Rockwell Automation FactoryTalk View Site

Plan PatchCVSS 9.8ICS-CERT ICSA-24-256-23Sep 12, 2024

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Rockwell Automation FactoryTalk View Site Edition versions 12.0, 13.0, and 14.0 contain a vulnerability (CWE-77) that allows unauthenticated remote code execution. An attacker with network access can exploit this to run arbitrary commands on the FactoryTalk View Site server without authentication or user interaction. This is a critical vulnerability with a CVSS score of 9.8.

What this means

What could happen

An unauthenticated attacker with network access to FactoryTalk View Site could execute arbitrary commands on the server, allowing them to alter production data, modify HMI visualizations, stop operations, or pivot into your control network.

Who's at risk

Organizations running Rockwell Automation FactoryTalk View Site Edition as their primary HMI/SCADA interface for plant visualization and monitoring should prioritize this immediately. This affects all sites using versions 12.0, 13.0, or 14.0 of FactoryTalk View Site Edition for real-time monitoring and control of manufacturing, water treatment, electric utility distribution, or other industrial processes.

How it could be exploited

An attacker sends a specially crafted network request to an exposed FactoryTalk View Site server over the network. No credentials or user interaction is required. The server processes the request and executes arbitrary code with the privileges of the FactoryTalk process, which typically has broad access to plant data and control functions.

Prerequisites

Network access to FactoryTalk View Site server port (typically 80/443 HTTP/HTTPS)
FactoryTalk View Site Edition versions 12.0, 13.0, or 14.0 installed
No authentication required

remotely exploitableno authentication requiredlow complexityhigh CVSS score (9.8)affects control system visualization and command interfaceunauthenticated RCE on critical HMI server

Exploitability

Some exploitation risk — EPSS score 1.5%

Affected products (1)

ProductAffected VersionsFix Status

FactoryTalk View Site Edition: 12.0|13.0|14.012.0|13.0|14.0No fix yet

Remediation & Mitigation

0/5

Do now

0/3

HOTFIXApply Rockwell Automation patches for FactoryTalk View Site Edition from the official Rockwell Automation security page

WORKAROUNDRestrict network access to FactoryTalk View Site servers using firewall rules—only permit connections from engineering workstations and business network ranges that legitimately need access

WORKAROUNDIf internet connectivity is not required, block all external (WAN) traffic to FactoryTalk View Site servers

Long-term hardening

0/2

HARDENINGImplement network segmentation to isolate FactoryTalk View Site servers from internet-facing systems and from other control networks

HARDENINGDeploy intrusion detection or endpoint detection on the FactoryTalk server to monitor for exploitation attempts

CVEs (1)

CVE-2024-45824

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/aa175659-c1c3-4380-8d11-aeb782a9f48b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.