OTPulse
FeedAboutContact

Rockwell Automation FactoryTalk View ME

Plan Patch7.3ICS-CERT ICSA-24-317-03Nov 12, 2024
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionRequired
Summary

FactoryTalk View ME v14.0 and earlier contains an input validation vulnerability (CWE-20) in handling HMI project macro files. When default folder privileges are applied, a low-privileged local user can modify project macros to execute arbitrary code with elevated privileges. This could allow privilege escalation and unauthorized control of HMI functions. Rockwell Automation has released a fix in v15.0; earlier versions require hardening of folder permissions as a compensating control.

What this means
What could happen
A local user with low-level access could escalate their privileges and run arbitrary code on the HMI workstation, potentially altering process data, operator displays, or causing unintended process changes.
Who's at risk
Operators and system administrators using Rockwell Automation FactoryTalk View ME (v14.0 and earlier) with default folder permissions are at risk. This affects manufacturing facilities, water utilities, and power systems that rely on FactoryTalk View ME for HMI operation and monitoring.
How it could be exploited
An attacker with a local user account on the FactoryTalk View ME workstation could modify HMI project macro files stored in the default folder to inject malicious code. When the operator or another user runs or tests the HMI application, the macro executes with higher privileges, giving the attacker elevated access to control system functions.
Prerequisites
  • Local user account on the workstation running FactoryTalk View ME
  • Default folder permissions unchanged (INTERACTIVE group not removed)
  • HMI project files in default folder location
  • User interaction required to trigger macro execution (opening or testing the project)
local access requiredlow complexitydefault credentials/configurationaffects HMI/operator interface
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
ProductAffected VersionsFix Status
FactoryTalk View ME, when using default folder privileges: <=v14.0≤ v14.015.0
Remediation & Mitigation
0/4
Do now
0/1
HARDENINGRemove the INTERACTIVE group from the HMI project folder security properties and assign permissions only to specific users or groups using least-privilege principle
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade FactoryTalk View ME to version 15.0 or later
HARDENINGIsolate HMI workstations from business networks and the internet using network segmentation and firewalls
Long-term hardening
0/1
HARDENINGRestrict local user account creation and access to FactoryTalk View ME workstations; enforce strong password policies and account lockout controls
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/b01ea2d7-4d65-4107-b46b-a8dce50b8496
Rockwell Automation FactoryTalk View ME | CVSS 7.3 - OTPulse