operator panels on a dedicated control network separate from business networks and the internet
HARDENING: Monitor operator panel network traffic for suspicious communication patterns or unauthorized access attempts
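The two network controls above, the access-restriction workaround under "Do now" and the traffic-monitoring item under "Long-term hardening", share one piece of data: the allowlist of hosts permitted to reach the panels. The following Python script is an added example, not code from OTPulse, Rockwell Automation or CODESYS. It renders that allowlist as an nftables ruleset for a firewall placed in front of the panels, then audits constructed connection-log lines against the same allowlist. The panel and workstation addresses, the log-line format, the burst threshold, and the use of TCP 11740 (the CODESYS V3 runtime's default port) are all assumptions made for the example; confirm which port your panels actually expose before deploying anything like it.

```python
"""Allowlist-based ACL generation plus connection-log auditing for operator panels.

Added example for this advisory; it is not OTPulse, Rockwell, or CODESYS code.
Assumed/constructed: the panel and workstation addresses, TCP 11740 as the
CODESYS V3 runtime port, the burst threshold, and the connection-log format.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

CODESYS_RUNTIME_PORT = 11740  # CODESYS V3 runtime default; confirm on your panels


@dataclass(frozen=True)
class AccessPolicy:
    """Hosts allowed to reach the panels' runtime port (the "Do now" workaround)."""
    panels: frozenset            # IPv4Address objects
    allowed_sources: frozenset   # IPv4Network objects
    port: int = CODESYS_RUNTIME_PORT

    def permits(self, src, dst, dport):
        # Only traffic to a panel's runtime port is governed by this policy.
        if dst not in self.panels or dport != self.port:
            return True
        return any(src in net for net in self.allowed_sources)


def render_nftables(policy):
    """Emit an nftables ruleset that accepts the allowlist and logs+drops the rest."""
    panels = ", ".join(str(p) for p in sorted(policy.panels))
    sources = ", ".join(str(n) for n in sorted(policy.allowed_sources))
    return "\n".join([
        "table inet panel_acl {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip daddr {{ {panels} }} tcp dport {policy.port} ip saddr {{ {sources} }} accept",
        f'    ip daddr {{ {panels} }} tcp dport {policy.port} log prefix "panel-acl-drop " drop',
        "  }",
        "}",
    ])


# Constructed log format, e.g. from the firewall's log rule or a flow collector.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


@dataclass(frozen=True)
class Finding:
    kind: str   # "unauthorized_source" or "burst"
    src: str
    dst: str
    count: int = 1


def audit(log_lines, policy, burst_threshold=20):
    """Flag runtime-port connections from hosts outside the allowlist, and bursts of
    connections from any host, allowlisted or not: the advisory's attacker already
    holds valid credentials, so the ACL alone does not stop them."""
    findings = []
    per_pair = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # unparseable line: skip it rather than abort the audit
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if dst not in policy.panels or dport != policy.port:
            continue
        per_pair[(str(src), str(dst))] += 1
        if not policy.permits(src, dst, dport):
            findings.append(Finding("unauthorized_source", str(src), str(dst)))
    for (src, dst), n in per_pair.items():
        if n >= burst_threshold:
            findings.append(Finding("burst", src, dst, n))
    return findings


# Constructed example: two panels, one engineering workstation, one SCADA server.
EXAMPLE_POLICY = AccessPolicy(
    panels=frozenset({ipaddress.ip_address("10.10.1.20"), ipaddress.ip_address("10.10.1.21")}),
    allowed_sources=frozenset({ipaddress.ip_network("10.10.5.3/32"), ipaddress.ip_network("10.10.5.10/32")}),
)

# Constructed log: one normal session, one business-LAN host probing the runtime port,
# one Modbus connection this policy does not govern, one garbage line, then a burst
# of 25 runtime-port connections from the (allowlisted) SCADA server.
SAMPLE_LOG = (
    ["2024-02-01T10:00:00Z src=10.10.5.3 dst=10.10.1.20 dport=11740 proto=tcp",
     "2024-02-01T10:00:05Z src=192.168.50.7 dst=10.10.1.20 dport=11740 proto=tcp",
     "2024-02-01T10:00:06Z src=192.168.50.7 dst=10.10.1.20 dport=502 proto=tcp",
     "garbage line that does not parse"]
    + [f"2024-02-01T10:01:{i:02d}Z src=10.10.5.10 dst=10.10.1.21 dport=11740 proto=tcp"
       for i in range(25)]
)

if __name__ == "__main__":
    print(render_nftables(EXAMPLE_POLICY))
    for finding in audit(SAMPLE_LOG, EXAMPLE_POLICY):
        print(finding)
```

The burst rule is the part the ACL cannot provide: the advisory's attacker already holds valid credentials, so they will arrive from an allowlisted address, and a sudden run of connections to the runtime port from an engineering host is the kind of pattern worth alerting on. Extending the policy to the panel's other listening services (Modbus TCP, any web interface) is the natural next step.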