Rockwell Automation FactoryTalk View ME
Plan Patch · CVSS 7.3 · ICS-CERT ICSA-24-317-03 · Nov 12, 2024
Vendor: Rockwell Automation
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
FactoryTalk View ME v14.0 and earlier uses overly permissive default folder privileges for HMI project files. A low-privileged local user can modify macro code in these files and escalate privileges when the macro executes, potentially running arbitrary code with higher privileges. This affects machines using default folder security settings.
What this means
What could happen
A low-privileged user on a Windows machine running FactoryTalk View ME could escalate privileges and run arbitrary code by modifying HMI macros, potentially altering process setpoints, stopping production, or causing equipment damage.
Who's at risk
Water utilities and electric utilities operating human-machine interface (HMI) systems using FactoryTalk View ME on Windows machines need to address this vulnerability. Affected sites include those managing SCADA workstations, operator stations, or engineering computers running FactoryTalk View ME v14.0 or earlier with default folder permissions.
How it could be exploited
An attacker with local access to a Windows machine running FactoryTalk View ME v14.0 or earlier exploits overly permissive default folder permissions (INTERACTIVE group access). The attacker modifies macro code in the HMI project files and escalates their privileges when the macro executes with higher privileges.
Prerequisites
- Local user account on the Windows machine hosting FactoryTalk View ME v14.0 or earlier
- Default folder permissions unchanged (INTERACTIVE group with write access to HMI project folder)
- Ability to modify HMI project files in the shared folder
Tags: local access required · low complexity · privilege escalation · default credentials/permissions · affects HMI/control system interface
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product: FactoryTalk View ME, when using default folder privileges
Affected versions: ≤ v14.0
Fix status: fixed in v15.0
Remediation & Mitigation
Do now
WORKAROUND: Remove the INTERACTIVE group from the HMI project folder security properties
HARDENING: Assign read and write permissions only to the specific users or user groups required for HMI administration, following the least-privilege principle
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
HOTFIX: Upgrade FactoryTalk View ME to version 15.0 or later
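The workaround and hardening steps above are folder ACL changes on the Windows host. The following PowerShell script is an added example, not code from the advisory, ICS-CERT or Rockwell Automation: it audits a project folder for Allow entries that give the built-in INTERACTIVE group (well-known SID S-1-5-4) write-class rights, and with -Fix removes every INTERACTIVE entry and grants Modify to a named administration group instead. The folder path and the group name are placeholders you must replace; the script assumes it is run from an elevated Windows PowerShell session on the FactoryTalk View ME machine.

```powershell
# Added example, not code from the advisory or from Rockwell Automation.
# Audits an HMI project folder for write access granted to the built-in
# INTERACTIVE group (the condition the advisory describes) and, with -Fix,
# removes those entries and grants a named HMI-administration group instead.
# $ProjectFolder and $AdminGroup are placeholders: supply your own values.
param(
    [string]$ProjectFolder = 'C:\PLACEHOLDER\HMI\Projects',   # hypothetical path
    [string]$AdminGroup    = 'PLACEHOLDER\HMI-Admins',        # hypothetical group
    [switch]$Fix
)

# Rights that let a principal change file contents inside the folder.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

$interactiveSid = 'S-1-5-4'   # well-known SID of NT AUTHORITY\INTERACTIVE

function Get-InteractiveWriteAces {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    # Resolve identities to SIDs so the comparison does not depend on locale.
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $interactiveSid -and
            (($_.FileSystemRights -band $writeMask) -ne 0)
        }
}

$acl  = Get-Acl -Path $ProjectFolder
$aces = @(Get-InteractiveWriteAces -Acl $acl)

if ($aces.Count -eq 0) {
    Write-Output "OK: INTERACTIVE has no write access on $ProjectFolder"
    return
}

foreach ($ace in $aces) {
    Write-Warning ("INTERACTIVE has '{0}' on {1} (inherited: {2})" -f
        $ace.FileSystemRights, $ProjectFolder, $ace.IsInherited)
}

if (-not $Fix) { return }

# Inherited entries cannot be removed directly: break inheritance first while
# keeping copies of the current entries, persist, then re-read the ACL.
if ($aces | Where-Object IsInherited) {
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $ProjectFolder -AclObject $acl
    $acl = Get-Acl -Path $ProjectFolder
}

# Drop every access rule for INTERACTIVE (the advisory's workaround) ...
$acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]$interactiveSid)

# ... and grant Modify only to the named administration group (the hardening
# step), inherited by files and subfolders.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AdminGroup, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $ProjectFolder -AclObject $acl

# Re-audit so the change is verified rather than assumed.
$remaining = @(Get-InteractiveWriteAces -Acl (Get-Acl -Path $ProjectFolder))
Write-Output ("INTERACTIVE write entries remaining: {0}" -f $remaining.Count)
```

Run it without -Fix first across every host that keeps HMI project files, and record the warnings; that output is also the evidence an auditor will ask for. Purging INTERACTIVE removes its read access as well, so if operator or runtime accounts need to open the project, add an explicit Read rule for that specific group rather than restoring INTERACTIVE. Because the fix breaks inheritance on the folder, later changes to the parent directory's ACL will no longer flow down, which is the intended outcome here but worth noting in the change record.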
CVEs (1)