OTPulse

Rockwell Automation 440G TLS-Z

MonitorCVSS 7ICS-CERT ICSA-25-084-03Mar 24, 2025
Rockwell Automation
Attack path
Attack VectorLocal
Auth RequiredLow
ComplexityHigh
User InteractionNone needed
Summary

A code injection vulnerability (CWE-74) exists in Rockwell Automation's 440G TLS-Z load tap changer controller affecting all versions of the third-party local code and device firmware v6.001. Successful exploitation allows an attacker to execute arbitrary code and take over the device. The vulnerability requires local physical access, valid user credentials, and involves high attack complexity. Rockwell Automation has not released patches and will not provide fixes for this end-of-life product. No public exploitation has been reported.

What this means
What could happen
An attacker with local physical access and valid credentials could execute arbitrary code on the 440G TLS-Z device, potentially taking complete control of the load tap changer controller and disrupting voltage regulation on power distribution equipment.
Who's at risk
Water and electric utilities that use Rockwell Automation 440G TLS-Z load tap changer controllers for automatic voltage regulation on distribution transformers. This affects any organization operating this specific controller model, which is commonly found in substations and switchyards managing medium-voltage distribution equipment.
How it could be exploited
An attacker must have physical access to the device and valid user credentials. They would exploit a code injection vulnerability (CWE-74) in the device's local processing logic to execute malicious commands that could alter tap changer operations or disable safety controls.
Prerequisites
  • Physical access to the 440G TLS-Z device
  • Valid user credentials for device login
  • Local execution context on the device or connected engineering workstation
No patch available (end-of-life product)Requires local physical access and valid credentialsHigh attack complexityAffects critical power distribution equipmentCould disrupt voltage regulation and protective functions
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)
2 EOL
ProductAffected VersionsFix Status
Third-party Local CodeAll versionsNo fix (EOL)
440G TLS-Z: v6.001v6.001No fix (EOL)
Remediation & Mitigation
0/3
Do now
0/1
HARDENINGRestrict physical access to the 440G TLS-Z device and associated control panels to authorized personnel only; implement badge readers, locked enclosures, or monitored access areas
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HARDENINGImplement credential management controls to limit which personnel have valid login credentials for the device; audit and revoke unnecessary accounts
HARDENINGMonitor and log all local access attempts and code execution on the 440G TLS-Z device; configure alerts for suspicious activity
View full CISA ICS-CERT advisory
API: /api/v1/advisories/9f4dcddc-db36-4a4c-bc15-8ce7d5c84dda

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Rockwell Automation 440G TLS-Z | CVSS 7 - OTPulse