Rockwell Automation PowerMonitor 1000 Remote

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-24-352-03 | Dec 17, 2024
Rockwell Automation | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Rockwell Automation PowerMonitor 1000 devices in firmware versions below 4.020 contain multiple critical vulnerabilities (CWE-420, CWE-122, CWE-120) that allow remote attackers without authentication to perform edit operations, create administrative users, perform factory reset, execute arbitrary code, or cause denial-of-service conditions. Affected models include various TS3A, TR1A, TR2A, BC3A, EM1A, EM2A variants in both ENT and 485 network configurations.

What this means
What could happen
An attacker with network access could gain administrative control of PowerMonitor 1000 devices without needing credentials, allowing them to modify energy consumption data, disable monitoring, reset the device to defaults, or execute commands that could disrupt electrical grid monitoring and reporting. This directly impacts power distribution visibility and control.
Who's at risk
This affects utilities and energy companies operating Rockwell Automation PowerMonitor 1000 devices for electrical distribution monitoring and management. Any facility using these devices for power quality monitoring, demand management, or energy accounting is at risk if running firmware below version 4.020.
How it could be exploited
An attacker on your network or connected to the device's network interface (ENT or 485 serial) sends specially crafted unauthenticated requests to the PowerMonitor 1000. The device processes these requests due to improper input validation and weak authentication mechanisms, allowing the attacker to execute arbitrary code, modify settings, or create unauthorized admin accounts.
Prerequisites
  • Network access to the PowerMonitor 1000 device (via Ethernet or 485 serial connection)
  • No valid credentials required for exploitation
Key risk factors: remotely exploitable; no authentication required; low complexity; high CVSS score (9.8); affects monitoring and control systems; multiple code execution paths
Exploitability
Some exploitation risk — EPSS score 9.4%
Affected products (14)
14 with fix
Product | Affected Versions | Fix Status
PM1k 1408-TS3A-ENT | <4.020 | Fixed in 4.020
PM1k 1408-TR1A-ENT | <4.020 | Fixed in 4.020
PM1k 1408-BC3A-485 | <4.020 | Fixed in 4.020
PM1k 1408-BC3A-ENT | <4.020 | Fixed in 4.020
PM1k 1408-TS3A-485 | <4.020 | Fixed in 4.020
PM1k 1408-EM3A-485 | <4.020 | Fixed in 4.020
PM1k 1408-EM3A-ENT | <4.020 | Fixed in 4.020
PM1k 1408-TR1A-485 | <4.020 | Fixed in 4.020
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to PowerMonitor 1000 devices—allow connections only from authorized monitoring stations and management systems; deny all internet-facing access
WORKAROUND: If remote access is necessary, implement VPN connectivity for all management traffic to PowerMonitor 1000 devices
HARDENING: Monitor PowerMonitor 1000 devices for suspicious activity—unexpected administrative account creation, factory reset commands, or configuration changes
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade all PowerMonitor 1000 devices to firmware version 4.020 or later
Long-term hardening
HARDENING: Isolate PowerMonitor 1000 devices on a separate network segment from business networks and IT systems
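As an added example (not part of the OTPulse advisory or any Rockwell Automation tooling), the following Python script applies the affected-products table and the 4.020 fix version from this advisory to an asset inventory, so a defender can see which meters still need the HOTFIX; the inventory rows, asset names, the placeholder non-PM1k model and the catalogue-number regex are assumptions made for the demonstration.

```python
import re
from typing import Iterable, NamedTuple

# Catalogue numbers from the advisory's affected-products table; fixed version from its HOTFIX item.
ADVISORY_MODELS = {"1408-TS3A-ENT", "1408-TR1A-ENT", "1408-BC3A-485", "1408-BC3A-ENT",
                   "1408-TS3A-485", "1408-EM3A-485", "1408-EM3A-ENT", "1408-TR1A-485"}
FIXED_VERSION = "4.020"

# Status values: PATCH (below 4.020), OK, NOT-IN-ADVISORY, UNKNOWN-VERSION.
Finding = NamedTuple("Finding", [("asset", str), ("model", str), ("firmware", str), ("status", str)])

def parse_version(version: str) -> tuple[int, ...]:
    # Compare numerically: a plain string compare would rank "10.000" below "4.020".
    # Assumption: dot-separated integer fields, so "4.020" becomes (4, 20).
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)

def normalize_model(model: str) -> str:
    # Inventory entries vary ("PM1k 1408-ts3a-ent"); keep only the catalogue number (assumed pattern).
    m = re.search(r"1408-[A-Z0-9]{4}-(?:ENT|485)", model.upper())
    return m.group(0) if m else model.strip().upper()

def triage(inventory: Iterable[tuple[str, str, str]]) -> list[Finding]:
    findings = []
    for asset, model, fw in inventory:
        model_n = normalize_model(model)
        if model_n not in ADVISORY_MODELS:
            status = "NOT-IN-ADVISORY"
        else:
            try:
                status = "PATCH" if parse_version(fw) < parse_version(FIXED_VERSION) else "OK"
            except ValueError:
                status = "UNKNOWN-VERSION"  # cannot prove it is fixed; verify by hand
        findings.append(Finding(asset, model_n, fw, status))
    return findings

# Constructed sample inventory; asset names, the non-PM1k model and firmware values are made up.
SAMPLE_INVENTORY = [
    ("substation-A-meter1", "PM1k 1408-TS3A-ENT", "4.019"),
    ("substation-A-meter2", "pm1k 1408-tr1a-485", "4.020"),
    ("plant-B-meter7", "1408-EM3A-ENT", "10.000"),
    ("plant-B-other", "OTHER-DEVICE-PLACEHOLDER", "1.000"),
    ("yard-C-meter", "PM1k 1408-BC3A-485", "n/a"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.status:16} {f.asset:20} {f.model:26} fw={f.firmware}")
```

Devices reported as UNKNOWN-VERSION should be treated as unpatched until the firmware is confirmed on the device itself.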

Rockwell Automation PowerMonitor 1000 Remote | CVSS 9.8 - OTPulse