Rockwell Automation FactoryTalk View Site Edition (Update A)
Plan Patch | 8.8 | ICS-CERT ICSA-24-226-06 | Aug 13, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
FactoryTalk View Site Edition version 13.0 has a local privilege escalation vulnerability caused by overly permissive default Windows folder permissions on the HMI projects directory. Any user with local access to the HMI server can edit or replace project files in the default folder (C:\Users\Public\Documents\RSView Enterprise\SE\HMI projects). When the HMI server loads or executes these files, the changes run with the elevated permissions of the account that executes the projects, allowing attackers to alter process logic, setpoints, or disable safety functions. The vulnerability is not remotely exploitable but affects organizations that do not restrict local access to HMI servers or have not hardened folder permissions.
What this means
What could happen
An attacker with local access to the HMI server could modify or replace FactoryTalk View projects by exploiting weak folder permissions, causing those changes to execute with elevated privileges and potentially alter production operations or compromise process logic.
Who's at risk
Water utilities and municipal electric utilities using Rockwell Automation FactoryTalk View Site Edition (version 13.0) for SCADA or HMI operations should assess this risk. Any organization running this HMI software to manage process control, alarms, or operator interfaces is affected if the default folder permissions have not been hardened.
How it could be exploited
An attacker with local access to the HMI server exploits overly permissive Windows folder permissions in the default HMI projects folder (C:\Users\Public\Documents\RSView Enterprise\SE\HMI projects). The attacker edits or replaces project files; when the HMI server loads or executes these projects, the malicious changes run with elevated account privileges, affecting live operations.
Prerequisites
- Local user account on the HMI server computer
- Access to the default HMI projects folder path
- Elevated privilege account that executes the HMI projects (already configured on the server)
- requires local access (not remotely exploitable)
- affects HMI/SCADA systems that control operational processes
- no vendor patch available for version 13.0
- privilege escalation possible (local user can cause code execution as elevated account)
- default configuration is insecure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
FactoryTalk View SE: 13.0 | 13.0 | No fix yet
Remediation & Mitigation
Do now
- HARDENING: Remove the INTERACTIVE group from the Windows security properties of the HMI projects folder (C:\Users\Public\Documents\RSView Enterprise\SE\HMI projects)
- HARDENING: Add specific users or user groups to the folder and assign minimal necessary permissions (read-only for viewers, write for authorized administrators only)
Long-term hardening
- HARDENING: Restrict local access to the HMI server computer to authorized engineering and maintenance personnel only
- HARDENING: Implement network segmentation to isolate HMI servers from business networks and the internet
- HARDENING: Monitor access and modifications to the HMI projects folder for unauthorized changes
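One way to carry out and verify the first "Do now" item from PowerShell, as an added example that is not part of the advisory or Rockwell Automation's own tooling: it reports broad principals holding write-type rights on the HMI projects folder and, with the hypothetical -Remediate switch, removes the INTERACTIVE entries. Checking Everyone, Authenticated Users and BUILTIN\Users as well goes beyond the advisory, which names only INTERACTIVE.

```powershell
# Added example, not Rockwell Automation code. Run from an elevated PowerShell prompt.
param(
    [string]$Path = 'C:\Users\Public\Documents\RSView Enterprise\SE\HMI projects',
    [switch]$Remediate   # hypothetical switch name: without it the script only reports
)
$sidType = [System.Security.Principal.SecurityIdentifier]
# Well-known SIDs. INTERACTIVE is the group the advisory names; the other three
# are an assumption of this example about which principals count as "broad".
$broad = @{
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Rights that let a principal edit or replace project files.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericWriteOrAll = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, stored unmapped in some ACEs

function Get-BroadWriteAce([string]$Target) {
    foreach ($ace in (Get-Acl -LiteralPath $Target).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate($sidType).Value
        $raw = [int]$ace.FileSystemRights
        $canWrite = ($raw -band [int]$writeMask) -or ($raw -band $genericWriteOrAll)
        if ($broad.ContainsKey($sid) -and $canWrite) {
            [pscustomobject]@{ Principal = $broad[$sid]; Sid = $sid
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

$findings = @(Get-BroadWriteAce $Path)
$findings | Format-Table -AutoSize

if ($Remediate -and ($findings.Sid -contains 'S-1-5-4')) {
    # Grant the named operator/engineering groups their rights first (second "Do now" item),
    # otherwise removing INTERACTIVE can lock legitimate users out of the projects.
    $acl = Get-Acl -LiteralPath $Path
    if ($findings | Where-Object { $_.Sid -eq 'S-1-5-4' -and $_.Inherited }) {
        # An inherited ACE cannot be removed directly: convert inherited entries to explicit.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $Path -AclObject $acl
        $acl = Get-Acl -LiteralPath $Path
    }
    $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]::new('S-1-5-4'))
    Set-Acl -LiteralPath $Path -AclObject $acl
    Get-BroadWriteAce $Path | Format-Table -AutoSize   # re-check: INTERACTIVE should be gone
}
```

The report covers only the folder's own ACL; project subfolders or files with inheritance disabled carry their own entries and need the same check.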
CVEs (1)