Rockwell Automation RSLogix 5 and RSLogix 500
Monitor · 7.7 · ICS-CERT ICSA-24-263-01 · Sep 19, 2024
Attack Vector: Local
Auth Required: None
Complexity: High
User Interaction: Required
Summary
This vulnerability affects RSLogix 5, RSLogix 500, and RSLogix Micro Developer and Starter—engineering software used to develop and modify PLC ladder logic. A malicious VBA macro embedded in a project file can execute arbitrary code when the file is opened if VBA is enabled. The vulnerability requires local access to an engineering workstation and social engineering to trick a user into opening a malicious project file. High attack complexity and the need for user interaction limit the risk, but successful exploitation could allow an attacker to modify control logic, steal process data, or insert backdoors into PLCs.
What this means
What could happen
An attacker with local access to a workstation running RSLogix 5 or RSLogix 500 could embed malicious VBA code in project files that executes when a user opens the file, potentially allowing the attacker to run arbitrary commands with the privileges of the user and compromise control logic or steal sensitive process information.
Who's at risk
Plant engineers and controls personnel at water utilities, electric utilities, and other industrial sites using Rockwell Automation RSLogix 5 or RSLogix 500 to develop and maintain programmable logic controller (PLC) logic are affected. This impacts any organization that uses these engineering tools to configure CompactLogix, MicroLogix, SLC 500, or ControlLogix PLCs.
How it could be exploited
An attacker creates a malicious RSLogix project file containing embedded VBA code and tricks or socially engineers a plant engineer into opening it on a workstation where RSLogix is installed. When the file is opened and VBA execution is enabled (the default), the embedded code runs automatically with the privileges of the engineer opening the file.
Prerequisites
- Local access to a workstation running RSLogix 5, RSLogix 500, or RSLogix Micro Developer and Starter
- VBA execution must be enabled in FactoryTalk Administration Console (default state)
- User must open a malicious project file—typically requires social engineering or supply chain compromise
- No patch available
- Local attack vector required
- High attack complexity
- User interaction required (file must be opened)
- Affects engineering tools used to control critical infrastructure
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
3 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| RSLogix 5: vers:all/* | All versions | No fix (EOL) |
| RSLogix 500: vers:all/* | All versions | No fix (EOL) |
| RSLogix Micro Developer and Starter: vers:all/* | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Deny VBA execution in FactoryTalk Administration Console by navigating to Policies, selecting Enable/Disable VBA, and checking the Deny box
- HARDENING: Store project files in a Trusted location where only administrators can modify them and verify file integrity before opening
- HARDENING: Educate plant engineers not to open unsolicited or untrusted RSLogix project files and to verify file sources before opening
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Enable VBA editor protection by setting a password to lock VBA code from viewing and editing
Mitigations - no patch available
The following products have reached End of Life with no planned fix: RSLogix 5: vers:all/*, RSLogix 500: vers:all/*, RSLogix Micro Developer and Starter: vers:all/*. Apply the following compensating controls:
- HARDENING: Isolate RSLogix engineering workstations from the internet and business networks using network segmentation and firewalls
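One way to carry out the "verify file integrity before opening" step above, as an added example that is not from the advisory or from Rockwell Automation: an administrator records a SHA-256 manifest of reviewed project files, and the trusted location is checked against it before files are opened. The `.rss`/`.rsp` extensions, the function names, and the JSON manifest layout are assumptions for illustration.

```python
import hashlib, json, sys
from pathlib import Path

# Assumption: project file extensions (not stated in the advisory); adjust per site.
PROJECT_EXTS = {".rss", ".rsp"}

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large projects are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def project_files(root):
    """All project files under the trusted location, matched case-insensitively."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() in PROJECT_EXTS)

def build_manifest(root):
    """Run by an administrator after each project file has been reviewed."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in project_files(root)}

def verify(root, manifest):
    """Compare the trusted location against the approved manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(n for n in current
                           if n in manifest and current[n] != manifest[n]),
        "unlisted": sorted(n for n in current if n not in manifest),
        "missing": sorted(n for n in manifest if n not in current),
    }

def is_clean(report):
    """True only when nothing was modified, added, or removed."""
    return not any(report.values())

if __name__ == "__main__":
    # usage: script.py build|verify <trusted_dir> <manifest.json>
    mode, root, manifest_path = sys.argv[1:4]
    if mode == "build":
        Path(manifest_path).write_text(json.dumps(build_manifest(root), indent=2))
    else:
        report = verify(root, json.loads(Path(manifest_path).read_text()))
        print(json.dumps(report, indent=2))
        sys.exit(0 if is_clean(report) else 1)
```

Keep the manifest somewhere only administrators can write; if it sits beside the project files, anyone able to replace a project file can also replace its recorded hash.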
CVEs (1)