MidnightBSD

Advisories for rockwellautomation

CVE-2010-2965 HIGH

The WDB target agent debug service in Wind River VxWorks 6.x, 5.x, and earlier, as used on the Rockwell Automation 1756-ENBT series A with firmware 3.2.6 and 3.6.1 and other products, allows remote attackers to read or modify arbitrary memory locations, perform function calls, or manage tasks via requests to UDP port 17185, a related issue to CVE-2005-3804.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-863,

Products Affected

Vendor Product Version
rockwellautomation 1756-enbt/a_firmware 3.2.6
rockwellautomation 1756-enbt/a_firmware 3.6.1
windriver vxworks *
CVE-2010-5305 HIGH

The potential exists for exposure of the product's password used to restrict unauthorized access to Rockwell PLC5/SLC5/0x/RSLogix 1785-Lx and 1747-L5x controllers. The potential exists for an unauthorized programming and configuration client to gain access to the product and allow changes to the product’s configuration or program. When applicable, upgrade product firmware to a version that includes enhanced security functionality compatible with Rockwell Automation's FactoryTalk Security services.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-255,CWE-284,

Products Affected

Vendor Product Version
rockwellautomation rslogix *
rockwellautomation plc5_1785-lx_firmware -
rockwellautomation slc5/01_1747-l5x_firmware -
CVE-2011-2530 HIGH

Buffer overflow in RSEds.dll in RSHWare.exe in the EDS Hardware Installation Tool 1.0.5.1 and earlier in Rockwell Automation RSLinx Classic before 2.58 allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed .eds file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
rockwellautomation eds_hardware_installation_tool *
rockwellautomation rslinx *
CVE-2011-2957 MEDIUM

Unspecified vulnerability in Rockwell Automation FactoryTalk Diagnostics Viewer before V2.30.00 (CPR9 SR3) allows local users to execute arbitrary code via a crafted FactoryTalk Diagnostics Viewer (.ftd) configuration file, which triggers memory corruption.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_diagnostics_viewer 2.10.01
rockwellautomation factorytalk_diagnostics_viewer *
rockwellautomation factorytalk_diagnostics_viewer 2.10
CVE-2011-3489 MEDIUM

RnaUtility.dll in RsvcHost.exe 2.30.0.23 in Rockwell RSLogix 19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted rna packet with a long string to TCP port 4446 that triggers (1) "a memset zero overflow" or (2) an out-of-bounds read, related to improper handling of a 32-bit size field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
rockwellautomation rslogix *
CVE-2012-0221 MEDIUM

The FactoryTalk (FT) RNADiagReceiver service in Rockwell Automation Allen-Bradley FactoryTalk CPR9 through SR5 and RSLogix 5000 17 through 20 does not properly handle the return value from an unspecified function, which allows remote attackers to cause a denial of service (service outage) via a crafted packet.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
rockwellautomation rslogix_5000 17
rockwellautomation rslogix_5000 18
rockwellautomation factorytalk cpr9
rockwellautomation factorytalk cpr9_sr5
rockwellautomation rslogix_5000 20
rockwellautomation rslogix_5000 19
CVE-2012-0222 MEDIUM

The FactoryTalk (FT) RNADiagReceiver service in Rockwell Automation Allen-Bradley FactoryTalk CPR9 through SR5 and RSLogix 5000 17 through 20 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted packet.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
rockwellautomation rslogix_5000 17
rockwellautomation rslogix_5000 18
rockwellautomation factorytalk cpr9
rockwellautomation factorytalk cpr9_sr5
rockwellautomation rslogix_5000 20
rockwellautomation rslogix_5000 19
CVE-2012-6435 HIGH

When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the CPU to stop logic execution and enter a fault state, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices. Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,CWE-399,

Products Affected

Vendor Product Version
rockwellautomation 1768-enbt -
rockwellautomation guardlogix_controllers *
rockwellautomation flexlogix_1788-enbt_adapter -
rockwellautomation micrologix *
rockwellautomation compactlogix_l35e_controller -
rockwellautomation 1756-enbt -
rockwellautomation guardlogix *
rockwellautomation softlogix *
rockwellautomation 1768-eweb -
rockwellautomation compactlogix *
rockwellautomation controllogix_controllers *
rockwellautomation softlogix_controllers *
rockwellautomation compactlogix_controllers *
rockwellautomation compactlogix_l32e_controller -
rockwellautomation 1756-eweb -
rockwellautomation 1794-aentr_flex_i/o_ethernet/ip_adapter -
rockwellautomation controllogix *
CVE-2012-6436 HIGH

The device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the CPU to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices. Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,CWE-119,

Products Affected

Vendor Product Version
rockwellautomation 1768-enbt -
rockwellautomation guardlogix_controllers *
rockwellautomation flexlogix_1788-enbt_adapter -
rockwellautomation micrologix *
rockwellautomation compactlogix_l35e_controller -
rockwellautomation 1756-enbt -
rockwellautomation guardlogix *
rockwellautomation softlogix *
rockwellautomation 1768-eweb -
rockwellautomation compactlogix *
rockwellautomation controllogix_controllers *
rockwellautomation softlogix_controllers *
rockwellautomation compactlogix_controllers *
rockwellautomation compactlogix_l32e_controller -
rockwellautomation 1756-eweb -
rockwellautomation 1794-aentr_flex_i/o_ethernet/ip_adapter -
rockwellautomation controllogix *
CVE-2012-6437 HIGH

The device does not properly authenticate users and the potential exists for a remote user to upload a new firmware image to the Ethernet card, whether it is a corrupt or legitimate firmware image. Successful exploitation of this vulnerability could cause loss of availability, integrity, and confidentiality and a disruption in communications with other connected devices. Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
rockwellautomation 1768-enbt -
rockwellautomation guardlogix_controllers *
rockwellautomation flexlogix_1788-enbt_adapter -
rockwellautomation micrologix *
rockwellautomation compactlogix_l35e_controller -
rockwellautomation 1756-enbt -
rockwellautomation guardlogix *
rockwellautomation softlogix *
rockwellautomation 1768-eweb -
rockwellautomation compactlogix *
rockwellautomation controllogix_controllers *
rockwellautomation softlogix_controllers *
rockwellautomation compactlogix_controllers *
rockwellautomation compactlogix_l32e_controller -
rockwellautomation 1756-eweb -
rockwellautomation 1794-aentr_flex_i/o_ethernet/ip_adapter -
rockwellautomation controllogix *
CVE-2012-6438 HIGH

The device does not properly validate the data being sent to the buffer. An attacker can send a malformed CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP, which creates a buffer overflow and causes the NIC to crash. Successful exploitation of this vulnerability could cause loss of availability and a disruption in communications with other connected devices. Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,CWE-119,

Products Affected

Vendor Product Version
rockwellautomation 1768-enbt -
rockwellautomation guardlogix_controllers *
rockwellautomation flexlogix_1788-enbt_adapter -
rockwellautomation micrologix *
rockwellautomation compactlogix_l35e_controller -
rockwellautomation 1756-enbt -
rockwellautomation guardlogix *
rockwellautomation softlogix *
rockwellautomation 1768-eweb -
rockwellautomation compactlogix *
rockwellautomation controllogix_controllers *
rockwellautomation softlogix_controllers *
rockwellautomation compactlogix_controllers *
rockwellautomation compactlogix_l32e_controller -
rockwellautomation 1756-eweb -
rockwellautomation 1794-aentr_flex_i/o_ethernet/ip_adapter -
rockwellautomation controllogix *
CVE-2012-6439 HIGH

When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that changes the product’s configuration and network parameters, a DoS condition can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.  Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,NVD-CWE-Other,

Products Affected

Vendor Product Version
rockwellautomation 1768-enbt -
rockwellautomation guardlogix_controllers *
rockwellautomation flexlogix_1788-enbt_adapter -
rockwellautomation micrologix *
rockwellautomation compactlogix_l35e_controller -
rockwellautomation 1756-enbt -
rockwellautomation guardlogix *
rockwellautomation softlogix *
rockwellautomation 1768-eweb -
rockwellautomation compactlogix *
rockwellautomation controllogix_controllers *
rockwellautomation softlogix_controllers *
rockwellautomation compactlogix_controllers *
rockwellautomation compactlogix_l32e_controller -
rockwellautomation 1756-eweb -
rockwellautomation 1794-aentr_flex_i/o_ethernet/ip_adapter -
rockwellautomation controllogix *
CVE-2012-6440 HIGH

The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product’s Web server to view and alter product configuration and diagnostics information. Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
rockwellautomation 1768-enbt -
rockwellautomation guardlogix_controllers *
rockwellautomation flexlogix_1788-enbt_adapter -
rockwellautomation micrologix *
rockwellautomation compactlogix_l35e_controller -
rockwellautomation 1756-enbt -
rockwellautomation guardlogix *
rockwellautomation softlogix *
rockwellautomation 1768-eweb -
rockwellautomation compactlogix *
rockwellautomation controllogix_controllers *
rockwellautomation softlogix_controllers *
rockwellautomation compactlogix_controllers *
rockwellautomation compactlogix_l32e_controller -
rockwellautomation 1756-eweb -
rockwellautomation 1794-aentr_flex_i/o_ethernet/ip_adapter -
rockwellautomation controllogix *
CVE-2012-6441 MEDIUM

An information exposure of confidential information results when the device receives a specially crafted CIP packet to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP. Successful exploitation of this vulnerability could cause loss of confidentiality. Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-200,

Products Affected

Vendor Product Version
rockwellautomation 1768-enbt -
rockwellautomation guardlogix_controllers *
rockwellautomation flexlogix_1788-enbt_adapter -
rockwellautomation micrologix *
rockwellautomation compactlogix_l35e_controller -
rockwellautomation 1756-enbt -
rockwellautomation guardlogix *
rockwellautomation softlogix *
rockwellautomation 1768-eweb -
rockwellautomation compactlogix *
rockwellautomation controllogix_controllers *
rockwellautomation softlogix_controllers *
rockwellautomation compactlogix_controllers *
rockwellautomation compactlogix_l32e_controller -
rockwellautomation 1756-eweb -
rockwellautomation 1794-aentr_flex_i/o_ethernet/ip_adapter -
rockwellautomation controllogix *
CVE-2012-6442 HIGH

When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the product to reset, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices. Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,CWE-119,

Products Affected

Vendor Product Version
rockwellautomation softlogix_controllers_firmware 19
rockwellautomation guardlogix_firmware 18
rockwellautomation flexlogix_firmware -
rockwellautomation controllogix_controllers_firmware 20
rockwellautomation ethernet/ip_firmware -
rockwellautomation controllogix_firmware 18
rockwellautomation softlogix_firmware 18
rockwellautomation guardlogix_controllers_firmware 20
rockwellautomation compactlogix_firmware 18
rockwellautomation compactlogix_firmware -
rockwellautomation micrologix_firmware -
rockwellautomation compactlogix_controllers_firmware 19
rockwellautomation flex_i/o_ethernet/ip__firmware -
CVE-2013-2805 HIGH

Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 does not handle input correctly and results in a logic error if it receives a datagram with an incorrect value in the “Record Data Size” field. By sending a datagram to the service over Port 4444/UDP with the “Record Data Size” field modified to an oversized value, an attacker could cause an out-of-bounds read access violation that leads to a service crash. The service can be recovered with a manual reboot. The patches and details pertaining to this vulnerability can be found at the following Rockwell Automation Security Advisory link (login is required): https://rockwellautomation.custhelp.com/app/answers/detail/a_id/537599

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
rockwellautomation rslinx_enterprise 5.20.00
rockwellautomation rslinx_enterprise 5.21.00
rockwellautomation rslinx_enterprise 5.50.00
rockwellautomation rslinx_enterprise 5.10.01
rockwellautomation rslinx_enterprise 5.60.00
rockwellautomation rslinx_enterprise 5.51.00
rockwellautomation rslinx_enterprise 5.40.00
rockwellautomation rslinx_enterprise 5.10.00
rockwellautomation rslinx_enterprise 5.30.00
CVE-2013-2806 HIGH

Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 does not handle input correctly and results in a logic error if it calculates an incorrect value for the “End of Current Record” field. By sending a datagram to the service over Port 4444/UDP with the “Record Data Size” field modified to a specifically oversized value, the service will calculate an undersized value for the “Total Record Size.” Then the service will calculate an incorrect value for the “End of Current Record” field causing access violations that lead to a service crash. The service can be recovered with a manual reboot. The patches and details pertaining to these vulnerabilities can be found at the following Rockwell Automation security advisory link (login is required): https://rockwellautomation.custhelp.com/app/answers/detail/a_id/537599

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
rockwellautomation rslinx_enterprise 5.20.00
rockwellautomation rslinx_enterprise 5.21.00
rockwellautomation rslinx_enterprise 5.50.00
rockwellautomation rslinx_enterprise 5.10.01
rockwellautomation rslinx_enterprise 5.60.00
rockwellautomation rslinx_enterprise 5.51.00
rockwellautomation rslinx_enterprise 5.40.00
rockwellautomation rslinx_enterprise 5.10.00
rockwellautomation rslinx_enterprise 5.30.00
CVE-2013-2807 HIGH

Rockwell Automation RSLinx Enterprise Software (LogReceiver.exe) CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 does not handle input correctly and results in a logic error if it calculates an incorrect value for the “Total Record Size” field. By sending a datagram to the service over Port 4444/UDP with the “Record Data Size” field modified to a specifically oversized value, the service will calculate an undersized value for the “Total Record Size” that will cause an out-of-bounds read access violation that leads to a service crash. The service can be recovered with a manual reboot. The patches and details pertaining to these vulnerabilities can be found at the following Rockwell Automation Security Advisory link (login is required): https://rockwellautomation.custhelp.com/app/answers/detail/a_id/537599

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-125,

Products Affected

Vendor Product Version
rockwellautomation rslinx_enterprise 5.20.00
rockwellautomation rslinx_enterprise 5.21.00
rockwellautomation rslinx_enterprise 5.50.00
rockwellautomation rslinx_enterprise 5.10.01
rockwellautomation rslinx_enterprise 5.60.00
rockwellautomation rslinx_enterprise 5.51.00
rockwellautomation rslinx_enterprise 5.40.00
rockwellautomation rslinx_enterprise 5.10.00
rockwellautomation rslinx_enterprise 5.30.00
CVE-2014-0755 MEDIUM

Rockwell Automation RSLogix 5000 7 through 20.01, and 21.0, does not properly implement password protection for .ACD files (aka project files), which allows local users to obtain sensitive information or modify data via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,CWE-255,

Products Affected

Vendor Product Version
rockwellautomation rslogix_5000_design_and_configuration_software 21.0
rockwellautomation rslogix_5000_design_and_configuration_software 20.01
rockwellautomation rslogix_5000_design_and_configuration_software 18.0
rockwellautomation rslogix_5000_design_and_configuration_software 7.0
CVE-2014-5410 HIGH

The DNP3 feature on Rockwell Automation Allen-Bradley MicroLogix 1400 1766-Lxxxxx A FRN controllers 7 and earlier and 1400 1766-Lxxxxx B FRN controllers before 15.001 allows remote attackers to cause a denial of service (process disruption) via malformed packets over (1) an Ethernet network or (2) a serial line.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-399,

Products Affected

Vendor Product Version
rockwellautomation ab_micrologix_controller 1400
CVE-2014-5424 HIGH

Rockwell Automation Connected Components Workbench (CCW) before 7.00.00 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an invalid property value to an ActiveX control that was built with an outdated compiler.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
rockwellautomation connected_components_workbench *
CVE-2014-9204 MEDIUM

Stack-based buffer overflow in OPCTest.exe in Rockwell Automation RSLinx Classic before 3.73.00 allows remote attackers to execute arbitrary code via a crafted CSV file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
rockwellautomation rslinx *
CVE-2014-9209 MEDIUM

Untrusted search path vulnerability in the Clean Utility application in Rockwell Automation FactoryTalk Services Platform before 2.71.00 and FactoryTalk View Studio 8.00.00 and earlier allows local users to gain privileges via a Trojan horse DLL in an unspecified directory.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view_studio *
rockwellautomation factorytalk_services_platform *
CVE-2015-1010 MEDIUM

Rockwell Automation RSView32 7.60.00 (aka CPR9 SR4) and earlier does not properly encrypt credentials, which allows local users to obtain sensitive information by reading a file and conducting a decryption attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
rockwellautomation rsview32 *
CVE-2015-6486 MEDIUM

SQL injection vulnerability on Allen-Bradley MicroLogix 1100 devices before B FRN 15.000 and 1400 devices before B FRN 15.003 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1100_firmware *
rockwellautomation micrologix_1400_firmware *
CVE-2015-6488 MEDIUM

Cross-site scripting (XSS) vulnerability in the web server on Allen-Bradley MicroLogix 1100 devices before B FRN 15.000 and 1400 devices before B FRN 15.003 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1100_firmware *
rockwellautomation micrologix_1400_firmware *
CVE-2015-6490 HIGH

Stack-based buffer overflow on Allen-Bradley MicroLogix 1100 devices before B FRN 15.000 and 1400 devices through B FRN 15.003 allows remote attackers to execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1100_firmware *
rockwellautomation micrologix_1400_firmware *
CVE-2015-6491 MEDIUM

Allen-Bradley MicroLogix 1100 devices before B FRN 15.000 and 1400 devices before B FRN 15.003 allow remote authenticated users to insert the content of an arbitrary file into a FRAME element via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1100_firmware *
rockwellautomation micrologix_1400_firmware *
CVE-2015-6492 HIGH

Allen-Bradley MicroLogix 1100 devices before B FRN 15.000 and 1400 devices before B FRN 15.003 allow remote attackers to cause a denial of service (memory corruption and device crash) via a crafted HTTP request.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1100_firmware *
rockwellautomation micrologix_1400_firmware *
CVE-2016-0868 HIGH

Stack-based buffer overflow on Rockwell Automation Allen-Bradley MicroLogix 1100 devices A through 15.000 and B before 15.002 allows remote attackers to execute arbitrary code via a crafted web request.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
rockwellautomation 1763-l16awa_series_a 15.000
rockwellautomation 1763-l16bbb_series_a 15.000
rockwellautomation 1763-l16bwa_series_a 15.000
rockwellautomation 1763-l16awa_series_b 15.000
rockwellautomation 1763-l16dwd_series_b 15.000
rockwellautomation 1763-l16bbb_series_b 15.000
rockwellautomation 1763-l16bwa_series_b 15.000
rockwellautomation 1763-l16dwd_series_a 15.000
CVE-2016-2277 MEDIUM

IAB.exe in Rockwell Automation Integrated Architecture Builder (IAB) before 9.6.0.8 and 9.7.x before 9.7.0.2 allows remote attackers to execute arbitrary code via a crafted project file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
rockwellautomation integrated_architecture_builder *
rockwellautomation integrated_architecture_builder 9.7.0.0
rockwellautomation integrated_architecture_builder 9.7.0.1
CVE-2016-2279 MEDIUM

Cross-site scripting (XSS) vulnerability in the web server in Rockwell Automation Allen-Bradley CompactLogix 1769-L* before 28.011+ allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rockwellautomation compactlogix_1769-l23e-qbfc1b_firmware *
rockwellautomation compactlogix_1769-l33er_firmware *
rockwellautomation compactlogix_1756-en2f_series_a_firmware *
rockwellautomation compactlogix_1769-l30erm_firmware *
rockwellautomation compactlogix_1756-en2f_series_b_firmware *
rockwellautomation compactlogix_1756-en2tr_series_b_firmware *
rockwellautomation compactlogix_1756-en2t_series_b_firmware *
rockwellautomation compactlogix_1769-l24er-qb1b_firmware *
rockwellautomation compactlogix_1769-l27erm-qbfc1b_firmware *
rockwellautomation compactlogix_1769-l30er_firmware *
rockwellautomation compactlogix_1769-l18er-bb1b_firmware *
rockwellautomation compactlogix_1756-en2t_series_a_firmware *
rockwellautomation compactlogix_1769-l24er-qbfc1b_firmware *
rockwellautomation compactlogix_1756-en2t_series_c_firmware *
rockwellautomation compactlogix_1769-l23e-qb1b_firmware *
rockwellautomation compactlogix_1769-l30er-nse_firmware *
rockwellautomation compactlogix_1769-l33erm_firmware *
rockwellautomation compactlogix_1769-l18erm-bb1b_firmware *
rockwellautomation compactlogix_1769-l16er-bb1b_firmware *
rockwellautomation compactlogix_1756-en2tr_series_a_firmware *
rockwellautomation compactlogix_1769-l36erm_firmware *
rockwellautomation compactlogix_1756-en2t_series_d_firmware *
rockwellautomation compactlogix_1756-en3tr_series_a_firmware *
CVE-2016-4522 HIGH

SQL injection vulnerability in Rockwell Automation FactoryTalk EnergyMetrix before 2.20.00 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_energrymetrix *
CVE-2016-4531 HIGH

Rockwell Automation FactoryTalk EnergyMetrix before 2.20.00 does not invalidate credentials upon a logout action, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-285,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_energrymetrix *
CVE-2016-5645 HIGH

Rockwell Automation MicroLogix 1400 PLC 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, and 1766-L32BXBA devices have a hardcoded SNMP community, which makes it easier for remote attackers to load arbitrary firmware updates by leveraging knowledge of this community.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,

Products Affected

Vendor Product Version
rockwellautomation 1766-l32bwaa -
rockwellautomation 1766-l32bxb -
rockwellautomation 1766-l32awa -
rockwellautomation 1766-l32bxba -
rockwellautomation 1766-l32bwa -
rockwellautomation 1766-l32awaa -
CVE-2016-5814 HIGH

Buffer overflow in Rockwell Automation RSLogix Micro Starter Lite, RSLogix Micro Developer, RSLogix 500 Starter Edition, RSLogix 500 Standard Edition, and RSLogix 500 Professional Edition allows remote attackers to execute arbitrary code via a crafted RSS project file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
rockwellautomation rslogix_500_starter_edition -
rockwellautomation rslogix_500_standard_edition -
rockwellautomation rslogix_micro_developer -
rockwellautomation rslogix_micro_starter_lite -
rockwellautomation rslogix_500_professional_edition -
CVE-2016-9334 MEDIUM

An issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 controller 1763-L16AWA, Series A and B, Version 14.000 and prior versions; 1763-L16BBB, Series A and B, Version 14.000 and prior versions; 1763-L16BWA, Series A and B, Version 14.000 and prior versions; and 1763-L16DWD, Series A and B, Version 14.000 and prior versions. User credentials are sent to the web server in clear text, which may allow an attacker to discover the credentials if they are able to observe traffic between the web browser and the server.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rockwellautomation 1766-l32awaa_series_a *
rockwellautomation 1766-l32awaa_series_b *
rockwellautomation 1766-l32bxb_series_a *
rockwellautomation 1766-l32bwaa_series_b *
rockwellautomation 1766-l32bxba_series_a *
rockwellautomation 1766-l32bwa_series_b *
rockwellautomation 1763-l16dwd_series_b *
rockwellautomation 1763-l16bwa_series_a *
rockwellautomation 1763-l16bwa_series_b *
rockwellautomation 1763-l16bbb_series_a *
rockwellautomation 1763-l16bbb_series_b *
rockwellautomation 1766-l32awa_series_a *
rockwellautomation 1766-l32bxb_series_b *
rockwellautomation 1766-l32bwaa_series_a *
rockwellautomation 1766-l32bxba_series_b *
rockwellautomation 1763-l16awa_series_a *
rockwellautomation 1763-l16awa_series_b *
rockwellautomation 1766-l32awa_series_b *
rockwellautomation 1766-l32bwa_series_a *
rockwellautomation 1763-l16dwd_series_a *
CVE-2016-9338 MEDIUM

An issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 controller 1763-L16AWA, Series A and B, Version 14.000 and prior versions; 1763-L16BBB, Series A and B, Version 14.000 and prior versions; 1763-L16BWA, Series A and B, Version 14.000 and prior versions; and 1763-L16DWD, Series A and B, Version 14.000 and prior versions. Because of an Incorrect Permission Assignment for Critical Resource, users with administrator privileges may be able to remove all administrative users requiring a factory reset to restore ancillary web server function. Exploitation of this vulnerability will still allow the affected device to function in its capacity as a controller.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
rockwellautomation 1766-l32awaa_series_a *
rockwellautomation 1766-l32awaa_series_b *
rockwellautomation 1766-l32bxb_series_a *
rockwellautomation 1766-l32bwaa_series_b *
rockwellautomation 1766-l32bxba_series_a *
rockwellautomation 1766-l32bwa_series_b *
rockwellautomation 1763-l16dwd_series_b *
rockwellautomation 1763-l16bwa_series_a *
rockwellautomation 1763-l16bwa_series_b *
rockwellautomation 1763-l16bbb_series_a *
rockwellautomation 1763-l16bbb_series_b *
rockwellautomation 1766-l32awa_series_a *
rockwellautomation 1766-l32bxb_series_b *
rockwellautomation 1766-l32bwaa_series_a *
rockwellautomation 1766-l32bxba_series_b *
rockwellautomation 1763-l16awa_series_a *
rockwellautomation 1763-l16awa_series_b *
rockwellautomation 1766-l32awa_series_b *
rockwellautomation 1766-l32bwa_series_a *
rockwellautomation 1763-l16dwd_series_a *
CVE-2016-9343 HIGH

An issue was discovered in Rockwell Automation Logix5000 Programmable Automation Controller FRN 16.00 through 21.00 (excluding all firmware versions prior to FRN 16.00, which are not affected). By sending malformed common industrial protocol (CIP) packet, an attacker may be able to overflow a stack-based buffer and execute code on the controller or initiate a nonrecoverable fault resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
rockwellautomation 1769_compactlogix_l23x_controller_firmware 16.00
rockwellautomation controllogix_5570_redundant_controller_firmware 20.00
rockwellautomation controllogix_5570_controller_firmware 19.00
rockwellautomation controllogix_5570_controller_firmware 20.010
rockwellautomation 1768_compact_guardlogix_l4xs_controller_firmware 20.013
rockwellautomation 1768_compactlogix_l4x_controller_firmware 19.00
rockwellautomation 1768_compact_guardlogix_l4xs_controller_firmware 20.00
rockwellautomation softlogix_5800_controller_firmware 21.00
rockwellautomation controllogix_5570_controller_firmware 20.013
rockwellautomation controllogix_5560_controller_firmware 18.00
rockwellautomation softlogix_5800_controller_firmware 19.00
rockwellautomation 1768_compact_guardlogix_l4xs_controller_firmware 18.00
rockwellautomation softlogix_5800_controller_firmware 18.00
rockwellautomation controllogix_5570_redundant_controller_firmware 21.00
rockwellautomation 1769_compactlogix_l23x_controller_firmware 20.00
rockwellautomation 1769_compactlogix_5370_l3_controller_firmware 20.00
rockwellautomation 1769_compactlogix_5370_l2_controller_firmware 20.00
rockwellautomation controllogix_5560_controller_firmware 20.010
rockwellautomation controllogix_5560_controller_firmware 20.00
rockwellautomation rslogix_emulate_5000_firmware 19.00
rockwellautomation controllogix_l55_controller_firmware 16.00
rockwellautomation controllogix_l55_controller_firmware 16.022
rockwellautomation controllogix_5560_controller_firmware 20.013
rockwellautomation controllogix_5560_controller_firmware 17.00
rockwellautomation 1769_compactlogix_l3x_controller_firmware 20.00
rockwellautomation 1768_compact_guardlogix_l4xs_controller_firmware 20.011
rockwellautomation controllogix_5560_redundant_controller_firmware 20.00
rockwellautomation controllogix_5560_redundant_controller_firmware 20.055
rockwellautomation controllogix_l55_controller_firmware 16.020
rockwellautomation guardlogix_5570_controller_firmware 20.017
rockwellautomation 1769_compactlogix_l23x_controller_firmware 17.00
rockwellautomation controllogix_5560_redundant_controller_firmware 19.00
rockwellautomation 1769_compactlogix_5370_l1_controller_firmware 21.00
rockwellautomation 1769_compactlogix_l3x_controller_firmware 16.020
rockwellautomation 1769_compactlogix_5370_l2_controller_firmware 20.013
rockwellautomation 1768_compactlogix_l4x_controller_firmware 16.025
rockwellautomation guardlogix_5570_controller_firmware 18.00
rockwellautomation 1769_compactlogix_5370_l1_controller_firmware 20.00
rockwellautomation controllogix_5570_redundant_controller_firmware 20.055
rockwellautomation 1768_compactlogix_l4x_controller_firmware 17.00
rockwellautomation controllogix_5560_redundant_controller_firmware 20.050
rockwellautomation controllogix_5570_controller_firmware 18.00
rockwellautomation 1769_compactlogix_5370_l1_controller_firmware 20.013
rockwellautomation controllogix_5560_redundant_controller_firmware 16.00
rockwellautomation 1768_compactlogix_l4x_controller_firmware 16.00
rockwellautomation rslogix_emulate_5000_firmware 21.00
rockwellautomation guardlogix_5570_controller_firmware 17.00
rockwellautomation guardlogix_5570_controller_firmware 21.00
rockwellautomation 1768_compactlogix_l4x_controller_firmware 20.016
rockwellautomation guardlogix_5570_controller_firmware 16.00
rockwellautomation controllogix_5570_controller_firmware 21.00
rockwellautomation 1769_compactlogix_l3x_controller_firmware 18.00
rockwellautomation flexlogix_l34_controller_firmware 16.00
rockwellautomation 1768_compactlogix_l4x_controller_firmware 18.00
rockwellautomation rslogix_emulate_5000_firmware 18.00
rockwellautomation controllogix_5560_controller_firmware 19.00
rockwellautomation 1769_compactlogix_l23x_controller_firmware 20.013
rockwellautomation 1769_compactlogix_5370_l2_controller_firmware 21.00
rockwellautomation controllogix_5560_controller_firmware 16.022
rockwellautomation 1769_compactlogix_l3x_controller_firmware 16.023
rockwellautomation 1769_compactlogix_l3x_controller_firmware 20.010
rockwellautomation 1768_compactlogix_l4x_controller_firmware 20.00
rockwellautomation 1769_compactlogix_l3x_controller_firmware 19.00
rockwellautomation guardlogix_5570_controller_firmware 19.00
rockwellautomation 1769_compactlogix_5370_l3_controller_firmware 21.00
rockwellautomation controllogix_5560_controller_firmware 16.00
rockwellautomation 1769_compactlogix_5370_l2_controller_firmware 20.010
rockwellautomation 1768_compactlogix_l4x_controller_firmware 20.011
rockwellautomation guardlogix_5570_controller_firmware 20.00
rockwellautomation 1769_compactlogix_l3x_controller_firmware 17.00
rockwellautomation 1769_compactlogix_l3x_controller_firmware 20.013
rockwellautomation 1769_compactlogix_l23x_controller_firmware 20.010
rockwellautomation 1768_compactlogix_l4x_controller_firmware 16.020
rockwellautomation 1769_compactlogix_5370_l1_controller_firmware 20.010
rockwellautomation controllogix_5560_controller_firmware 16.020
rockwellautomation 1769_compactlogix_l23x_controller_firmware 19.00
rockwellautomation controllogix_5570_redundant_controller_firmware 20.050
rockwellautomation 1769_compactlogix_5370_l3_controller_firmware 20.010
rockwellautomation softlogix_5800_controller_firmware 20.00
rockwellautomation 1769_compactlogix_l3x_controller_firmware 16.00
rockwellautomation guardlogix_5570_controller_firmware 20.010
rockwellautomation 1769_compactlogix_l23x_controller_firmware 18.00
rockwellautomation 1769_compactlogix_5370_l3_controller_firmware 20.013
rockwellautomation 1768_compact_guardlogix_l4xs_controller_firmware 19.00
rockwellautomation rslogix_emulate_5000_firmware 20.00
CVE-2017-12088 HIGH

An exploitable denial of service vulnerability exists in the Ethernet functionality of the Allen Bradley Micrologix 1400 Series B FRN 21.2 and below. A specially crafted packet can cause a device power cycle resulting in a fault state and deletion of ladder logic. An attacker can send one unauthenticated packet to trigger this vulnerability

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-12089 HIGH

An exploitable denial of service vulnerability exists in the program download functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a device fault resulting in halted operations. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-12090 HIGH

An exploitable denial of service vulnerability exists in the processing of snmp-set commands of the Allen Bradley Micrologix 1400 Series B FRN 21.2 and below. A specially crafted snmp-set request, when sent without associated firmware flashing snmp-set commands, can cause a device power cycle resulting in downtime for the device. An attacker can send one packet to trigger this vulnerability.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-12092 MEDIUM

An exploitable file write vulnerability exists in the memory module functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a file write resulting in a new program being written to the memory module. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-12093 MEDIUM

An exploitable insufficient resource pool vulnerability exists in the session communication functionality of Allen Bradley Micrologix 1400 Series B Firmware 21.2 and before. A specially crafted stream of packets can cause a flood of the session resource pool resulting in legitimate connections to the PLC being disconnected. An attacker can send unauthenticated packets to trigger this vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-14022 MEDIUM

An Improper Input Validation issue was discovered in Rockwell Automation FactoryTalk Alarms and Events, Version 2.90 and earlier. An unauthenticated attacker with remote access to a network with FactoryTalk Alarms and Events can send a specially crafted set of packets packet to Port 403/TCP (the history archiver service), causing the service to either stall or terminate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_alarms_and_events *
CVE-2017-14462 HIGH

An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG (also RUN for some) Description: Allows an attacker to enable SNMP, Modbus, DNP, and any other features in the channel configuration. Also allows attackers to change network parameters, such as IP address, name server, and domain name.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-14463 HIGH

An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG Associated Fault Code: 0012 Fault Type: Non-User Description: A fault state can be triggered by overwriting the ladder logic data file (type 0x22 number 0x02) with null values.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-14464 HIGH

An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability.Required Keyswitch State: REMOTE or PROG Associated Fault Code: 0001 Fault Type: Non-User Description: A fault state can be triggered by setting the NVRAM/memory module user program mismatch bit (S2:9) when a memory module is NOT installed.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-14465 HIGH

An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE Description: Any input or output can be forced, causing unpredictable activity from the PLC.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-14466 HIGH

An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG Description: The filetype 0x03 allows users write access, allowing the ability to overwrite the Master Password value stored in the file.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-14467 HIGH

An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE Description: Live rung edits are able to be made by an unauthenticated user allowing for addition, deletion, or modification of existing ladder logic. Additionally, faults and cpu state modification can be triggered if specific ladder logic is used.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-14468 HIGH

An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG Description: This ability is leveraged in a larger exploit to flash custom firmware.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-14469 HIGH

An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG Associated Fault Code: 0028 Fault Type: Non-User Description: Values 0x01 and 0x02 are invalid values for the user fault routine. By writing directly to the file it is possible to set these values. When this is done and the device is moved into a run state, a fault is triggered. NOTE: This is not possible through RSLogix.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-14470 HIGH

An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG or RUN Description: The value 0xffffffff is considered NaN for the Float data type. When a float is set to this value and used in the PLC, a fault is triggered. NOTE: This is not possible through RSLogix.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-14471 HIGH

An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: REMOTE or PROG Associated Fault Codes: 0023, 002e, and 0037 Fault Type: Recoverable Description: The STI, EII, and HSC function files contain bits signifying whether or not a fault has occurred. Additionally there is a bit signaling the module to auto start. When these bits are set for any of the three modules and the device is moved into a run state, a fault is triggered.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-14472 HIGH

An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: Any Description: Requests a specific set of bytes from an undocumented data file and returns the ASCII version of the master password.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-14473 HIGH

An exploitable access control vulnerability exists in the data, program, and function file permissions functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a read or write operation resulting in disclosure of sensitive information, modification of settings, or modification of ladder logic. An attacker can send unauthenticated packets to trigger this vulnerability. Required Keyswitch State: Any Description: Reads the encoded ladder logic from its data file and print it out in HEX.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
CVE-2017-16740 HIGH

A Buffer Overflow issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1400 Controllers, Series B and C Versions 21.002 and earlier. The stack-based buffer overflow vulnerability has been identified, which may allow remote code execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,CWE-119,

Products Affected

Vendor Product Version
rockwellautomation 1766-l32bxba_firmware *
rockwellautomation 1766-l32bwa_firmware *
rockwellautomation 1766-l32bxb_firmware *
rockwellautomation 1766-l32awa_firmware *
rockwellautomation 1766-l32bwaa_firmware *
rockwellautomation 1766-l32awaa_firmware *
CVE-2017-5176 MEDIUM

A DLL Hijack issue was discovered in Rockwell Automation Connected Components Workbench (CCW). The following versions are affected: Connected Components Workbench - Developer Edition, v9.01.00 and earlier: 9328-CCWDEVENE, 9328-CCWDEVZHE, 9328-CCWDEVFRE, 9328-CCWDEVITE, 9328-CCWDEVDEE, 9328-CCWDEVESE, and 9328-CCWDEVPTE; and Connected Components Workbench - Free Standard Edition (All Supported Languages), v9.01.00 and earlier. Certain DLLs included with versions of CCW software can be potentially hijacked to allow an attacker to gain rights to a victim's affected personal computer. Such access rights can be at the same or potentially higher level of privileges as the compromised user account, including and up to computer administrator privileges.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,CWE-427,

Products Affected

Vendor Product Version
rockwellautomation connected_components_workbench *
CVE-2017-6015 HIGH

Without quotation marks, any whitespace in the file path for Rockwell Automation FactoryTalk Activation version 4.00.02 remains ambiguous, which may allow an attacker to link to or run a malicious executable. This may allow an authorized, but not privileged local user to execute arbitrary code with elevated privileges on the system. CVSS v3 base score: 8.8, CVSS vector string: (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). Rockwell Automation has released a new version of FactoryTalk Activation, Version 4.01, which addresses the identified vulnerability. Rockwell Automation recommends upgrading to the latest version of FactoryTalk Activation, Version 4.01 or later.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-428,CWE-74,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_activation *
CVE-2017-6024 HIGH

A Resource Exhaustion issue was discovered in Rockwell Automation ControlLogix 5580 controllers V28.011, V28.012, and V28.013; ControlLogix 5580 controllers V29.011; CompactLogix 5380 controllers V28.011; and CompactLogix 5380 controllers V29.011. This vulnerability may allow an attacker to cause a denial of service condition by sending a series of specific CIP-based commands to the controller.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
rockwellautomation controllogix_5580_firmware v28.013
rockwellautomation compactlogix_5380_firmware v29.011
rockwellautomation controllogix_5580_firmware v28.011
rockwellautomation controllogix_5580_firmware v29.011
rockwellautomation controllogix_5580_firmware v28.012
rockwellautomation compactlogix_5380_firmware v28.011
CVE-2017-7898 MEDIUM

An Improper Restriction of Excessive Authentication Attempts issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. There are no penalties for repeatedly entering incorrect passwords.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-307,CWE-307,

Products Affected

Vendor Product Version
rockwellautomation 1766-l32awaa_series_a *
rockwellautomation 1766-l32awaa_series_b *
rockwellautomation 1766-l32bxb_series_a *
rockwellautomation 1766-l32bwaa_series_b *
rockwellautomation 1766-l32bxba_series_a *
rockwellautomation 1766-l32bwa_series_b *
rockwellautomation 1763-l16dwd_series_b *
rockwellautomation 1763-l16bwa_series_a *
rockwellautomation 1763-l16bwa_series_b *
rockwellautomation 1763-l16bbb_series_a *
rockwellautomation 1763-l16bbb_series_b *
rockwellautomation 1766-l32awa_series_a *
rockwellautomation 1766-l32bxb_series_b *
rockwellautomation 1766-l32bwaa_series_a *
rockwellautomation 1766-l32bxba_series_b *
rockwellautomation 1763-l16awa_series_a *
rockwellautomation 1763-l16awa_series_b *
rockwellautomation 1766-l32awa_series_b *
rockwellautomation 1766-l32bwa_series_a *
rockwellautomation 1763-l16dwd_series_a *
CVE-2017-7899 MEDIUM

An Information Exposure issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. User credentials are sent to the web server using the HTTP GET method, which may result in the credentials being logged. This could make user credentials available for unauthorized retrieval.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-200,

Products Affected

Vendor Product Version
rockwellautomation 1766-l32awaa_series_a *
rockwellautomation 1766-l32awaa_series_b *
rockwellautomation 1766-l32bxb_series_a *
rockwellautomation 1766-l32bwaa_series_b *
rockwellautomation 1766-l32bxba_series_a *
rockwellautomation 1766-l32bwa_series_b *
rockwellautomation 1763-l16dwd_series_b *
rockwellautomation 1763-l16bwa_series_a *
rockwellautomation 1763-l16bwa_series_b *
rockwellautomation 1763-l16bbb_series_a *
rockwellautomation 1763-l16bbb_series_b *
rockwellautomation 1766-l32awa_series_a *
rockwellautomation 1766-l32bxb_series_b *
rockwellautomation 1766-l32bwaa_series_a *
rockwellautomation 1766-l32bxba_series_b *
rockwellautomation 1763-l16awa_series_a *
rockwellautomation 1763-l16awa_series_b *
rockwellautomation 1766-l32awa_series_b *
rockwellautomation 1766-l32bwa_series_a *
rockwellautomation 1763-l16dwd_series_a *
CVE-2017-7901 HIGH

A Predictable Value Range from Previous Values issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. Insufficiently random TCP initial sequence numbers are generated, which may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections, resulting in a denial of service for the target device.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-343,CWE-330,

Products Affected

Vendor Product Version
rockwellautomation 1766-l32awaa_series_a *
rockwellautomation 1766-l32awaa_series_b *
rockwellautomation 1766-l32bxb_series_a *
rockwellautomation 1766-l32bwaa_series_b *
rockwellautomation 1766-l32bxba_series_a *
rockwellautomation 1766-l32bwa_series_b *
rockwellautomation 1763-l16dwd_series_b *
rockwellautomation 1763-l16bwa_series_a *
rockwellautomation 1763-l16bwa_series_b *
rockwellautomation 1763-l16bbb_series_a *
rockwellautomation 1763-l16bbb_series_b *
rockwellautomation 1766-l32awa_series_a *
rockwellautomation 1766-l32bxb_series_b *
rockwellautomation 1766-l32bwaa_series_a *
rockwellautomation 1766-l32bxba_series_b *
rockwellautomation 1763-l16awa_series_a *
rockwellautomation 1763-l16awa_series_b *
rockwellautomation 1766-l32awa_series_b *
rockwellautomation 1766-l32bwa_series_a *
rockwellautomation 1763-l16dwd_series_a *
CVE-2017-7902 MEDIUM

A "Reusing a Nonce, Key Pair in Encryption" issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. The affected product reuses nonces, which may allow an attacker to capture and replay a valid request until the nonce is changed.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-323,CWE-330,

Products Affected

Vendor Product Version
rockwellautomation 1766-l32awaa_series_a *
rockwellautomation 1766-l32awaa_series_b *
rockwellautomation 1766-l32bxb_series_a *
rockwellautomation 1766-l32bwaa_series_b *
rockwellautomation 1766-l32bxba_series_a *
rockwellautomation 1766-l32bwa_series_b *
rockwellautomation 1763-l16dwd_series_b *
rockwellautomation 1763-l16bwa_series_a *
rockwellautomation 1763-l16bwa_series_b *
rockwellautomation 1763-l16bbb_series_a *
rockwellautomation 1763-l16bbb_series_b *
rockwellautomation 1766-l32awa_series_a *
rockwellautomation 1766-l32bxb_series_b *
rockwellautomation 1766-l32bwaa_series_a *
rockwellautomation 1766-l32bxba_series_b *
rockwellautomation 1763-l16awa_series_a *
rockwellautomation 1763-l16awa_series_b *
rockwellautomation 1766-l32awa_series_b *
rockwellautomation 1766-l32bwa_series_a *
rockwellautomation 1763-l16dwd_series_a *
CVE-2017-7903 MEDIUM

A Weak Password Requirements issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. The affected products use a numeric password with a small maximum character size for the password.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-521,CWE-326,

Products Affected

Vendor Product Version
rockwellautomation 1766-l32awaa_series_a *
rockwellautomation 1766-l32awaa_series_b *
rockwellautomation 1766-l32bxb_series_a *
rockwellautomation 1766-l32bwaa_series_b *
rockwellautomation 1766-l32bxba_series_a *
rockwellautomation 1766-l32bwa_series_b *
rockwellautomation 1763-l16dwd_series_b *
rockwellautomation 1763-l16bwa_series_a *
rockwellautomation 1763-l16bwa_series_b *
rockwellautomation 1763-l16bbb_series_a *
rockwellautomation 1763-l16bbb_series_b *
rockwellautomation 1766-l32awa_series_a *
rockwellautomation 1766-l32bxb_series_b *
rockwellautomation 1766-l32bwaa_series_a *
rockwellautomation 1766-l32bxba_series_b *
rockwellautomation 1763-l16awa_series_a *
rockwellautomation 1763-l16awa_series_b *
rockwellautomation 1766-l32awa_series_b *
rockwellautomation 1766-l32bwa_series_a *
rockwellautomation 1763-l16dwd_series_a *
CVE-2017-7914 HIGH

A Missing Authorization issue was discovered in Rockwell Automation PanelView Plus 6 700-1500 6.00.04, 6.00.05, 6.00.42, 6.00-20140306, 6.10.20121012, 6.10-20140122, 7.00-20121012, 7.00-20130108, 7.00-20130325, 7.00-20130619, 7.00-20140128, 7.00-20140310, 7.00-20140429, 7.00-20140621, 7.00-20140729, 7.00-20141022, 8.00-20140730, and 8.00-20141023. There is no authorization check when connecting to the device, allowing an attacker remote access.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-882,CWE-862,

Products Affected

Vendor Product Version
rockwellautomation panelview_plus_6_700-1500_firmware 7.00-20140310
rockwellautomation panelview_plus_6_700-1500_firmware 7.00-20140429
rockwellautomation panelview_plus_6_700-1500_firmware 6.00.04
rockwellautomation panelview_plus_6_700-1500_firmware 7.00-20130108
rockwellautomation panelview_plus_6_700-1500_firmware 7.00-20130325
rockwellautomation panelview_plus_6_700-1500_firmware 6.00.05
rockwellautomation panelview_plus_6_700-1500_firmware 8.00-20141023
rockwellautomation panelview_plus_6_700-1500_firmware 6.00-20140306
rockwellautomation panelview_plus_6_700-1500_firmware 6.00.42
rockwellautomation panelview_plus_6_700-1500_firmware 8.00-20140730
rockwellautomation panelview_plus_6_700-1500_firmware 7.00-20140621
rockwellautomation panelview_plus_6_700-1500_firmware 7.00-20140128
rockwellautomation panelview_plus_6_700-1500_firmware 6.10.20121012
rockwellautomation panelview_plus_6_700-1500_firmware 7.00-20140729
rockwellautomation panelview_plus_6_700-1500_firmware 7.00-20141022
rockwellautomation panelview_plus_6_700-1500_firmware 7.00-20121012
rockwellautomation panelview_plus_6_700-1500_firmware 6.10-20140122
rockwellautomation panelview_plus_6_700-1500_firmware 7.00-20130619
CVE-2017-7924 MEDIUM

An Improper Input Validation issue was discovered in Rockwell Automation MicroLogix 1100 controllers 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, and 1763-L16DWD. A remote, unauthenticated attacker could send a single, specially crafted Programmable Controller Communication Commands (PCCC) packet to the controller that could potentially cause the controller to enter a DoS condition.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
rockwellautomation 1763-l16dwd_firmware -
rockwellautomation 1763-l16bwa_firmware -
rockwellautomation 1763-l16bbb_firmware -
rockwellautomation 1763-l16awa_firmware -
CVE-2017-9312 HIGH

Improperly implemented option-field processing in the TCP/IP stack on Allen-Bradley L30ERMS safety devices v30 and earlier causes a denial of service. When a crafted TCP packet is received, the device reboots immediately.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
rockwellautomation allen-bradley_l30erms_firmware *
CVE-2018-10619 MEDIUM

An unquoted search path or element in RSLinx Classic Versions 3.90.01 and prior and FactoryTalk Linx Gateway Versions 3.90.00 and prior may allow an authorized, but non-privileged local user to execute arbitrary code and allow a threat actor to escalate user privileges on the affected workstation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-428,CWE-428,

Products Affected

Vendor Product Version
rockwellautomation rslinx_classic *
rockwellautomation factorytalk_linx_gateway *
CVE-2018-14821 MEDIUM

Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This vulnerability may allow a remote, unauthenticated threat actor to intentionally send a malformed CIP packet to Port 44818, causing the RSLinx Classic application to terminate. The user will need to manually restart the software to regain functionality.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-122,CWE-119,

Products Affected

Vendor Product Version
rockwellautomation rslinx *
CVE-2018-14827 MEDIUM

Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. A remote, unauthenticated threat actor may intentionally send specially crafted Ethernet/IP packets to Port 44818, causing the software application to stop responding and crash. The user must restart the software to regain functionality.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-400,

Products Affected

Vendor Product Version
rockwellautomation rslinx *
CVE-2018-14829 HIGH

Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This vulnerability may allow a remote threat actor to intentionally send a malformed CIP packet to Port 44818, causing the software application to stop responding and crash. This vulnerability also has the potential to exploit a buffer overflow condition, which may allow the threat actor to remotely execute arbitrary code.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-121,CWE-119,

Products Affected

Vendor Product Version
rockwellautomation rslinx *
CVE-2018-17924 HIGH

Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules An unauthenticated, remote threat actor could send a CIP connection request to an affected device, and upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system as the system traffic is still attempting to communicate with the device via the overwritten IP address.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-306,CWE-306,

Products Affected

Vendor Product Version
rockwellautomation 1756-en3tr_series_b_firmware *
rockwellautomation micrologix_1400_firmware -
rockwellautomation 1756-eweb_series_a_firmware -
rockwellautomation 1756-en2t_series_b_firmware -
rockwellautomation 1756-eweb_series_b_firmware -
rockwellautomation 1756-en2tr_series_c_firmware *
rockwellautomation 1756-en2tr_series_a_firmware -
rockwellautomation 1756-en2t_series_a_firmware -
rockwellautomation 1756-en2t_series_d_firmware *
rockwellautomation 1756-en2f_series_b_firmware -
rockwellautomation 1756-en2f_series_c_firmware *
rockwellautomation 1756-en2f_series_a_firmware -
rockwellautomation 1756-en2t_series_c_firmware -
rockwellautomation 1756-en3tr_series_a_firmware -
rockwellautomation 1756-enbt_firmware -
rockwellautomation 1756-en2tr_series_b_firmware -
CVE-2018-18981 HIGH

In Rockwell Automation FactoryTalk Services Platform 2.90 and earlier, a remote unauthenticated attacker could send numerous crafted packets to service ports resulting in memory consumption that could lead to a partial or complete denial-of-service condition to the affected services.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_services_platform *
CVE-2018-19016 HIGH

Rockwell Automation EtherNet/IP Web Server Modules 1756-EWEB (includes 1756-EWEBK) Version 5.001 and earlier, and CompactLogix 1768-EWEB Version 2.005 and earlier. A remote attacker could send a crafted UDP packet to the SNMP service causing a denial-of-service condition to occur until the affected product is restarted.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
rockwellautomation ethernet/ip_web_server_module_1756-eweb *
rockwellautomation ethernet/ip_web_server_module_1768-eweb *
CVE-2018-19282 HIGH

Rockwell Automation PowerFlex 525 AC Drives 5.001 and earlier allow remote attackers to cause a denial of service by crashing the Common Industrial Protocol (CIP) network stack. The vulnerability allows the attacker to crash the CIP in a way that it does not accept new connections, but keeps the current connections active, which can prevent legitimate users from recovering control.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,

Products Affected

Vendor Product Version
rockwellautomation powerflex_525_ac_drives_firmware *
CVE-2018-19615 MEDIUM

Rockwell Automation Allen-Bradley PowerMonitor 1000 all versions. A remote attacker could inject arbitrary code into a targeted user’s web browser to gain access to the affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
rockwellautomation powermonitor_1000_firmware 1408-em3a-ent_b
CVE-2018-19616 MEDIUM

An issue was discovered in Rockwell Automation Allen-Bradley PowerMonitor 1000. An unauthenticated user can add/edit/remove administrators because access control is implemented on the client side via a disabled attribute for a BUTTON element.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
rockwellautomation powermonitor_1000_firmware 1408-em3a-ent_b
CVE-2018-8843 MEDIUM

Rockwell Automation Arena versions 15.10.00 and prior contains a use after free vulnerability caused by processing specially crafted Arena Simulation Software files that may cause the software application to crash, potentially losing any unsaved data..

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2019-10952 HIGH

An attacker could send a crafted HTTP/HTTPS request to render the web server unavailable and/or lead to remote code execution caused by a stack-based buffer overflow vulnerability. A cold restart is required for recovering CompactLogix 5370 L1, L2, and L3 Controllers, Compact GuardLogix 5370 controllers, and Armor Compact GuardLogix 5370 Controllers Versions 20 - 30 and earlier.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,CWE-787,

Products Affected

Vendor Product Version
rockwellautomation compactlogix_5370_l1_firmware *
rockwellautomation armor_compact_guardlogix_5370_firmware *
rockwellautomation compactlogix_5370_l3_firmware *
rockwellautomation compactlogix_5370_l2_firmware *
CVE-2019-10954 HIGH

An attacker could send crafted SMTP packets to cause a denial-of-service condition where the controller enters a major non-recoverable faulted state (MNRF) in CompactLogix 5370 L1, L2, and L3 Controllers, Compact GuardLogix 5370 controllers, and Armor Compact GuardLogix 5370 Controllers Versions 20 - 30 and earlier.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-121,CWE-787,

Products Affected

Vendor Product Version
rockwellautomation compactlogix_5370_l1_firmware *
rockwellautomation armor_compact_guardlogix_5370_firmware *
rockwellautomation compactlogix_5370_l3_firmware *
rockwellautomation compactlogix_5370_l2_firmware *
rockwellautomation compact_guardlogix_5370_firmware *
CVE-2019-10955 MEDIUM

In Rockwell Automation MicroLogix 1400 Controllers Series A, All Versions Series B, v15.002 and earlier, MicroLogix 1100 Controllers v14.00 and earlier, CompactLogix 5370 L1 controllers v30.014 and earlier, CompactLogix 5370 L2 controllers v30.014 and earlier, CompactLogix 5370 L3 controllers (includes CompactLogix GuardLogix controllers) v30.014 and earlier, an open redirect vulnerability could allow a remote unauthenticated attacker to input a malicious link to redirect users to a malicious site that could run or download arbitrary malware on the user’s machine.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,CWE-601,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
rockwellautomation compactlogix_5370_l1_firmware *
rockwellautomation micrologix_1400_a_firmware *
rockwellautomation micrologix_1100_firmware *
rockwellautomation compactlogix_5370_l3_firmware *
rockwellautomation compactlogix_5370_l2_firmware *
CVE-2019-10970 HIGH

In Rockwell Automation PanelView 5510 (all versions manufactured before March 13, 2019 that have never been updated to v4.003, v5.002, or later), a remote, unauthenticated threat actor with access to an affected PanelView 5510 Graphic Display, upon successful exploit, may boot-up the terminal and gain root-level access to the device’s file system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,NVD-CWE-Other,

Products Affected

Vendor Product Version
rockwellautomation panelview_5510_firmware *
CVE-2019-13510 MEDIUM

Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain a USE AFTER FREE CWE-416. A maliciously crafted Arena file opened by an unsuspecting user may result in the application crashing or the execution of arbitrary code.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
rockwellautomation arena *
rockwellautomation arena_simulation_software *
CVE-2019-13511 MEDIUM

Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain an INFORMATION EXPOSURE CWE-200. A maliciously crafted Arena file opened by an unsuspecting user may result in the limited exposure of information related to the targeted workstation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-416,

Products Affected

Vendor Product Version
rockwellautomation arena *
rockwellautomation arena_simulation_software *
CVE-2019-13519 MEDIUM

A maliciously crafted program file opened by an unsuspecting user of Rockwell Automation Arena Simulation Software version 16.00.00 and earlier may result in the limited exposure of information related to the targeted workstation. Rockwell Automation has released version 16.00.01 of Arena Simulation Software to address the reported vulnerabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-843,CWE-843,

Products Affected

Vendor Product Version
rockwellautomation arena *
rockwellautomation arena_simulation *
CVE-2019-13521 MEDIUM

A maliciously crafted program file opened by an unsuspecting user of Rockwell Automation Arena Simulation Software version 16.00.00 and earlier may result in the limited exposure of information related to the targeted workstation. Rockwell Automation has released version 16.00.01 of Arena Simulation Software to address the reported vulnerabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-357,NVD-CWE-Other,

Products Affected

Vendor Product Version
rockwellautomation arena *
rockwellautomation arena_simulation *
CVE-2019-13527 MEDIUM

In Rockwell Automation Arena Simulation Software Cat. 9502-Ax, Versions 16.00.00 and earlier, a maliciously crafted Arena file opened by an unsuspecting user may result in the use of a pointer that has not been initialized.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-824,CWE-824,

Products Affected

Vendor Product Version
rockwellautomation arena *
rockwellautomation arena_simulation_software *
CVE-2019-6553 HIGH

A vulnerability was found in Rockwell Automation RSLinx Classic versions 4.10.00 and prior. An input validation issue in a .dll file of RSLinx Classic where the data in a Forward Open service request is passed to a fixed size buffer, allowing an attacker to exploit a stack-based buffer overflow condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-121,CWE-787,

Products Affected

Vendor Product Version
rockwellautomation rslinx *
CVE-2020-10642 HIGH

In Rockwell Automation RSLinx Classic versions 4.11.00 and prior, an authenticated local attacker could modify a registry key, which could lead to the execution of malicious code using system privileges when opening RSLinx Classic.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-732,CWE-732,

Products Affected

Vendor Product Version
rockwellautomation rslinx_classic *
CVE-2020-11999 MEDIUM

FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior,Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later Stud, 5000 Logix Designer software: Version 32 and prior is vulnerable. An exposed API call allows users to provide files to be processed without sanitation. This may allow an attacker to specify a filename to execute unauthorized code and modify files or data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
rockwellautomation rslinx_classic *
rockwellautomation factorytalk_linx 6.10
rockwellautomation factorytalk_linx 6.11
rockwellautomation factorytalk_linx 6.00
CVE-2020-12001 HIGH

FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior,Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later Stud, 5000 Logix Designer software: Version 32 and prior is vulnerable. The parsing mechanism that processes certain file types does not provide input sanitation. This may allow an attacker to use specially crafted files to traverse the file system and modify or expose sensitive data or execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
rockwellautomation rslinx_classic *
rockwellautomation factorytalk_linx 6.10
rockwellautomation factorytalk_linx 6.11
rockwellautomation factorytalk_linx 6.00
CVE-2020-12003 MEDIUM

FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior,Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later Stud, 5000 Logix Designer software: Version 32 and prior is vulnerable. An exposed API call allows users to provide files to be processed without sanitation. This may allow an attacker to use specially crafted requests to traverse the file system and expose sensitive data on the local hard drive.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-22,

Products Affected

Vendor Product Version
rockwellautomation rslinx_classic *
rockwellautomation factorytalk_linx 6.10
rockwellautomation factorytalk_linx 6.11
rockwellautomation factorytalk_linx 6.00
CVE-2020-12005 HIGH

FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior,Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later Stud, 5000 Logix Designer software: Version 32 and prior is vulnerable. A vulnerability exists in the communication function that enables users to upload EDS files by FactoryTalk Linx. This may allow an attacker to upload a file with bad compression, consuming all the available CPU resources, leading to a denial-of-service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,CWE-434,

Products Affected

Vendor Product Version
rockwellautomation rslinx_classic *
rockwellautomation factorytalk_linx 6.10
rockwellautomation factorytalk_linx 6.11
rockwellautomation factorytalk_linx 6.00
CVE-2020-12025 MEDIUM

Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other resources from the program.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-611,

Products Affected

Vendor Product Version
rockwellautomation studio_5000_logix_designer 32.01
rockwellautomation studio_5000_logix_designer 32.02
rockwellautomation studio_5000_logix_designer 32.00
CVE-2020-12027 MEDIUM

All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4
ics-cert@hq.dhs.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view *
CVE-2020-12028 MEDIUM

In all versions of FactoryTalk View SEA remote, an authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint since those handlers do not enforce appropriate permissions. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 2.1 5.2
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,CWE-306,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view *
CVE-2020-12029 MEDIUM

All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 – Patch Roll-up for CPR9 SRx.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9
ics-cert@hq.dhs.gov 9.0 CRITICAL CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N 2.5 5.8

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view -
CVE-2020-12031 MEDIUM

In all versions of FactoryTalk View SE, after bypassing memory corruption mechanisms found in the operating system, a local, authenticated attacker may corrupt the associated memory space allowing for arbitrary code execution. Rockwell Automation recommends applying patch 1126290. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 – Patch Roll-up for CPR9 SRx.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H 0.8 6.0
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-787,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view *
CVE-2020-12033 MEDIUM

In Rockwell Automation FactoryTalk Services Platform, all versions, the redundancy host service (RdcyHost.exe) does not validate supplied identifiers, which could allow an unauthenticated, adjacent attacker to execute remote COM objects with elevated privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_services_platform *
CVE-2020-12034 MEDIUM

Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterprise): Versions 6.00, 6.10, and 6.11, RSLinx Classic: Version 4.11.00 and prior, RSNetWorx software: Version 28.00.00 and prior, Studio 5000 Logix Designer software: Version 32 and prior) is vulnerable.The EDS subsystem does not provide adequate input sanitation, which may allow an attacker to craft specialized EDS files to inject SQL queries and manipulate the database storing the EDS files. This can lead to denial-of-service conditions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H 2.8 4.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,CWE-89,

Products Affected

Vendor Product Version
rockwellautomation eds_subsystem *
rockwellautomation rsnetworx *
rockwellautomation rslinx_enterprise 6.10.00
rockwellautomation studio_5000_logix_designer *
rockwellautomation rslinx *
rockwellautomation rslinx_enterprise 6.11.00
rockwellautomation rslinx_enterprise 6.00.00
CVE-2020-12038 MEDIUM

Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterprise): Versions 6.00, 6.10, and 6.11, RSLinx Classic: Version 4.11.00 and prior, RSNetWorx software: Version 28.00.00 and prior, Studio 5000 Logix Designer software: Version 32 and prior) is vulnerable. A memory corruption vulnerability exists in the algorithm that matches square brackets in the EDS subsystem. This may allow an attacker to craft specialized EDS files to crash the EDSParser COM object, leading to denial-of-service conditions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-787,

Products Affected

Vendor Product Version
rockwellautomation eds_subsystem *
rockwellautomation rsnetworx *
rockwellautomation rslinx_enterprise 6.10.00
rockwellautomation studio_5000_logix_designer *
rockwellautomation rslinx *
rockwellautomation rslinx_enterprise 6.11.00
rockwellautomation rslinx_enterprise 6.00.00
CVE-2020-13573 MEDIUM

A denial-of-service vulnerability exists in the Ethernet/IP server functionality of Rockwell Automation RSLinx Classic 2.57.00.14 CPR 9 SR 3. A specially crafted network request can lead to a denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-823,CWE-119,

Products Affected

Vendor Product Version
rockwellautomation rslinx 2.57.00.14
CVE-2020-14478 MEDIUM

A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-611,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_services_platform *
CVE-2020-14480 LOW

Due to usernames/passwords being stored in plaintext in Random Access Memory (RAM), a local, authenticated attacker could gain access to certain credentials, including Windows Logon credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-312,CWE-312,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view 10.0
rockwellautomation factorytalk_view *
CVE-2020-14481 LOW

The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. If the compromised user has an administrative account, an attacker could gain full access to the user’s operating system and certain components of FactoryTalk View SE.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: LOW

Problem Type: CWE-261,CWE-326,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view 10.0
rockwellautomation factorytalk_view *
CVE-2020-14502 MEDIUM

The web interface of the 1734-AENTR communication module is vulnerable to stored XSS. A remote, unauthenticated attacker could store a malicious script within the web interface that, when executed, could modify some string values on the homepage of the web interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
rockwellautomation 1734-aentr_point_i/o_dual_port_network_adaptor_series_b_firmware *
rockwellautomation 1734-aentr_point_i/o_dual_port_network_adaptor_series_c_firmware 6.012
rockwellautomation 1734-aentr_point_i/o_dual_port_network_adaptor_series_c_firmware 6.011
CVE-2020-14504 MEDIUM

The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,CWE-287,

Products Affected

Vendor Product Version
rockwellautomation 1734-aentr_point_i/o_dual_port_network_adaptor_series_b_firmware *
rockwellautomation 1734-aentr_point_i/o_dual_port_network_adaptor_series_c_firmware 6.012
rockwellautomation 1734-aentr_point_i/o_dual_port_network_adaptor_series_c_firmware 6.011
CVE-2020-14516 HIGH

In Rockwell Automation FactoryTalk Services Platform Versions 6.10.00 and 6.11.00, there is an issue with the implementation of the SHA-256 hashing algorithm with FactoryTalk Services Platform that prevents the user password from being hashed properly.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-916,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_services_platform 6.10.00
rockwellautomation factorytalk_services_platform 6.11.00
CVE-2020-25176 HIGH

Some commands used by the Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote, unauthenticated attacker to traverse an application’s directory, which could lead to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
ics-cert@hq.dhs.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 2.3 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-23,CWE-22,

Products Affected

Vendor Product Version
schneider-electric pacis_gtw_firmware 6.1
schneider-electric easergy_c5_firmware *
schneider-electric micom_c264_firmware *
schneider-electric pacis_gtw_firmware 5.2
schneider-electric epas_gtw_firmware 6.4
rockwellautomation aadvance_controller *
rockwellautomation isagraf_free_runtime *
xylem multismart_firmware *
rockwellautomation isagraf_runtime *
schneider-electric scd2200_firmware *
schneider-electric saitel_dr_firmware *
rockwellautomation micro850_firmware -
rockwellautomation micro830_firmware -
schneider-electric easergy_t300_firmware *
rockwellautomation micro820_firmware -
rockwellautomation micro870_firmware -
schneider-electric pacis_gtw_firmware 5.1
rockwellautomation micro810_firmware -
schneider-electric saitel_dp_firmware *
schneider-electric pacis_gtw_firmware 6.3
CVE-2020-25178 HIGH

ISaGRAF Workbench communicates with Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x using TCP/IP. This communication protocol provides various file system operations, as well as the uploading of applications. Data is transferred over this protocol unencrypted, which could allow a remote unauthenticated attacker to upload, read, and delete files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-319,CWE-319,

Products Affected

Vendor Product Version
schneider-electric pacis_gtw_firmware 6.1
schneider-electric easergy_c5_firmware *
schneider-electric micom_c264_firmware *
schneider-electric pacis_gtw_firmware 5.2
schneider-electric epas_gtw_firmware 6.4
rockwellautomation aadvance_controller *
rockwellautomation isagraf_free_runtime *
xylem multismart_firmware *
rockwellautomation isagraf_runtime *
schneider-electric scd2200_firmware *
schneider-electric saitel_dr_firmware *
rockwellautomation micro850_firmware -
rockwellautomation micro830_firmware -
schneider-electric easergy_t300_firmware *
rockwellautomation micro820_firmware -
rockwellautomation micro870_firmware -
schneider-electric pacis_gtw_firmware 5.1
rockwellautomation micro810_firmware -
schneider-electric saitel_dp_firmware *
schneider-electric pacis_gtw_firmware 6.3
CVE-2020-25180 MEDIUM

Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x includes the functionality of setting a password that is required to execute privileged commands. The password value passed to ISaGRAF Runtime is the result of encryption performed with a fixed key value using the tiny encryption algorithm (TEA) on an entered or saved password. A remote, unauthenticated attacker could pass their own encrypted password to the ISaGRAF 5 Runtime, which may result in information disclosure on the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N 1.6 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-321,CWE-798,

Products Affected

Vendor Product Version
schneider-electric pacis_gtw_firmware 6.1
schneider-electric easergy_c5_firmware *
schneider-electric micom_c264_firmware *
schneider-electric pacis_gtw_firmware 5.2
schneider-electric epas_gtw_firmware 6.4
rockwellautomation aadvance_controller *
rockwellautomation isagraf_free_runtime *
xylem multismart_firmware *
rockwellautomation isagraf_runtime *
schneider-electric scd2200_firmware *
schneider-electric saitel_dr_firmware *
rockwellautomation micro850_firmware -
rockwellautomation micro830_firmware -
schneider-electric easergy_t300_firmware *
rockwellautomation micro820_firmware -
rockwellautomation micro870_firmware -
schneider-electric pacis_gtw_firmware 5.1
rockwellautomation micro810_firmware -
schneider-electric saitel_dp_firmware *
schneider-electric pacis_gtw_firmware 6.3
CVE-2020-25182 MEDIUM

Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x searches for and loads DLLs as dynamic libraries. Uncontrolled loading of dynamic libraries could allow a local, unauthenticated attacker to execute arbitrary code. This vulnerability only affects ISaGRAF Runtime when running on Microsoft Windows systems.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9
ics-cert@hq.dhs.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,CWE-427,

Products Affected

Vendor Product Version
schneider-electric pacis_gtw_firmware 6.1
schneider-electric easergy_c5_firmware *
schneider-electric micom_c264_firmware *
schneider-electric pacis_gtw_firmware 5.2
schneider-electric epas_gtw_firmware 6.4
rockwellautomation aadvance_controller *
rockwellautomation isagraf_free_runtime *
xylem multismart_firmware *
rockwellautomation isagraf_runtime *
schneider-electric scd2200_firmware *
schneider-electric saitel_dr_firmware *
rockwellautomation micro850_firmware -
rockwellautomation micro830_firmware -
schneider-electric easergy_t300_firmware *
rockwellautomation micro820_firmware -
rockwellautomation micro870_firmware -
schneider-electric pacis_gtw_firmware 5.1
rockwellautomation micro810_firmware -
schneider-electric saitel_dp_firmware *
schneider-electric pacis_gtw_firmware 6.3
CVE-2020-25184 LOW

Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x stores the password in plaintext in a file that is in the same directory as the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords, resulting in information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-256,CWE-522,

Products Affected

Vendor Product Version
schneider-electric pacis_gtw_firmware 6.1
schneider-electric easergy_c5_firmware *
schneider-electric micom_c264_firmware *
schneider-electric pacis_gtw_firmware 5.2
schneider-electric epas_gtw_firmware 6.4
rockwellautomation aadvance_controller *
rockwellautomation isagraf_free_runtime *
xylem multismart_firmware *
rockwellautomation isagraf_runtime *
schneider-electric scd2200_firmware *
schneider-electric saitel_dr_firmware *
rockwellautomation micro850_firmware -
rockwellautomation micro830_firmware -
schneider-electric easergy_t300_firmware *
rockwellautomation micro820_firmware -
rockwellautomation micro870_firmware -
schneider-electric pacis_gtw_firmware 5.1
rockwellautomation micro810_firmware -
schneider-electric saitel_dp_firmware *
schneider-electric pacis_gtw_firmware 6.3
CVE-2020-27251 HIGH

A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-122,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_linx *
CVE-2020-27253 HIGH

A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_linx *
CVE-2020-27255 MEDIUM

A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in the leaking of sensitive information. This information disclosure could lead to the bypass of address space layout randomization (ASLR).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-122,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_linx *
CVE-2020-27263 MEDIUM

KEPServerEX: v6.0 to v6.9, ThingWorx Kepware Server: v6.8 and v6.9, ThingWorx Industrial Connectivity: All versions, OPC-Aggregator: All versions, Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server: v7.68.804 and v7.66, Software Toolbox TOP Server: All 6.x versions, are vulnerable to a heap-based buffer overflow. Opening a specifically crafted OPC UA message could allow an attacker to crash the server and potentially leak data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
ge industrial_gateway_server 7.68.804
ptc kepware_kepserverex 6.9
ptc thingworx_kepware_server 6.9
ptc kepware_kepserverex 6.0
rockwellautomation kepserver_enterprise 6.9.572.0
rockwellautomation kepserver_enterprise 6.6.504.0
ptc thingworx_kepware_server 6.8
ptc opc-aggregator -
ptc thingworx_industrial_connectivity -
ge industrial_gateway_server 7.66
softwaretoolbox top_server *
CVE-2020-27265 HIGH

KEPServerEX: v6.0 to v6.9, ThingWorx Kepware Server: v6.8 and v6.9, ThingWorx Industrial Connectivity: All versions, OPC-Aggregator: All versions, Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server: v7.68.804 and v7.66, Software Toolbox TOP Server: All 6.x versions are vulnerable to a stack-based buffer overflow. Opening a specifically crafted OPC UA message could allow an attacker to crash the server and remotely execute code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-121,CWE-787,

Products Affected

Vendor Product Version
ge industrial_gateway_server 7.68.804
ptc kepware_kepserverex 6.9
ptc thingworx_kepware_server 6.9
ptc kepware_kepserverex 6.0
rockwellautomation kepserver_enterprise 6.9.572.0
rockwellautomation kepserver_enterprise 6.6.504.0
ptc thingworx_kepware_server 6.8
ptc opc-aggregator -
ptc thingworx_industrial_connectivity -
ge industrial_gateway_server 7.66
softwaretoolbox top_server *
CVE-2020-27267 MEDIUM

KEPServerEX v6.0 to v6.9, ThingWorx Kepware Server v6.8 and v6.9, ThingWorx Industrial Connectivity (all versions), OPC-Aggregator (all versions), Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server v7.68.804 and v7.66, and Software Toolbox TOP Server all 6.x versions, are vulnerable to a heap-based buffer overflow. Opening a specifically crafted OPC UA message could allow an attacker to crash the server and potentially leak data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-787,

Products Affected

Vendor Product Version
ge industrial_gateway_server 7.68.804
ptc kepware_kepserverex 6.9
ptc thingworx_kepware_server 6.9
ptc kepware_kepserverex 6.0
rockwellautomation kepserver_enterprise 6.9.572.0
rockwellautomation kepserver_enterprise 6.6.504.0
ptc thingworx_kepware_server 6.8
ptc opc-aggregator -
ptc thingworx_industrial_connectivity -
ge industrial_gateway_server 7.66
softwaretoolbox top_server *
CVE-2020-5801 MEDIUM

An attacker can craft and send an OpenNamespace message to port 4241 with valid session-id that triggers an unhandled exception in CFTLDManager::HandleRequest function in RnaDaSvr.dll, resulting in process termination. Observed in FactoryTalk Linx 6.11. All versions of FactoryTalk Linx are affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_linx *
CVE-2020-5802 MEDIUM

An attacker-controlled memory allocation size can be passed to the C++ new operator in RnaDaSvr.dll by sending a specially crafted ConfigureItems message to TCP port 4241. This will cause an unhandled exception, resulting in termination of RSLinxNG.exe. Observed in FactoryTalk 6.11. All versions of FactoryTalk Linx are affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_linx *
CVE-2020-5806 LOW

An attacker-controlled memory allocation size can be passed to the C++ new operator in the CServerManager::HandleBrowseLoadIconStreamRequest in messaging.dll. This can be done by sending a specially crafted message to 127.0.0.1:7153. Observed in FactoryTalk Linx 6.11. All versions of FactoryTalk Linx are affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-770,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_linx *
CVE-2020-5807 MEDIUM

An unauthenticated remote attacker can send data to RsvcHost.exe listening on TCP port 5241 to add entries in the FactoryTalk Diagnostics event log. The attacker can specify long fields in the log entry, which can cause an unhandled exception in wcscpy_s() if a local user opens FactoryTalk Diagnostics Viewer (FTDiagViewer.exe) to view the log entry. Observed in FactoryTalk Diagnostics 6.11. All versions of FactoryTalk Diagnostics are affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_diagnostics *
CVE-2020-6083 MEDIUM

An exploitable denial of service vulnerability exists in the ENIP Request Path Port Segment functionality of Allen-Bradley Flex IO 1794-AENT/B. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
rockwellautomation allen-bradley_flex_io_1794-aent/b_firmware 4.003
CVE-2020-6084 HIGH

An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability by sending an Electronic Key Segment with less bytes than required by the Key Format Table.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
rockwellautomation flex_i/o_1794-aent 4.003
CVE-2020-6085 HIGH

An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability by sending an Electronic Key Segment with less than 0x18 bytes following the Key Format field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
rockwellautomation flex_i/o_1794-aent 4.003
CVE-2020-6086 HIGH

An exploitable denial of service vulnerability exists in the ENIP Request Path Data Segment functionality of Allen-Bradley Flex IO 1794-AENT/B. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.If the Simple Segment Sub-Type is supplied, the device treats the byte following as the Data Size in words. When this value represents a size greater than what remains in the packet data, the device enters a fault state where communication with the device is lost and a physical power cycle is required.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
rockwellautomation flex_i/o_1794-aent/b_firmware 4.003
CVE-2020-6087 HIGH

An exploitable denial of service vulnerability exists in the ENIP Request Path Data Segment functionality of Allen-Bradley Flex IO 1794-AENT/B. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability If the ANSI Extended Symbol Segment Sub-Type is supplied, the device treats the byte following as the Data Size in words. When this value represents a size greater than what remains in the packet data, the device enters a fault state where communication with the device is lost and a physical power cycle is required.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
rockwellautomation flex_i/o_1794-aent/b_firmware 4.003
CVE-2020-6088 MEDIUM

An exploitable denial of service vulnerability exists in the ENIP Request Path Network Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
rockwellautomation flex_io_1794-aent/b_firmware 4.003
CVE-2020-6111 MEDIUM

An exploitable denial-of-service vulnerability exists in the IPv4 functionality of Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 16.000, Series B FRN 15.002, Series B FRN 15.000, Series B FRN 14.000, Series B FRN 13.000, Series B FRN 12.000, Series B FRN 11.000 and Series B FRN 10.000. A specially crafted packet can cause a major error, resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1100_b_firmware 13.000
rockwellautomation micrologix_1100_b_firmware 15.002
rockwellautomation micrologix_1100_b_firmware 11.000
rockwellautomation micrologix_1100_b_firmware 12.000
rockwellautomation micrologix_1100_b_firmware 16.000
rockwellautomation micrologix_1100_b_firmware 14.000
rockwellautomation micrologix_1100_b_firmware 10.000
rockwellautomation micrologix_1100_b_firmware 15.000
CVE-2020-6967 HIGH

In Rockwell Automation all versions of FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Services Platform, FactoryTalk Diagnostics exposes a .NET Remoting endpoint via RNADiagnosticsSrv.exe at TCPtcp/8082, which can insecurely deserialize untrusted data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_services_platform -
CVE-2020-6980 LOW

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, If Simple Mail Transfer Protocol (SMTP) account data is saved in RSLogix 500, a local attacker with access to a victim’s project may be able to gather SMTP server authentication data as it is written to the project file in cleartext.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-312,CWE-312,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
rockwellautomation rslogix_500 *
rockwellautomation micrologix_1400_a_firmware *
rockwellautomation micrologix_1100_firmware *
CVE-2020-6984 MEDIUM

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic function utilized to protect the password in MicroLogix is discoverable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,CWE-327,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
rockwellautomation rslogix_500 *
rockwellautomation micrologix_1400_a_firmware *
rockwellautomation micrologix_1100_firmware *
CVE-2020-6988 MEDIUM

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, A remote, unauthenticated attacker can send a request from the RSLogix 500 software to the victim’s MicroLogix controller. The controller will then respond to the client with used password values to authenticate the user on the client-side. This method of authentication may allow an attacker to bypass authentication altogether, disclose sensitive information, or leak credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-603,CWE-287,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
rockwellautomation rslogix_500 *
rockwellautomation micrologix_1400_a_firmware *
rockwellautomation micrologix_1100_firmware *
CVE-2020-6990 HIGH

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic key utilized to help protect the account password is hard coded into the RSLogix 500 binary file. An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controller.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-321,CWE-798,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_b_firmware *
rockwellautomation rslogix_500 *
rockwellautomation micrologix_1400_a_firmware *
rockwellautomation micrologix_1100_firmware *
CVE-2020-6998

The connection establishment algorithm found in Rockwell Automation CompactLogix 5370 and ControlLogix 5570 versions 33 and prior does not sufficiently manage its control flow during execution, creating an infinite loop. This may allow an attacker to send specially crafted CIP packet requests to a controller, which may cause denial-of-service conditions in communications with other products.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0
ics-cert@hq.dhs.gov 5.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
rockwellautomation guardlogix_5580_firmware *
rockwellautomation guardlogix_5560_firmware *
rockwellautomation compactlogix_5370_l1_firmware *
rockwellautomation controllogix_5570_firmware *
rockwellautomation armor_compact_guardlogix_5370_firmware *
rockwellautomation compactlogix_5370_l3_firmware *
rockwellautomation compactlogix_5370_l2_firmware *
rockwellautomation compact_guardlogix_5370_firmware *
rockwellautomation guardlogix_5570_firmware *
CVE-2021-22659 HIGH

Rockwell Automation MicroLogix 1400 Version 21.6 and below may allow a remote unauthenticated attacker to send a specially crafted Modbus packet allowing the attacker to retrieve or modify random values in the register. If successfully exploited, this may lead to a buffer overflow resulting in a denial-of-service condition. The FAULT LED will flash RED and communications may be lost. Recovery from denial-of-service condition requires the fault to be cleared by the user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 3.9 4.7

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400_firmware *
CVE-2021-22665 HIGH

Rockwell Automation DriveTools SP v5.13 and below and Drives AOP v4.12 and below both contain a vulnerability that a local attacker with limited privileges may be able to exploit resulting in privilege escalation and complete control of the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-427,

Products Affected

Vendor Product Version
rockwellautomation drivetools_sp *
rockwellautomation drivetools_add-on_profiles *
CVE-2021-22681 HIGH

Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. Rockwell Automation Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000: Versions 16 through 20 are vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-522,CWE-522,

Products Affected

Vendor Product Version
rockwellautomation studio_5000_logix_designer *
rockwellautomation factorytalk_services_platform *
rockwellautomation rslogix_5000 *
CVE-2021-27460 HIGH

Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier components contain .NET remoting endpoints that deserialize untrusted data without sufficiently verifying that the resulting data will be valid. This vulnerability may allow a remote, unauthenticated attacker to gain full access to the FactoryTalk AssetCentre main server and all agent machines.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H 3.9 5.8
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_assetcentre *
CVE-2021-27462 HIGH

A deserialization vulnerability exists in how the AosService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
ics-cert@hq.dhs.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H 3.9 5.8

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_assetcentre *
CVE-2021-27464 HIGH

The ArchiveService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier exposes functions lacking proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H 3.9 5.8
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,CWE-89,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_assetcentre *
CVE-2021-27466 HIGH

A deserialization vulnerability exists in how the ArchiveService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H 3.9 5.8
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_assetcentre *
CVE-2021-27468 HIGH

The AosService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier exposes functions lacking proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
ics-cert@hq.dhs.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H 3.9 5.8

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,CWE-89,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_assetcentre *
CVE-2021-27470 HIGH

A deserialization vulnerability exists in how the LogService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
ics-cert@hq.dhs.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H 3.9 5.8

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_assetcentre *
CVE-2021-27471 MEDIUM

The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by Rockwell Automation Connected Components Workbench v12.00.00 and prior, can traverse the file system. If successfully exploited, an attacker could overwrite existing files and create additional files with the same permissions of the Connected Components Workbench software. User interaction is required for this exploit to be successful.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 1.8 6.0
ics-cert@hq.dhs.gov 7.7 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.0 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-22,

Products Affected

Vendor Product Version
rockwellautomation connected_components_workbench *
CVE-2021-27472 HIGH

A vulnerability exists in the RunSearch function of SearchService service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier, which may allow for the execution of remote unauthenticated arbitrary SQL statements.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H 3.9 5.8
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,CWE-89,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_assetcentre *
CVE-2021-27473 MEDIUM

Rockwell Automation Connected Components Workbench v12.00.00 and prior does not sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that, when opened by Connected Components Workbench, will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L 1.8 3.7
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-22,

Products Affected

Vendor Product Version
rockwellautomation connected_components_workbench *
CVE-2021-27474 MEDIUM

Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier does not properly restrict all functions relating to IIS remoting services. This vulnerability may allow a remote, unauthenticated attacker to modify sensitive data in FactoryTalk AssetCentre.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6
ics-cert@hq.dhs.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H 3.9 5.8

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-676,NVD-CWE-Other,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_assetcentre *
CVE-2021-27475 MEDIUM

Rockwell Automation Connected Components Workbench v12.00.00 and prior does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 8.6 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 1.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,CWE-502,

Products Affected

Vendor Product Version
rockwellautomation connected_components_workbench *
CVE-2021-27476 HIGH

A vulnerability exists in the SaveConfigFile function of the RACompare Service, which may allow for OS command injection. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
ics-cert@hq.dhs.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H 3.9 5.8

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_assetcentre *
CVE-2021-32926 MEDIUM

When an authenticated password change request takes place, this vulnerability could allow the attacker to intercept the message that includes the legitimate, new password hash and replace it with an illegitimate hash. The user would no longer be able to authenticate to the controller (Micro800: All versions, MicroLogix 1400: Version 21 and later) causing a denial-of-service condition

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-300,NVD-CWE-Other,

Products Affected

Vendor Product Version
rockwellautomation micro800_firmware *
rockwellautomation micrologix_1400_firmware *
CVE-2021-32960 MEDIUM

Rockwell Automation FactoryTalk Services Platform v6.11 and earlier, if FactoryTalk Security is enabled and deployed contains a vulnerability that may allow a remote, authenticated attacker to bypass FactoryTalk Security policies based on the computer name. If successfully exploited, this may allow an attacker to have the same privileges as if they were logged on to the client machine.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
rockwellautomation factorytalk_services_platform *
CVE-2021-33012 MEDIUM

Rockwell Automation MicroLogix 1100, all versions, allows a remote, unauthenticated attacker sending specially crafted commands to cause the PLC to fault when the controller is switched to RUN mode, which results in a denial-of-service condition. If successfully exploited, this vulnerability will cause the controller to fault whenever the controller is switched to RUN mode.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
rockwellautomation micrologix_1100_firmware *
CVE-2022-1018 MEDIUM

When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this to pass data from local files to a remote web server, leading to a loss of confidentiality.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 1.8 3.6
ics-cert@hq.dhs.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-611,

Products Affected

Vendor Product Version
rockwellautomation connected_components_workbench *
rockwellautomation safety_instrumented_systems_workstation *
rockwellautomation isagraf *
CVE-2022-1118 MEDIUM

Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 though v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the objects that can be deserialized. This allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 8.6 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
rockwellautomation safety_instrumented_systems_workstation *
rockwellautomation connected_component_workbench *
rockwellautomation isagraf_workbench *
CVE-2022-1159 MEDIUM

Rockwell Automation Studio 5000 Logix Designer (all versions) are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
ics-cert@hq.dhs.gov 7.7 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H 1.1 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,CWE-94,

Products Affected

Vendor Product Version
rockwellautomation guardlogix_5580_firmware *
rockwellautomation controllogix_5580_firmware *
rockwellautomation compactlogix_5480_firmware *
rockwellautomation compact_guardlogix_5380_firmware *
rockwellautomation compactlogix_5380_firmware *
CVE-2022-1161 HIGH

An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location than the executed compiled code, allowing an attacker to change one and not the other.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-829,

Products Affected

Vendor Product Version
rockwellautomation compactlogix_1769-l32e_firmware *
rockwellautomation compactlogix_5370_l3_firmware *
rockwellautomation compactlogix_1769-l31_firmware *
rockwellautomation compact_guardlogix_5380_firmware *
rockwellautomation softlogix_5800_firmware *
rockwellautomation guardlogix_5560_firmware *
rockwellautomation compactlogix_5370_l1_firmware *
rockwellautomation compactlogix_1769-l32c_firmware *
rockwellautomation controllogix_5570_firmware *
rockwellautomation compactlogix_5480_firmware *
rockwellautomation compactlogix_1769-l35e_firmware *
rockwellautomation compactlogix_5370_l2_firmware *
rockwellautomation compactlogix_1768-l45_firmware *
rockwellautomation flexlogix_1794-l34_firmware *
rockwellautomation compact_guardlogix_5370_firmware *
rockwellautomation controllogix_5550_firmware *
rockwellautomation guardlogix_5580_firmware *
rockwellautomation compactlogix_1769-l35cr_firmware *
rockwellautomation drivelogix_5730_firmware *
rockwellautomation controllogix_5560_firmware *
rockwellautomation compactlogix_1768-l43_firmware *
rockwellautomation controllogix_5580_firmware *
rockwellautomation guardlogix_5570_firmware *
rockwellautomation compactlogix_5380_firmware *
CVE-2022-1797 HIGH

A malformed Class 3 common industrial protocol message with a cached connection can cause a denial-of-service condition in Rockwell Automation Logix Controllers, resulting in a major nonrecoverable fault. If the target device becomes unavailable, a user would have to clear the fault and redownload the user project file to bring the device back online.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H 2.2 4.0
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,

Products Affected

Vendor Product Version
rockwellautomation guardlogix_5580_firmware *
rockwellautomation compactlogix_5370_firmware *
rockwellautomation controllogix_5570_firmware *
rockwellautomation controllogix_5580_firmware *
rockwellautomation compactlogix_5480_firmware *
rockwellautomation compact_guardlogix_5370_firmware *
rockwellautomation compact_guardlogix_5380_firmware *
rockwellautomation guardlogix_5570_firmware *
rockwellautomation compactlogix_5380_firmware *
CVE-2022-2179

The X-Frame-Options header in Rockwell Automation MicroLogix 1100/1400 Versions 21.007 and prior is not configured in the HTTP response, which could allow clickjacking attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6
ics-cert@hq.dhs.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
rockwellautomation micrologix_1100_firmware *
rockwellautomation micrologix_1400_firmware *
CVE-2022-2463

Rockwell Automation ISaGRAF Workbench software versions 6.0 through 6.6.9 are affected by a Path Traversal vulnerability. A crafted malicious .7z exchange file may allow an attacker to gain the privileges of the ISaGRAF Workbench software when opened. If the software is running at the SYSTEM level, then the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9
ics-cert@hq.dhs.gov 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L 1.8 3.7

Products Affected

Vendor Product Version
rockwellautomation isagraf_workbench *
CVE-2022-2464

Rockwell Automation ISaGRAF Workbench software versions 6.0 through 6.6.9 are affected by a Path Traversal vulnerability. Crafted malicious files can allow an attacker to traverse the file system when opened by ISaGRAF Workbench. If successfully exploited, an attacker could overwrite existing files and create additional files with the same permissions of the ISaGRAF Workbench software. User interaction is required for this exploit to be successful.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9
ics-cert@hq.dhs.gov 7.7 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.0 6.0

Products Affected

Vendor Product Version
rockwellautomation isagraf_workbench *
CVE-2022-2465

Rockwell Automation ISaGRAF Workbench software versions 6.0 through 6.6.9 are affected by a Deserialization of Untrusted Data vulnerability. ISaGRAF Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in ISaGRAF Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9
ics-cert@hq.dhs.gov 8.6 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 1.8 6.0

Products Affected

Vendor Product Version
rockwellautomation isagraf_workbench *
CVE-2022-2825

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX 6.11.718.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of text encoding conversions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-18411.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
ptc thingworx_kepware_edge *
ptc opc-aggregator *
ptc kepware_kepserverex *
ptc thingworx_kepware_server *
rockwellautomation kepserver_enterprise *
ge industrial_gateway_server *
ptc thingworx_industrial_connectivity -
softwaretoolbox top_server *
CVE-2022-2848

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX 6.11.718.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of text encoding conversions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-16486.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

Products Affected

Vendor Product Version
ptc thingworx_kepware_edge *
ptc opc-aggregator *
ptc kepware_kepserverex *
ptc thingworx_kepware_server *
rockwellautomation kepserver_enterprise *
ge industrial_gateway_server *
ptc thingworx_industrial_connectivity -
softwaretoolbox top_server *
CVE-2022-3156

A remote code execution vulnerability exists in Rockwell Automation Studio 5000 Logix Emulate software.  Users are granted elevated permissions on certain product services when the software is installed. Due to this misconfiguration, a malicious user could potentially achieve remote code execution on the targeted software.

Products Affected

Vendor Product Version
rockwellautomation studio_5000_logix_emulate *
CVE-2022-3157

A vulnerability exists in the Rockwell Automation controllers that allows a malformed CIP request to cause a major non-recoverable fault (MNRF) and a denial-of-service condition (DOS).

Products Affected

Vendor Product Version
rockwellautomation compactlogix_5370_firmware *
rockwellautomation controllogix_5570_redundancy_firmware *
rockwellautomation controllogix_5570_firmware *
rockwellautomation compact_guardlogix_5370_firmware *
rockwellautomation compact_guardlogix_5380_firmware *
rockwellautomation guardlogix_5570_firmware *
CVE-2022-3158

Rockwell Automation FactoryTalk VantagePoint versions 8.0, 8.10, 8.20, 8.30, 8.31 are vulnerable to an input validation vulnerability. The FactoryTalk VantagePoint SQL Server lacks input validation when users enter SQL statements to retrieve information from the back-end database. If successfully exploited, this could allow a user with basic user privileges to perform remote code execution on the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
rockwellautomation factorytalk_vantagepoint 8.20
rockwellautomation factorytalk_vantagepoint 8.10
rockwellautomation factorytalk_vantagepoint 8.31
rockwellautomation factorytalk_vantagepoint 8.30
rockwellautomation factorytalk_vantagepoint 8.0
CVE-2022-3166

Rockwell Automation was made aware that the webservers of the Micrologix 1100 and 1400 controllers contain a vulnerability that may lead to a denial-of-service condition. The security vulnerability could be exploited by an attacker with network access to the affected systems by sending TCP packets to webserver and closing it abruptly which would cause a denial-of-service condition for the web server application on the device

Products Affected

Vendor Product Version
rockwellautomation micrologix_1100_firmware -
rockwellautomation micrologix_1400_firmware -
CVE-2022-3752

An unauthorized user could use a specially crafted sequence of Ethernet/IP messages, combined with heavy traffic loading to cause a denial-of-service condition in Rockwell Automation Logix controllers resulting in a major non-recoverable fault. If the target device becomes unavailable, a user would have to clear the fault and redownload the user project file to bring the device back online and continue normal operation.

Products Affected

Vendor Product Version
rockwellautomation guardlogix_5580_firmware *
rockwellautomation compactlogix_5580_firmware *
rockwellautomation compactlogix_5480_firmware *
rockwellautomation compact_guardlogix_5380_firmware *
rockwellautomation compactlogix_5380_firmware *
CVE-2022-38742

Rockwell Automation ThinManager ThinServer versions 11.0.0 - 13.0.0 is vulnerable to a heap-based buffer overflow. An attacker could send a specifically crafted TFTP or HTTPS request, causing a heap-based buffer overflow that crashes the ThinServer process. If successfully exploited, this could expose the server to arbitrary remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
CVE-2022-38743

Rockwell Automation FactoryTalk VantagePoint versions 8.0, 8.10, 8.20, 8.30, 8.31 are vulnerable to an improper access control vulnerability. The FactoryTalk VantagePoint SQL Server account could allow a malicious user with read-only privileges to execute SQL statements in the back-end database. If successfully exploited, this could allow the attacker to execute arbitrary code and gain access to restricted data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
rockwellautomation factorytalk_vantagepoint 8.20
rockwellautomation factorytalk_vantagepoint 8.10
rockwellautomation factorytalk_vantagepoint 8.31
rockwellautomation factorytalk_vantagepoint 8.30
rockwellautomation factorytalk_vantagepoint 8.0
CVE-2022-38744

An unauthenticated attacker with network access to a victim's Rockwell Automation FactoryTalk Alarm and Events service could open a connection, causing the service to fault and become unavailable. The affected port could be used as a server ping port and uses messages structured with XML.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation factorytalk_alarms_and_events -
CVE-2022-46670

Rockwell Automation was made aware of a vulnerability by a security researcher from Georgia Institute of Technology that the MicroLogix 1100 and 1400 controllers contain a vulnerability that may give an attacker the ability to accomplish remote code execution.  The vulnerability is an unauthenticated stored cross-site scripting vulnerability in the embedded webserver. The payload is transferred to the controller over SNMP and is rendered on the homepage of the embedded website.

Products Affected

Vendor Product Version
rockwellautomation micrologix_1400-c_firmware *
rockwellautomation micrologix_1100_firmware -
rockwellautomation micrologix_1400_firmware -
rockwellautomation micrologix_1400-a_firmware *
rockwellautomation micrologix_1400-b_firmware *
CVE-2023-0027

Rockwell Automation Modbus TCP Server AOI prior to 2.04.00 is vulnerable to an unauthorized user sending a malformed message that could cause the controller to respond with a copy of the most recent response to the last valid request. If exploited, an unauthorized user could read the connected device’s Modbus TCP Server AOI information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
rockwellautomation modbus_tcp_server_add_on_instructions *
CVE-2023-0754

The affected products are vulnerable to an integer overflow or wraparound, which could  allow an attacker to crash the server and remotely execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
ics-cert@hq.dhs.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
ptc thingworx_.net-sdk *
ptc thingworx_kepware_edge *
ge digital_industrial_gateway_server *
ptc thingworx_edge_c-sdk *
ptc thingworx_industrial_connectivity *
rockwellautomation kepserver_enterprise *
ptc thingworx_edge_microserver *
ptc kepware_server *
ptc kepware_serverex *
CVE-2023-0755

The affected products are vulnerable to an improper validation of array index, which could allow an attacker to crash the server and remotely execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
ics-cert@hq.dhs.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
ptc thingworx_.net-sdk *
ptc thingworx_kepware_edge *
ge digital_industrial_gateway_server *
ptc thingworx_edge_c-sdk *
rockwellautomation kepserver_enterprise *
ptc thingworx_edge_microserver *
ptc kepware_server *
ptc thingworx_industrial_connectivity -
ptc kepware_serverex *
CVE-2023-1834

Rockwell Automation was made aware that Kinetix 5500 drives, manufactured between May 2022 and January 2023, and are running v7.13 may have the telnet and FTP ports open by default.  This could potentially allow attackers unauthorized access to the device through the open ports.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 9.4 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H 3.9 5.5

Products Affected

Vendor Product Version
rockwellautomation kinetix_5500_firmware 7.13
CVE-2023-20198

Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0
ykramarz@cisco.com 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0

Products Affected

Vendor Product Version
cisco ios_xe *
rockwellautomation allen-bradley_stratix_5200_firmware *
rockwellautomation allen-bradley_stratix_5800_firmware *
CVE-2023-2071

Rockwell Automation FactoryTalk View Machine Edition on the PanelView Plus, improperly verifies user’s input, which allows unauthenticated attacker to achieve remote code executed via crafted malicious packets.  The device has the functionality, through a CIP class, to execute exported functions from libraries.  There is a routine that restricts it to execute specific functions from two dynamic link library files.  By using a CIP class, an attacker can upload a self-made library to the device which allows the attacker to bypass the security check and execute any code written in the function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view *
CVE-2023-2072

The Rockwell Automation PowerMonitor 1000 contains stored cross-site scripting vulnerabilities within the web page of the product.  The vulnerable pages do not require privileges to access and can be injected with code by an attacker which could be used to leverage an attack on an authenticated user resulting in remote code execution and potentially the complete loss of confidentiality, integrity, and availability of the product.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
rockwellautomation powermonitor_1000_firmware -
CVE-2023-2262

A buffer overflow vulnerability exists in the Rockwell Automation select 1756-EN* communication devices. If exploited, a threat actor could potentially leverage this vulnerability to perform a remote code execution. To exploit this vulnerability, a threat actor would have to send a maliciously crafted CIP request to device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
PSIRT@rockwellautomation.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
rockwellautomation 1756-en2tk_series_c_firmware *
rockwellautomation 1756-en2fk_series_a_firmware *
rockwellautomation 1756-en2t_series_a_firmware *
rockwellautomation 1756-en2tk_series_a_firmware *
rockwellautomation 1756-en2t_series_c_firmware *
rockwellautomation 1756-en2trxt_series_a_firmware *
rockwellautomation 1756-en3trk_series_a_firmware *
rockwellautomation 1756-en2tk_series_b_firmware *
rockwellautomation 1756-en2txt_series_b_firmware *
rockwellautomation 1756-en2trk_series_b_firmware *
rockwellautomation 1756-en2tr_series_b_firmware *
rockwellautomation 1756-en2f_series_b_firmware *
rockwellautomation 1756-en2txt_series_c_firmware *
rockwellautomation 1756-en2tpxt_series_a_firmware *
rockwellautomation 1756-en2tp_series_a_firmware *
rockwellautomation 1756-en2trk_series_a_firmware *
rockwellautomation 1756-en2fk_series_c_firmware *
rockwellautomation 1756-en3trk_series_b_firmware *
rockwellautomation 1756-en2f_series_a_firmware *
rockwellautomation 1756-en2txt_series_d_firmware *
rockwellautomation 1756-en3tr_series_a_firmware *
rockwellautomation 1756-en2trxt_series_c_firmware *
rockwellautomation 1756-en2fk_series_b_firmware *
rockwellautomation 1756-en3tr_series_b_firmware *
rockwellautomation 1756-en2trk_series_c_firmware *
rockwellautomation 1756-en2trxt_series_b_firmware *
rockwellautomation 1756-en2t_series_b_firmware *
rockwellautomation 1756-en2tr_series_c_firmware *
rockwellautomation 1756-en2t_series_d_firmware *
rockwellautomation 1756-en2txt_series_a_firmware *
rockwellautomation 1756-en2f_series_c_firmware *
rockwellautomation 1756-en2tr_series_a_firmware *
rockwellautomation 1756-en2tpk_series_a_firmware *
CVE-2023-2263

The Rockwell Automation Kinetix 5700 DC Bus Power Supply Series A is vulnerable to CIP fuzzing.  The new ENIP connections cannot be established if impacted by this vulnerability,  which prohibits operational capabilities of the device resulting in a denial-of-service attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation kinetix_5700_firmware 13.001
CVE-2023-2423

A vulnerability was discovered in the Rockwell Automation Armor PowerFlex device when the product sends communications to the local event log. Threat actors could exploit this vulnerability by sending an influx of network commands, causing the product to generate an influx of event log traffic at a high rate. If exploited, the product would stop normal operations and self-reset creating a denial-of-service condition. The error code would need to be cleared prior to resuming normal operations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0

Products Affected

Vendor Product Version
rockwellautomation armor_powerflex_firmware *
CVE-2023-2443

Rockwell Automation ThinManager product allows the use of medium strength ciphers.  If the client requests an insecure cipher, a malicious actor could potentially decrypt traffic sent between the client and server API.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
CVE-2023-2444

A cross site request forgery vulnerability exists in Rockwell Automation's FactoryTalk Vantagepoint. This vulnerability can be exploited in two ways. If an attacker sends a malicious link to a computer that is on the same domain as the FactoryTalk Vantagepoint server and a user clicks the link, the attacker could impersonate the legitimate user and send requests to the affected product.  Additionally, if an attacker sends an untrusted link to a computer that is not on the same domain as the server and a user opens the FactoryTalk Vantagepoint website, enters credentials for the FactoryTalk Vantagepoint server, and clicks on the malicious link a cross site request forgery attack would be successful as well.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H 1.6 5.5

Products Affected

Vendor Product Version
rockwellautomation factorytalk_vantagepoint *
CVE-2023-2637

Rockwell Automation's FactoryTalk System Services uses a hard-coded cryptographic key to generate administrator cookies.  Hard-coded cryptographic key may lead to privilege escalation.  This vulnerability may allow a local, authenticated non-admin user to generate an invalid administrator cookie giving them administrative privileges to the FactoryTalk Policy Manger database. This may allow the threat actor to make malicious changes to the database that will be deployed when a legitimate FactoryTalk Policy Manager user deploys a security policy model. User interaction is required for this vulnerability to be successfully exploited.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H 1.5 5.3

Products Affected

Vendor Product Version
rockwellautomation factorytalk_policy_manager 6.11.0
rockwellautomation factorytalk_system_services 6.11.0
CVE-2023-2638

Rockwell Automation's FactoryTalk System Services does not verify that a backup configuration archive is password protected.   Improper authorization in FTSSBackupRestore.exe may lead to the loading of malicious configuration archives.  This vulnerability may allow a local, authenticated non-admin user to craft a malicious backup archive, without password protection, that will be loaded by FactoryTalk System Services as a valid backup when a restore procedure takes places. User interaction is required for this vulnerability to be successfully exploited.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 5.9 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H 1.5 4.0

Products Affected

Vendor Product Version
rockwellautomation factorytalk_policy_manager 6.11.0
rockwellautomation factorytalk_system_services 6.11.0
CVE-2023-2639

The underlying feedback mechanism of Rockwell Automation's FactoryTalk System Services that transfers the FactoryTalk Policy Manager rules to relevant devices on the network does not verify that the origin of the communication is from a legitimate local client device.  This may allow a threat actor to craft a malicious website that, when visited, will send a malicious script that can connect to the local WebSocket endpoint and wait for events as if it was a valid client device. If successfully exploited, this would allow a threat actor to receive information including whether FactoryTalk Policy Manager is installed and potentially the entire security policy. 

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 4.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N 2.3 1.4

Products Affected

Vendor Product Version
rockwellautomation factorytalk_policy_manager 6.11.0
rockwellautomation factorytalk_system_services 6.11.0
CVE-2023-2746

The Rockwell Automation Enhanced HIM software contains an API that the application uses that is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings and, as a result, is vulnerable to a Cross Site Request Forgery (CSRF) attack. To exploit this vulnerability, a malicious user would have to convince a user to click on an untrusted link through a social engineering attack or successfully perform a Cross Site Scripting Attack (XSS). Exploitation of a CSRF could potentially lead to sensitive information disclosure and full remote access to the affected products.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
rockwellautomation enhanced_him 1.001
CVE-2023-2778

A denial-of-service vulnerability exists in Rockwell Automation FactoryTalk Transaction Manager. This vulnerability can be exploited by sending a modified packet to port 400. If exploited, the application could potentially crash or experience a high CPU or memory usage condition, causing intermittent application functionality issues. The application would need to be restarted to recover from the DoS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation factorytalk_transaction_manager *
CVE-2023-27854

An arbitrary code execution vulnerability was reported to Rockwell Automation in Arena Simulation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow.  The threat-actor could then execute malicious code on the system affecting the confidentiality, integrity, and availability of the product.  The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9
PSIRT@rockwellautomation.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
rockwellautomation arena_simulation *
CVE-2023-27855

In affected versions, a path traversal exists when processing a message in Rockwell Automation's ThinManager ThinServer. An unauthenticated remote attacker could potentially exploit this vulnerability to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker could overwrite existing executable files with attacker-controlled, malicious contents, potentially causing remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
rockwellautomation thinmanager 13.0.1
rockwellautomation thinmanager 13.0.0
CVE-2023-27856

In affected versions, path traversal exists when processing a message of type 8 in Rockwell Automation's ThinManager ThinServer. An unauthenticated remote attacker can exploit this vulnerability to download arbitrary files on the disk drive where ThinServer.exe is installed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
rockwellautomation thinmanager 13.0.1
rockwellautomation thinmanager 13.0.0
CVE-2023-27857

In affected versions, a heap-based buffer over-read condition occurs when the message field indicates more data than is present in the message field in Rockwell Automation's ThinManager ThinServer.  An unauthenticated remote attacker can exploit this vulnerability to crash ThinServer.exe due to a read access violation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
rockwellautomation thinmanager 13.0.0
CVE-2023-27858

Rockwell Automation Arena Simulation contains an arbitrary code execution vulnerability that could potentially allow a malicious user to commit unauthorized code to the software by using an uninitialized pointer in the application.  The threat-actor could then execute malicious code on the system affecting the confidentiality, integrity, and availability of the product.  The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
rockwellautomation arena_simulation *
CVE-2023-29022

A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4

Products Affected

Vendor Product Version
rockwellautomation armorstart_st_281e_firmware -
rockwellautomation armorstart_st_284ee_firmware -
CVE-2023-29023

A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
rockwellautomation armorstart_st_281e_firmware -
rockwellautomation armorstart_st_284ee_firmware -
CVE-2023-29024

A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L 2.1 3.4

Products Affected

Vendor Product Version
rockwellautomation armorstart_st_281e_firmware -
rockwellautomation armorstart_st_284ee_firmware -
CVE-2023-29025

A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4

Products Affected

Vendor Product Version
rockwellautomation armorstart_st_281e_firmware -
rockwellautomation armorstart_st_284ee_firmware -
CVE-2023-29026

A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4

Products Affected

Vendor Product Version
rockwellautomation armorstart_st_281e_firmware -
rockwellautomation armorstart_st_284ee_firmware -
CVE-2023-29027

A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4

Products Affected

Vendor Product Version
rockwellautomation armorstart_st_281e_firmware -
rockwellautomation armorstart_st_284ee_firmware -
CVE-2023-29028

A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4

Products Affected

Vendor Product Version
rockwellautomation armorstart_st_281e_firmware -
rockwellautomation armorstart_st_284ee_firmware -
CVE-2023-29029

A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4

Products Affected

Vendor Product Version
rockwellautomation armorstart_st_281e_firmware -
rockwellautomation armorstart_st_284ee_firmware -
CVE-2023-29030

A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
rockwellautomation armorstart_st_281e_firmware -
rockwellautomation armorstart_st_284ee_firmware -
CVE-2023-29031

A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
rockwellautomation armorstart_st_281e_firmware -
rockwellautomation armorstart_st_284ee_firmware -
CVE-2023-2913

An executable used in Rockwell Automation ThinManager ThinServer can be configured to enable an API feature in the HTTPS Server Settings. This feature is disabled by default. When the API is enabled and handling requests, a path traversal vulnerability exists that allows a remote actor to leverage the privileges of the server’s file system and read arbitrary files stored in it. A malicious user could exploit this vulnerability by executing a path that contains manipulating variables.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
CVE-2023-2914

The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability, an integer overflow condition exists in the affected products. When the ThinManager processes incoming messages, a read access violation occurs and terminates the process. A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message and causing a denial of service condition in the software.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation thinmanager_thinserver *
rockwellautomation thinmanager_thinserver 13.1.0
CVE-2023-2915

The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability, Due to improper input validation, a path traversal vulnerability exists when the ThinManager software processes a certain function. If exploited, an unauthenticated remote threat actor can delete arbitrary files with system privileges. A malicious user could exploit this vulnerability by sending a specifically crafted synchronization protocol message resulting in a denial-of-service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H 3.9 5.2
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation thinmanager_thinserver *
rockwellautomation thinmanager_thinserver 13.1.0
CVE-2023-2917

The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability.  Due to an improper input validation, a path traversal vulnerability exists, via the filename field, when the ThinManager processes a certain function. If exploited, an unauthenticated remote attacker can upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed.  A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message and potentially gain remote code execution abilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
PSIRT@rockwellautomation.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
rockwellautomation thinmanager_thinserver *
rockwellautomation thinmanager_thinserver 13.1.0
CVE-2023-29460

An arbitrary code execution vulnerability contained in Rockwell Automation's Arena Simulation software was reported that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow potentially resulting in a complete loss of confidentiality, integrity, and availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena_simulation 16.00.00
rockwellautomation arena_simulation 16.20.00
rockwellautomation arena 16.00.00
rockwellautomation arena 16.20.00
CVE-2023-29461

An arbitrary code execution vulnerability contained in Rockwell Automation's Arena Simulation software was reported that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow in the heap. potentially resulting in a complete loss of confidentiality, integrity, and availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena_simulation 16.00.00
rockwellautomation arena_simulation 16.20.00
rockwellautomation arena 16.00.00
rockwellautomation arena 16.20.00
CVE-2023-29462

An arbitrary code execution vulnerability contained in Rockwell Automation's Arena Simulation software was reported that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow in the heap. potentially resulting in a complete loss of confidentiality, integrity, and availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena_simulation 16.20.01
rockwellautomation arena_simulation 16.00.00
rockwellautomation arena 16.20.01
rockwellautomation arena 16.00.00
CVE-2023-29463

The JMX Console within the Rockwell Automation Pavilion8 is exposed to application users and does not require authentication. If exploited, a malicious user could potentially retrieve other application users’ session data and or log users out of their session.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5
PSIRT@rockwellautomation.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
rockwellautomation pavilion8 *
CVE-2023-29464

FactoryTalk Linx, in the Rockwell Automation PanelView Plus, allows an unauthenticated threat actor to read data from memory via crafted malicious packets. Sending a size larger than the buffer size results in leakage of data from memory resulting in an information disclosure. If the size is large enough, it causes communications over the common industrial protocol to become unresponsive to any type of packet, resulting in a denial-of-service to FactoryTalk Linx over the common industrial protocol.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H 3.9 4.2
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

Products Affected

Vendor Product Version
rockwellautomation factorytalk_linx 6.30
rockwellautomation factorytalk_linx 6.20
CVE-2023-3595

Where this vulnerability exists in the Rockwell Automation 1756 EN2* and 1756 EN3* ControlLogix communication products, it could allow a malicious user to perform remote code execution with persistence on the target system through maliciously crafted CIP messages. This includes the ability to modify, deny, and exfiltrate data passing through the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
rockwellautomation 1756-en3tr_series_b_firmware -
rockwellautomation 1756-en2f_series_c_firmware -
rockwellautomation 1756-en2t_series_b_firmware -
rockwellautomation 1756-en2tr_series_c_firmware -
rockwellautomation 1756-en2tr_series_a_firmware -
rockwellautomation 1756-en2t_series_d_firmware -
rockwellautomation 1756-en2t_series_a_firmware -
rockwellautomation 1756-en2f_series_b_firmware -
rockwellautomation 1756-en2f_series_a_firmware -
rockwellautomation 1756-en2t_series_c_firmware -
rockwellautomation 1756-en3tr_series_a_firmware -
rockwellautomation 1756-en2tr_series_b_firmware -
CVE-2023-3596

Where this vulnerability exists in the Rockwell Automation 1756-EN4* Ethernet/IP communication products, it could allow a malicious user to cause a denial of service by asserting the target system through maliciously crafted CIP messages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation 1756-en4trk_firmware -
rockwellautomation 1756-en4tr_firmware -
rockwellautomation 1756-en4trxt_firmware -
CVE-2023-46289

Rockwell Automation FactoryTalk View Site Edition insufficiently validates user input, which could potentially allow threat actors to send malicious data bringing the product offline. If exploited, the product would become unavailable and require a restart to recover resulting in a denial-of-service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view *
CVE-2023-46290

Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk® Services Platform web service and then use the token to log in into FactoryTalk® Services Platform . This vulnerability can only be exploited if the authorized user did not previously log in into the FactoryTalk® Services Platform web service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
rockwellautomation factorytalk_services_platform *
CVE-2023-5908

KEPServerEX is vulnerable to a buffer overflow which may allow an attacker to crash the product being accessed or leak information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2
ics-cert@hq.dhs.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

Products Affected

Vendor Product Version
ptc thingworx_kepware_edge *
ptc opc-aggregator *
ptc thingworx_kepware_server *
rockwellautomation kepserver_enterprise *
ge industrial_gateway_server *
ptc thingworx_industrial_connectivity -
softwaretoolbox top_server *
ptc keepserverex *
CVE-2023-5909

KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
ptc thingworx_kepware_edge *
ptc opc-aggregator *
ptc thingworx_kepware_server *
rockwellautomation kepserver_enterprise *
ge industrial_gateway_server *
ptc thingworx_industrial_connectivity -
softwaretoolbox top_server *
ptc keepserverex *
CVE-2024-10386

CVE-2024-10386 IMPACT An authentication vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in database manipulation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
rockwellautomation thinmanager 14.0.0
CVE-2024-10387

CVE-2024-10387 IMPACT A Denial-of-Service vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in Denial-of-Service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
rockwellautomation thinmanager 14.0.0
CVE-2024-11156

An “out of bounds write” code execution vulnerability exists in the Rockwell Automation Arena® that could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2024-11364

Another “uninitialized variable” code execution vulnerability exists in the Rockwell Automation Arena® that could allow a threat actor to craft a DOE file and force the software to access a variable prior to it being initialized. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 1.3 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2024-12130

An “out of bounds read” code execution vulnerability exists in the Rockwell Automation Arena® that could allow a threat actor to craft a DOE file and force the software to read beyond the boundaries of an allocated memory. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2024-21912

An arbitrary code execution vulnerability in Rockwell Automation Arena Simulation could let a malicious user insert unauthorized code into the software. This is done by writing beyond the designated memory area, which causes an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2024-21913

A heap-based memory buffer overflow vulnerability in Rockwell Automation Arena Simulation software could potentially allow a malicious user to insert unauthorized code into the software by overstepping the memory boundaries, which triggers an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2024-21914

A vulnerability exists in the affected product that allows a malicious user to restart the Rockwell Automation PanelView™ Plus 7 terminal remotely without security protections. If the vulnerability is exploited, it could lead to the loss of view or control of the PanelView™ product.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view *
CVE-2024-21915

A privilege escalation vulnerability exists in Rockwell Automation FactoryTalk® Service Platform (FTSP). If exploited, a malicious user with basic user group privileges could potentially sign into the software and receive FTSP Administrator Group privileges. A threat actor could potentially read and modify sensitive data, delete data and render the FTSP system unavailable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0

Products Affected

Vendor Product Version
rockwellautomation factorytalk_services_platform *
CVE-2024-21916

A denial-of-service vulnerability exists in specific Rockwell Automation ControlLogix ang GuardLogix controllers. If exploited, the product could potentially experience a major nonrecoverable fault (MNRF). The device will restart itself to recover from the MNRF.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
PSIRT@rockwellautomation.com 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0

Products Affected

Vendor Product Version
rockwellautomation guardlogix_5570_controller_firmware 20.011
rockwellautomation controllogix_5570_controller_firmware 20.011
rockwellautomation controllogix_5570_redundant_controller_firmware 20.054_kit1
CVE-2024-21917

A vulnerability exists in Rockwell Automation FactoryTalk® Service Platform that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory.  If exploited, a malicious user could potentially retrieve user information and modify settings without any authentication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2
PSIRT@rockwellautomation.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
rockwellautomation factorytalk_services_platform *
CVE-2024-21918

A memory buffer vulnerability in Rockwell Automation Arena Simulation software could potentially allow a malicious user to insert unauthorized code to the software by corrupting the memory and triggering an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2024-21919

An uninitialized pointer in Rockwell Automation Arena Simulation software could potentially allow a malicious user to insert unauthorized code to the software by leveraging the pointer after it is properly. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2024-21920

A memory buffer vulnerability in Rockwell Automation Arena Simulation could potentially let a threat actor read beyond the intended memory boundaries. This could reveal sensitive information and even cause the application to crash, resulting in a denial-of-service condition. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L 1.8 2.5

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2024-2424

An input validation vulnerability exists in the Rockwell Automation 5015-AENFTXT that causes the secondary adapter to result in a major nonrecoverable fault (MNRF) when malicious input is entered. If exploited, the availability of the device will be impacted, and a manual restart is required. Additionally, a malformed PTP packet is needed to exploit this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation 5015-aenftxt_firmware 2.011
CVE-2024-2425

A denial-of-service vulnerability exists in the Rockwell Automation PowerFlex® 527 due to improper input validation in the device. If exploited, the web server will crash and need a manual restart to recover it.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation powerflex_527_ac_drives_firmware *
CVE-2024-2426

A denial-of-service vulnerability exists in the Rockwell Automation PowerFlex® 527 due to improper input validation in the device. If exploited, a disruption in the CIP communication will occur and a manual restart will be required by the user to recover it.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation powerflex_527_ac_drives_firmware *
CVE-2024-2427

A denial-of-service vulnerability exists in the Rockwell Automation PowerFlex® 527 due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly the device will crash and require a manual restart to recover.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation powerflex_527_ac_drives_firmware *
CVE-2024-2929

A memory corruption vulnerability in Rockwell Automation Arena Simulation software could potentially allow a malicious user to insert unauthorized code to the software by corrupting the memory triggering an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2024-3493

A specific malformed fragmented packet type (fragmented packets may be generated automatically by devices that send large amounts of data) can cause a major nonrecoverable fault (MNRF) Rockwell Automation's ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR. If exploited, the affected product will become unavailable and require a manual restart to recover it. Additionally, an MNRF could result in a loss of view and/or control of connected devices.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0

Products Affected

Vendor Product Version
rockwellautomation compactlogix_5380_firmware 35.011
rockwellautomation 1756-en4tr_firmware 5.001
rockwellautomation compactlogix_5380_process_firmware 35.011
rockwellautomation compact_guardlogix_5380_firmware 35.011
rockwellautomation controllogix_5580_firmware 35.011
rockwellautomation guardlogix_5580_firmware 35.011
rockwellautomation controllogix_5580_process_firmware 35.011
rockwellautomation compactlogix_5480_firmware 35.011
CVE-2024-37365

A remote code execution vulnerability exists in the affected product. The vulnerability allows users to save projects within the public directory allowing anyone with local access to modify and/or delete files. Additionally, a malicious user could potentially leverage this vulnerability to escalate their privileges by changing the macro to execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 1.3 5.9

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view 14.0
CVE-2024-37367

A user authentication vulnerability exists in the Rockwell Automation FactoryTalk® View SE v12. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. This action is allowed without proper authentication verification.

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view *
CVE-2024-37368

A user authentication vulnerability exists in the Rockwell Automation FactoryTalk® View SE. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. Due to the lack of proper authentication, this action is allowed without proper authentication verification.

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view *
CVE-2024-37369

A privilege escalation vulnerability exists in the affected product. The vulnerability allows low-privilege users to edit scripts, bypassing Access Control Lists, and potentially gaining further access within the system.

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view *
CVE-2024-40619

CVE-2024-40619 IMPACT A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.

Products Affected

Vendor Product Version
rockwellautomation guardlogix_5580_firmware 34.011
rockwellautomation controllogix_5580_firmware 34.011
CVE-2024-40620

CVE-2024-40620 IMPACT A vulnerability exists in the affected product due to lack of encryption of sensitive information. The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data's confidentiality.

Products Affected

Vendor Product Version
rockwellautomation pavilion8 5.20.00
CVE-2024-45824

CVE-2024-45824 IMPACT A remote code vulnerability exists in the affected products. The vulnerability occurs when chained with Path Traversal, Command Injection, and XSS Vulnerabilities and allows for full unauthenticated remote code execution. The link in the mitigations section below contains patches to fix this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view *
CVE-2024-4609

A vulnerability exists in the Rockwell Automation FactoryTalk® View SE Datalog function that could allow a threat actor to inject a malicious SQL statement if the SQL database has no authentication in place or if legitimate credentials were stolen. If exploited, the attack could result in information exposure, revealing sensitive information. Additionally, a threat actor could potentially modify and delete the data in a remote database. An attack would only affect the HMI design time, not runtime.

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view *
CVE-2024-5659

Rockwell Automation was made aware of a vulnerability that causes all affected controllers on the same network to result in a major nonrecoverable fault(MNRF/Assert). This vulnerability could be exploited by sending abnormal packets to the mDNS port. If exploited, the availability of the device would be compromised.

Products Affected

Vendor Product Version
rockwellautomation compactlogix_5380_firmware 34.011
rockwellautomation guardlogix_5580_firmware 34.011
rockwellautomation compactlogix_5480_firmware 34.011
rockwellautomation compact_guardlogix_5380_firmware 34.011
rockwellautomation 1756-en4_firmware 4.001
rockwellautomation controllogix_5580_firmware 34.011
CVE-2024-5988

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the Rockwell Automation ThinManager® ThinServer™.

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
rockwellautomation thinserver *
CVE-2024-5989

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injection into the program and cause a remote code execution condition on the Rockwell Automation ThinManager® ThinServer™.

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
rockwellautomation thinserver *
CVE-2024-5990

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread within Rockwell Automation ThinServer™ and cause a denial-of-service condition on the affected device.

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
rockwellautomation thinserver *
CVE-2024-6089

An input validation vulnerability exists in the Rockwell Automation 5015 - AENFTXT when a manipulated PTP packet is sent, causing the secondary adapter to result in a major nonrecoverable fault. If exploited, a power cycle is required to recover the product.

Products Affected

Vendor Product Version
rockwellautomation 5015-aenftxt_firmware 2.011
CVE-2024-6207

CVE 2021-22681 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1550.html  and send a specially crafted CIP message to the device. If exploited, a threat actor could help prevent access to the legitimate user and end connections to connected devices including the workstation. To recover the controllers, a download is required which ends any process that the controller is running.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation guardlogix_5580_firmware *
rockwellautomation factorytalk_logix_echo_firmware *
rockwellautomation compact_guardlogix_5380_sil_3_firmware *
rockwellautomation controllogix_5580_process_firmware *
rockwellautomation controllogix_5580_firmware *
rockwellautomation compact_guardlogix_5380_sil_2_firmware *
rockwellautomation compactlogix_5480_firmware *
rockwellautomation compactlogix_5380_firmware *
CVE-2024-6325

The v6.40 release of Rockwell Automation FactoryTalk® Policy Manager CVE-2021-22681 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1550.html  and CVE-2022-1161 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html  by implementing CIP security and did not update to the versions of the software CVE-2022-1161 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html  and CVE-2022-1161. https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html

Products Affected

Vendor Product Version
rockwellautomation factorytalk_policy_manager 6.40.0
CVE-2024-6326

An exposure of sensitive information vulnerability exists in the Rockwell Automation FactoryTalk® System Service. A malicious user could exploit this vulnerability by starting a back-up or restore process, which temporarily exposes private keys, passwords, pre-shared keys, and database folders when they are temporarily copied to an interim folder. This vulnerability is due to the lack of explicit permissions set on the backup folder. If private keys are obtained by a malicious user, they could impersonate resources on the secured network.

Products Affected

Vendor Product Version
rockwellautomation factorytalk_policy_manager 6.40.0
rockwellautomation factorytalk_system_services 6.40.0
CVE-2024-6435

A privilege escalation vulnerability exists in the affected products which could allow a malicious user with basic privileges to access functions which should only be available to users with administrative level privileges. If exploited, an attacker could read sensitive data, and create users. For example, a malicious user with basic privileges could perform critical functions such as creating a user with elevated privileges and reading sensitive information in the “views” section.

Products Affected

Vendor Product Version
rockwellautomation pavilion8 5.17.01
rockwellautomation pavilion8 5.15.00
rockwellautomation pavilion8 5.17.00
rockwellautomation pavilion8 5.15.01
rockwellautomation pavilion8 5.20.00
rockwellautomation pavilion8 5.16.00
CVE-2024-6436

An input validation vulnerability exists in the Rockwell Automation Sequence Manager™ which could allow a malicious user to send malformed packets to the server and cause a denial-of-service condition. If exploited, the device would become unresponsive, and a manual restart will be required for recovery. Additionally, if exploited, there could be a loss of view for the downstream equipment sequences in the controller. Users would not be able to view the status or command the equipment sequences, however the equipment sequence would continue to execute uninterrupted.

Products Affected

Vendor Product Version
rockwellautomation sequencemanager *
CVE-2024-7507

CVE-2024-7507 IMPACT A denial-of-service vulnerability exists in the affected products. This vulnerability occurs when a malformed PCCC message is received, causing a fault in the controller.

Products Affected

Vendor Product Version
rockwellautomation compactlogix_5380_firmware 35.011
rockwellautomation compact_guardlogix_5380_sil_2_firmware 35.011
rockwellautomation guardlogix_5580_firmware *
rockwellautomation compact_guardlogix_5380_sil_3_firmware *
rockwellautomation compact_guardlogix_5380_sil_3_firmware 35.011
rockwellautomation controllogix_5580_firmware *
rockwellautomation compact_guardlogix_5380_sil_2_firmware *
rockwellautomation controllogix_5580_firmware 35.011
rockwellautomation guardlogix_5580_firmware 35.011
rockwellautomation compactlogix_5480_firmware *
rockwellautomation compactlogix_5480_firmware 35.011
rockwellautomation compactlogix_5380_firmware *
CVE-2024-7513

CVE-2024-7513 IMPACT A code execution vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing any user to edit or replace files, which are executed by account with elevated permissions.

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view *
CVE-2024-7515

CVE-2024-7515 IMPACT A denial-of-service vulnerability exists in the affected products. A malformed PTP management packet can cause a major nonrecoverable fault in the controller.

Products Affected

Vendor Product Version
rockwellautomation compactlogix_5380_firmware 35.011
rockwellautomation compact_guardlogix_5380_sil_2_firmware 35.011
rockwellautomation guardlogix_5580_firmware *
rockwellautomation compact_guardlogix_5380_sil_3_firmware *
rockwellautomation compact_guardlogix_5380_sil_3_firmware 35.011
rockwellautomation controllogix_5580_firmware *
rockwellautomation compact_guardlogix_5380_sil_2_firmware *
rockwellautomation controllogix_5580_firmware 35.011
rockwellautomation guardlogix_5580_firmware 35.011
rockwellautomation compactlogix_5480_firmware *
rockwellautomation compactlogix_5480_firmware 35.011
rockwellautomation compactlogix_5380_firmware *
CVE-2024-7847

VULNERABILITY DETAILS Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported to us by Sharon Brizinov of Claroty Research - Team82. A feature in the affected products enables users to prepare a project file with an embedded VBA script and can be configured to run once the project file has been opened without user intervention. This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution. Connected devices may also be impacted by exploitation of this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
PSIRT@rockwellautomation.com 7.7 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.0 6.0

Products Affected

Vendor Product Version
rockwellautomation rslogix_micro_developer -
rockwellautomation rslogix_500 -
rockwellautomation rslogix_5 -
rockwellautomation rslogix_micro_starter_lite -
CVE-2024-7986

A vulnerability exists in the Rockwell Automation ThinManager® ThinServer that allows a threat actor to disclose sensitive information. A threat actor can exploit this vulnerability by abusing the ThinServer™ service to read arbitrary files by creating a junction that points to the target directory.

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
CVE-2024-7987

A remote code execution vulnerability exists in the Rockwell Automation ThinManager® ThinServer™ that allows a threat actor to execute arbitrary code with System privileges. To exploit this vulnerability and a threat actor must abuse the ThinServer™ service by creating a junction and use it to upload arbitrary files.

Products Affected

Vendor Product Version
rockwellautomation thinmanager_thinserver *
CVE-2024-7988

A remote code execution vulnerability exists in the Rockwell Automation ThinManager® ThinServer™ that allows a threat actor to execute arbitrary code with System privileges. This vulnerability exists due to the lack of proper data input validation, which allows files to be overwritten.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
rockwellautomation thinmanager_thinserver *
CVE-2024-8626

Due to a memory leak, a denial-of-service vulnerability exists in the Rockwell Automation affected products. A malicious actor could exploit this vulnerability by performing multiple actions on certain web pages of the product causing the affected products to become fully unavailable and require a power cycle to recover.

Products Affected

Vendor Product Version
rockwellautomation guardlogix_5580_firmware *
rockwellautomation 1756-en4tr_firmware 3.002
rockwellautomation controllogix_5580_firmware *
rockwellautomation compactlogix_5480_firmware *
rockwellautomation compact_guardlogix_5380_firmware *
rockwellautomation compactlogix_5380_firmware *
CVE-2024-9124

A denial-of-service vulnerability exists in the Rockwell Automation PowerFlex® 600T. If the device is overloaded with requests, it will become unavailable. The device may require a power cycle to recover it if it does not re-establish a connection after it stops receiving requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 0.0 NONE CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N 3.9 0.0

Products Affected

Vendor Product Version
rockwellautomation powerflex_6000t_firmware 9.001
rockwellautomation powerflex_6000t_firmware 8.001
rockwellautomation powerflex_6000t_firmware 8.002
CVE-2025-0477

An encryption vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The vulnerability exists due to a weak encryption methodology and could allow a threat actor to extract passwords belonging to other users of the application.

Products Affected

Vendor Product Version
rockwellautomation factorytalk_assetcentre *
CVE-2025-0497

A data exposure vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The vulnerability exists due to storing credentials in the configuration file of EventLogAttachmentExtractor, ArchiveExtractor, LogCleanUp, or ArchiveLogCleanUp packages.

Products Affected

Vendor Product Version
rockwellautomation factorytalk_assetcentre *
CVE-2025-0498

A data exposure vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The vulnerability exists due to insecure storage of FactoryTalk® Security user tokens, which could allow a threat actor to steal a token and, impersonate another user.

Products Affected

Vendor Product Version
rockwellautomation factorytalk_assetcentre *
CVE-2025-11918

Rockwell Automation Arena® suffers from a stack-based buffer overflow vulnerability. The specific flaw exists within the parsing of DOE files. Local attackers are able to exploit this issue to potentially execute arbitrary code on affected installations of Arena®. Exploiting the vulnerability requires opening a malicious DOE file.

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-2285

A local code execution vulnerability exists in the Rockwell Automation Arena®  due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-2286

A local code execution vulnerability exists in the Rockwell Automation Arena®  due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-2287

A local code execution vulnerability exists in the Rockwell Automation Arena®  due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-2288

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-2293

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-2829

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-3285

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-3286

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-3287

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a stack-based memory buffer overflow. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-3288

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-3289

A local code execution vulnerability exists in the Rockwell Automation Arena® due to a stack-based memory buffer overflow. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-3617

A privilege escalation vulnerability exists in the Rockwell Automation ThinManager. When the software starts up, files are deleted in the temporary folder causing the Access Control Entry of the directory to inherit permissions from the parent directory. If exploited, a threat actor could inherit elevated privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
CVE-2025-3618

A denial-of-service vulnerability exists in the Rockwell Automation ThinManager. The software fails to adequately verify the outcome of memory allocation while processing Type 18 messages. If exploited, a threat actor could cause a denial-of-service on the target software.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
CVE-2025-6376

A remote code execution security issue exists in the Rockwell Automation Arena®.  A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worse case impact. This is reflected in the Rockwell CVSS score, as AT:P.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-6377

A remote code execution security issue exists in the Rockwell Automation Arena®.  A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worse case impact. This is reflected in the Rockwell CVSS score, as AT:P.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-7025

A memory abuse issue exists in the Rockwell Automation Arena® Simulation. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-7032

A memory abuse issue exists in the Rockwell Automation Arena® Simulation. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-7033

A memory abuse issue exists in the Rockwell Automation Arena® Simulation. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation arena *
CVE-2025-7328

Multiple Broken Authentication security issues exist in the affected product. The security issues are due to missing authentication checks on critical functions. These could result in potential denial-of-service, admin account takeover, or NAT rule modifications. Devices would no longer be able to communicate through NATR as a result of denial-of-service or NAT rule modifications. NAT rule modification could also result in device communication to incorrect endpoints. Admin account takeover could allow modification of configuration and require physical access to restore.

Products Affected

Vendor Product Version
rockwellautomation 1783-natr_firmware *
CVE-2025-7329

A Stored Cross-Site Scripting security issue exists in the affected product that could potentially allow a malicious user to view and modify sensitive data or make the webpage unavailable. The vulnerability stems from missing special character filtering and encoding. Successful exploitation requires an attacker to be able to update configuration fields behind admin login.

Products Affected

Vendor Product Version
rockwellautomation 1783-natr_firmware *
CVE-2025-7330

A cross-site request forgery security issue exists in the product and version listed. The vulnerability stems from missing CSRF checks on the impacted form. This allows for unintended configuration modification if an attacker can convince a logged in admin to visit a crafted link.

Products Affected

Vendor Product Version
rockwellautomation 1783-natr_firmware *
CVE-2025-7970

A security issue exists within FactoryTalk Activation Manager. An error in the implementation of cryptography within the software could allow attackers to decrypt traffic. This could result in data exposure, session hijacking, or full communication compromise.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation factorytalk_activation_manager *
CVE-2025-7972

A security issue exists within the FactoryTalk Linx Network Browser. By modifying the process.env.NODE_ENV to ‘development’, the attacker can disable FTSP token validation. This bypass allows access to create, update, and delete FTLinx drivers.

Products Affected

Vendor Product Version
rockwellautomation factorytalk_linx *
CVE-2025-8007

A security issue exists in the protected mode of 1756-EN4TR and 1756-EN2TR communication modules, where a Concurrent Forward Close operation can trigger a Major Non-Recoverable (MNFR) fault. This condition may lead to unexpected system crashes and loss of device availability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
rockwellautomation 1756-en2tr_series_c_firmware *
rockwellautomation 1756-en2tr_series_b_firmware *
rockwellautomation 1756-en2tr_series_a_firmware *
rockwellautomation 1756-en4trxt_firmware *
rockwellautomation 1756-en4tr_firmware *
CVE-2025-8008

A security issue exists in the protected mode of EN4TR devices, where sending specifically crafted messages during a Forward Close operation can cause the device to crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
rockwellautomation 1756-en2tr_series_c_firmware *
rockwellautomation 1756-en2tr_series_b_firmware *
rockwellautomation 1756-en2tr_series_a_firmware *
rockwellautomation 1756-en4trxt_firmware *
rockwellautomation 1756-en4tr_firmware *
CVE-2025-9063

An authentication bypass security issue exists within FactoryTalk View Machine Edition Web Browser ActiveX control. Exploitation of this vulnerability allows unauthorized access to the PanelView Plus 7 Series B, including access to the file system, retrieval of diagnostic information, event logs, and more.

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view *
CVE-2025-9064

A path traversal security issue exists within FactoryTalk View Machine Edition, allowing unauthenticated attackers on the same network as the device to delete any file within the panels operating system. Exploitation of this vulnerability is dependent on the knowledge of filenames to be deleted.

Products Affected

Vendor Product Version
rockwellautomation factorytalk_view *
CVE-2025-9065

A server-side request forgery security issue exists within Rockwell Automation ThinManager® software due to the lack of input sanitization. Authenticated attackers can exploit this vulnerability by specifying external SMB paths, exposing the ThinServer® service account NTLM hash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
rockwellautomation thinmanager *
CVE-2025-9067

A security issue exists within the x86 Microsoft Installer File (MSI), installed with FTLinx. Authenticated attackers with valid Windows user credentials can initiate a repair and hijack the resulting console window. This allows the launching of a command prompt running with SYSTEM-level privileges, allowing full access to all files, processes, and system resources.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation factorytalk_linx *
CVE-2025-9068

A security issue exists within the Rockwell Automation Driver Package x64 Microsoft Installer File (MSI) repair functionality, installed with FTLinx. Authenticated attackers with valid Windows Users credentials can initiate a repair and hijack the resulting console window for vbpinstall.exe. This allows the launching of a command prompt running with SYSTEM-level privileges, allowing full access to all files, processes, and system resources.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
rockwellautomation factorytalk_linx *
CVE-2025-9161

A security issue exists within FactoryTalk Optix MQTT broker due to the lack of URI sanitization. This flaw enables the loading of remote Mosquito plugins, which can be used to achieve remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
rockwellautomation factorytalk_optix *
CVE-2025-9166

A denial-of-service security issue exists in the affected product and version. The security issue stems from the controller repeatedly attempting to forward messages. The issue could result in a major nonrecoverable fault on the controller.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
rockwellautomation controllogix_5580_firmware 35.013
CVE-2025-9278

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. After running a Burp Suite active scan, the device loses ICMP connectivity, causing the web application to become inaccessible.

Products Affected

Vendor Product Version
rockwellautomation armorstart_lt_firmware *
CVE-2025-9279

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds.

Products Affected

Vendor Product Version
rockwellautomation armorstart_lt_firmware *
CVE-2025-9280

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. Fuzzing performed using Defensics causes the device to become unresponsive, requiring a reboot.

Products Affected

Vendor Product Version
rockwellautomation armorstart_lt_firmware *
CVE-2025-9281

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive step limit storm tests, the device reboots

Products Affected

Vendor Product Version
rockwellautomation armorstart_lt_firmware *
CVE-2025-9282

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds.

Products Affected

Vendor Product Version
rockwellautomation armorstart_lt_firmware *
CVE-2025-9283

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limits Storms tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds.

Products Affected

Vendor Product Version
rockwellautomation armorstart_lt_firmware *
CVE-2025-9364

An open database issue exists in the affected product and version. The security issue stems from an over permissive Redis instance. This could result in an attacker on the intranet accessing sensitive data and potential alteration of data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
rockwellautomation factorytalk_analytics_logixai 3.00.00
rockwellautomation factorytalk_analytics_logixai 3.01.00
CVE-2025-9464

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. This vulnerability is triggered during fuzzing of multiple CIP classes, which causes the CIP port to become unresponsive.

Products Affected

Vendor Product Version
rockwellautomation armorstart_lt_firmware *
CVE-2025-9465

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds.

Products Affected

Vendor Product Version
rockwellautomation armorstart_lt_firmware *
CVE-2025-9466

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP and CIP grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds.

Products Affected

Vendor Product Version
rockwellautomation armorstart_lt_firmware *