OTPulse

Rockwell Automation FactoryTalk View Site

Act Now | CVSS 9.8 | ICS-CERT ICSA-24-256-23 | Sep 12, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

FactoryTalk View Site Edition versions 12.0, 13.0, and 14.0 contain an unauthenticated remote code execution vulnerability via command injection (CWE-77). An attacker can send a malicious request to the web interface and execute arbitrary code on the FactoryTalk server without providing credentials. This could allow takeover of the HMI system and control of connected industrial devices.

What this means
What could happen
An attacker could run arbitrary commands on a FactoryTalk View Site server without logging in, potentially taking control of HMI systems, altering production parameters, or disrupting plant operations.
Who's at risk
Water utilities, electric utilities, chemical plants, and other process manufacturers using Rockwell Automation FactoryTalk View Site Edition as their HMI (human-machine interface) for monitoring and controlling PLCs and industrial devices. Versions 12.0, 13.0, and 14.0 are affected.
How it could be exploited
An attacker on the network sends a specially crafted request to the FactoryTalk View Site server on port 80/443, exploiting a command injection flaw (CWE-77). No authentication is required. The attacker gains code execution with the privileges of the FactoryTalk service account.
Prerequisites
  • Network access to FactoryTalk View Site Edition server (port 80 or 443)
  • No authentication required
  • Affected version running (12.0, 13.0, or 14.0)
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Critical CVSS (9.8)
  • Affects HMI/human-machine interface
  • Command injection allows arbitrary code execution
Exploitability
Moderate exploit probability (EPSS 1.2%)
Affected products (1)
Product | Affected Versions | Fix Status
FactoryTalk View Site Edition | 12.0, 13.0, 14.0 | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Isolate FactoryTalk View Site servers behind a firewall; do not expose to the internet
  • WORKAROUND: If remote access to FactoryTalk View Site is required, implement VPN with current security patches
  • WORKAROUND: Restrict network access to FactoryTalk View Site server to authorized engineering workstations only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Apply Rockwell Automation security patches for FactoryTalk View Site Edition
Long-term hardening
  • HARDENING: Segregate FactoryTalk View Site network from business/office network using network segmentation
API: /api/v1/advisories/aa175659-c1c3-4380-8d11-aeb782a9f48b