OTPulse

Rockwell Automation PowerMonitor 1000 Remote

Act Now · CVSS 9.8 · ICS-CERT ICSA-24-352-03 · Dec 17, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Rockwell Automation PowerMonitor 1000 (PM1k) devices with firmware versions below 4.020 contain multiple vulnerabilities (CWE-420, CWE-122, CWE-120) that allow remote, unauthenticated attackers to perform edit operations, create administrative users, execute a factory reset, run arbitrary code, or cause denial-of-service conditions. The vulnerabilities affect multiple PM1k models across 485 Modbus and Ethernet variants (BC3A, TS3A, EM3A, TR1A, TR2A, EM1A, EM2A).

What this means
What could happen
An attacker could remotely take control of your PowerMonitor 1000 devices without credentials, allowing them to modify meter settings, create backdoor accounts, execute arbitrary commands on the device, or disable it entirely. This could prevent billing data collection, affect demand response capabilities, or create visibility gaps in electrical distribution monitoring.
Who's at risk
This affects energy utilities and any organization operating Rockwell Automation PowerMonitor 1000 meters for electrical monitoring and billing. The vulnerabilities impact all PM1k model variants (BC3A, TS3A, EM3A, TR1A, TR2A, EM1A, EM2A) running firmware below version 4.020, whether they use Modbus 485 or Ethernet connectivity. This is critical for municipal electric utilities and large facilities with networked revenue or operational metering.
How it could be exploited
An attacker with network access to the PowerMonitor 1000's IP address and listening port can send specially crafted requests to exploit memory safety flaws or authorization logic flaws. The attacker gains code execution or administrative control without needing to provide valid credentials, and can then manipulate device configuration or operations.
Prerequisites
  • Network connectivity to PowerMonitor 1000 device IP address on its service port (typically 80 or 443 for Ethernet models)
  • No credentials required
Remotely exploitable · No authentication required · Low complexity attack · High CVSS score (9.8) · No patch available (end-of-life or no planned fix)
Exploitability
Moderate exploit probability (EPSS 7.1%)
Affected products (14)
14 with fix
Product | Affected Versions | Fix Status
PM1k 1408-TS3A-ENT | <4.020 | 4.020
PM1k 1408-TR1A-ENT | <4.020 | 4.020
PM1k 1408-BC3A-485 | <4.020 | 4.020
PM1k 1408-BC3A-ENT | <4.020 | 4.020
PM1k 1408-TS3A-485 | <4.020 | 4.020
PM1k 1408-EM3A-485 | <4.020 | 4.020
PM1k 1408-EM3A-ENT | <4.020 | 4.020
PM1k 1408-TR1A-485 | <4.020 | 4.020
Remediation & Mitigation
Do now
  • HARDENING: Isolate PowerMonitor 1000 devices from direct internet access and restrict network access to authorized systems only
  • HARDENING: Place PowerMonitor 1000 devices on a dedicated meter network segmented from business networks with firewall protection
  • WORKAROUND: If remote access to PowerMonitor 1000 is required, use VPN with multi-factor authentication and keep VPN client software current
  • WORKAROUND: Disable remote access features on PowerMonitor 1000 devices if not actively needed
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade PowerMonitor 1000 devices to firmware version 4.020 or later
  • HARDENING: Monitor PowerMonitor 1000 traffic for suspicious connection patterns or unauthorized configuration changes
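
To schedule the firmware upgrade, an asset inventory can be triaged against the catalog numbers and the 4.020 fix version listed above. The following is an added example, not code from OTPulse or Rockwell Automation; the CSV column names and the sample rows are constructed, and it assumes firmware is recorded as major.minor with a three-digit minor (for example 4.019), sending anything else to manual review instead of guessing.

```python
import csv
import io
import re

# Model codes, variants and the fixed version come from the advisory text above.
PM1K_CATALOG = re.compile(r"^1408-(BC3A|TS3A|EM3A|TR1A|TR2A|EM1A|EM2A)-(485|ENT)$")
FIXED = (4, 20)  # firmware 4.020

# Assumption: firmware is written as major.minor with a three-digit minor.
FW_FORMAT = re.compile(r"^(\d+)\.(\d{3})$")

# Constructed sample inventory (hosts, addresses and versions are made up).
SAMPLE_INVENTORY = """\
host,ip,catalog,firmware
meter-sub1,10.20.0.11,1408-EM3A-ENT,4.019
meter-sub2,10.20.0.12,1408-TS3A-ENT,4.020
meter-sub3,10.20.0.13,1408-BC3A-485,4.2
meter-sub4,10.20.0.14,1408-TR2A-ENT,3.110
plc-line1,10.30.0.5,1756-L83E,33.011
"""


def classify(catalog, firmware):
    """Return 'not-pm1k', 'affected', 'fixed' or 'review' for one asset."""
    if not PM1K_CATALOG.match(catalog.strip().upper()):
        return "not-pm1k"
    m = FW_FORMAT.match(firmware.strip())
    if m is None:
        # Do not guess whether "4.2" means 4.002 or 4.200; a person checks it.
        return "review"
    # Compare as integers: float or string comparison misorders such versions.
    version = (int(m.group(1)), int(m.group(2)))
    return "affected" if version < FIXED else "fixed"


def triage(inventory_csv):
    """Group PM1k hosts by status; non-PM1k assets are skipped."""
    result = {"affected": [], "fixed": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["catalog"], row["firmware"])
        if status != "not-pm1k":
            result[status].append(row["host"])
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the "review" group should be checked on the device itself before they are counted as patched.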