Rockwell Automation FactoryTalk View Site Edition (Update A)

Plan PatchCVSS 8.8ICS-CERT ICSA-24-226-06Aug 13, 2024

Rockwell Automation

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

FactoryTalk View Site Edition version 13.0 has a local privilege escalation vulnerability caused by overly permissive default Windows folder permissions on the HMI projects directory. Any user with local access to the HMI server can edit or replace project files in the default folder (C:\Users\Public\Documents\RSView Enterprise\SE\HMI projects). When the HMI server loads or executes these files, the changes run with the elevated permissions of the account that executes the projects, allowing attackers to alter process logic, setpoints, or disable safety functions. The vulnerability is not remotely exploitable but affects organizations that do not restrict local access to HMI servers or have not hardened folder permissions.

What this means

What could happen

An attacker with local access to the HMI server could modify or replace FactoryTalk View projects by exploiting weak folder permissions, causing those changes to execute with elevated privileges and potentially alter production operations or compromise process logic.

Who's at risk

Water utilities and municipal electric utilities using Rockwell Automation FactoryTalk View Site Edition (version 13.0) for SCADA or HMI operations should assess this risk. Any organization running this HMI software to manage process control, alarms, or operator interfaces is affected if the default folder permissions have not been hardened.

How it could be exploited

An attacker with local access to the HMI server exploits overly permissive Windows folder permissions in the default HMI projects folder (C:\Users\Public\Documents\RSView Enterprise\SE\HMI projects). The attacker edits or replaces project files; when the HMI server loads or executes these projects, the malicious changes run with elevated account privileges, affecting live operations.

Prerequisites

Local user account on the HMI server computer
Access to the default HMI projects folder path
Elevated privilege account that executes the HMI projects (already configured on the server)

requires local access (not remotely exploitable)affects HMI/SCADA systems that control operational processesno vendor patch available for version 13.0privilege escalation possible (local user can cause code execution as elevated account)default configuration is insecure

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

FactoryTalk View SE: 13.013.0No fix yet

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGRemove the INTERACTIVE group from the Windows security properties of the HMI projects folder (C:\Users\Public\Documents\RSView Enterprise\SE\HMI projects)

HARDENINGAdd specific users or user groups to the folder and assign minimal necessary permissions (read-only for viewers, write for authorized administrators only)

Long-term hardening

0/3

HARDENINGRestrict local access to the HMI server computer to authorized engineering and maintenance personnel only

HARDENINGImplement network segmentation to isolate HMI servers from business networks and the internet

HARDENINGMonitor access and modifications to the HMI projects folder for unauthorized changes

CVEs (1)

CVE-2024-7513

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ece251ea-3bba-4410-aaed-38219c0719a8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.