Latest Vulnerabilities #
Rockwell Automation has disclosed multiple vulnerabilities in their FactoryTalk ThinManager product.
CVE-2024-10386 is rated critical, with a CVSS v4 score of 9.3, and allows attackers with network access to send specially crafted packets that result in database manipulation.
CVE-2024-10387 is rated high, with a CVSS v4 score of 8.7, and allows attackers with network access to send specially crafted packets to the device, potentially triggering a denial-of-service.
The following versions are currently affected by these vulnerabilities:
- ThinManager: Versions 11.2.0 to 11.2.9
- ThinManager: Versions 12.0.0 to 12.0.7
- ThinManager: Versions 12.1.0 to 12.1.8
- ThinManager: Versions 13.0.0 to 13.0.5
- ThinManager: Versions 13.1.0 to 13.1.3
- ThinManager: Versions 13.2.0 to 13.2.2
- ThinManager: Version 14.0.0
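To check an exported inventory against the version list above, the following added example (not runZero or Rockwell Automation code) sorts hosts into affected, not listed, and unknown. It assumes versions are reported as dotted `major.minor.patch` strings; the hostnames, sample versions, and function names are constructed for illustration.

```python
import re

# Affected ThinManager ranges from the list above, as inclusive (low, high) bounds.
AFFECTED_RANGES = [
    ((11, 2, 0), (11, 2, 9)),
    ((12, 0, 0), (12, 0, 7)),
    ((12, 1, 0), (12, 1, 8)),
    ((13, 0, 0), (13, 0, 5)),
    ((13, 1, 0), (13, 1, 3)),
    ((13, 2, 0), (13, 2, 2)),
    ((14, 0, 0), (14, 0, 0)),
]

def parse_version(text):
    """Return (major, minor, patch), ignoring extra build fields; None if unparseable."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)\.(\d+)(?:\.\d+)*", (text or "").strip())
    return tuple(map(int, m.groups())) if m else None

def is_affected(version):
    """True/False for a parseable version, None when it needs manual review."""
    v = parse_version(version)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def triage(inventory):
    """Split (host, version) pairs into affected / not_listed / unknown buckets."""
    result = {"affected": [], "not_listed": [], "unknown": []}
    for host, version in inventory:
        verdict = is_affected(version)
        key = "unknown" if verdict is None else ("affected" if verdict else "not_listed")
        result[key].append(host)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("tm-line1", "13.1.3"),     # upper bound of a listed range
    ("tm-line2", "13.1.4"),     # one past that range
    ("tm-line3", "14.0.0"),     # single listed version
    ("tm-line4", "v12.0.7.0"),  # build suffix, still 12.0.7
    ("tm-lab", "11.1.5"),       # older than any listed range
    ("tm-old", "unknown"),      # no usable version string
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(bucket, hosts)
```

Hosts in `not_listed` are only outside the ranges given above; releases older than 11.2.0 are not covered by the list, so treat them as needing review rather than as safe.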
Are updates or workarounds available? #
Rockwell Automation has released patches for the affected product. Users are advised to update their systems as quickly as possible. In addition, users are advised to restrict access to TCP port 2031 to only the devices that need to connect to ThinManager.
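One way to verify that the TCP 2031 restriction is actually in effect is to audit firewall or flow logs for permitted connections from hosts outside the expected client ranges. This is an added example, not code from runZero or Rockwell Automation; the log format (`timestamp src dst proto dst_port action`), the addresses, and the function names are assumptions constructed for illustration.

```python
import ipaddress

THINMANAGER_PORT = 2031  # port named in the vendor guidance above

def parse_record(line):
    """Parse 'timestamp src dst proto dst_port action' (assumed log format)."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, port, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "proto": proto.lower(),
                "port": int(port), "action": action.lower()}
    except ValueError:
        return None  # bad address or port: skip rather than guess

def unexpected_clients(lines, server_ips, allowed_nets):
    """Count permitted TCP 2031 connections to the servers from non-allowed sources."""
    servers = {ipaddress.ip_address(s) for s in server_ips}
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["proto"] != "tcp" or rec["port"] != THINMANAGER_PORT:
            continue
        if rec["dst"] not in servers or rec["action"] != "allow":
            continue  # other destinations, or traffic the firewall already dropped
        if not any(rec["src"] in net for net in allowed):
            key = str(rec["src"])
            hits[key] = hits.get(key, 0) + 1
    return hits

# Constructed sample log: one server, one thin-client subnet, one stray source.
SAMPLE_LOG = [
    "2024-11-01T08:00:01Z 10.20.5.11 10.20.1.10 tcp 2031 allow",
    "2024-11-01T08:00:07Z 10.30.9.44 10.20.1.10 tcp 2031 allow",
    "2024-11-01T08:01:12Z 10.30.9.44 10.20.1.10 tcp 2031 allow",
    "2024-11-01T08:02:30Z 10.40.2.7 10.20.1.10 tcp 2031 deny",
    "2024-11-01T08:03:00Z 10.30.9.44 10.20.1.10 tcp 443 allow",
    "malformed line",
]

if __name__ == "__main__":
    found = unexpected_clients(SAMPLE_LOG, ["10.20.1.10"], ["10.20.5.0/24"])
    for src, count in found.items():
        print(f"{src}: {count} permitted connection(s) to TCP {THINMANAGER_PORT}")
```

Any source reported here reached the ThinManager port through the firewall even though it is not in the allowed client ranges, which means the restriction is missing or too broad.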
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
vendor:"Rockwell Automation" AND tcp:2031
CVE-2024-6077 (September 2024) #
Rockwell Automation has disclosed multiple vulnerabilities in their ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix products.
Successful exploitation of these vulnerabilities results in devices crashing and becoming inaccessible remotely, after which they require manual intervention to restart.
CVE-2024-6077 is rated high, with a CVSS v4 score of 8.7.
Are updates or workarounds available? #
Rockwell Automation has released patches and guidance for affected systems. Users are advised to upgrade as quickly as possible. Users may also disable CIP security on these devices to mitigate the issue.
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
vendor:"Rockwell Automation" AND (hw:"1756-EN2" OR hw:"1756-ENBT" OR hw:"1756-CN2/B" OR hw:"1756-CN2/A" OR hw:"1756-CNB/D" OR hw:"1756-CNB/E")
CVE-2024-40619 (August 2024) #
Rockwell Automation has disclosed multiple vulnerabilities in their ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix products.
Successful exploitation of these vulnerabilities results in devices crashing and becoming inaccessible remotely, after which they require manual intervention to restart.
CVE-2024-40619 is rated medium with a CVSS score of 7.5 and indicates a denial-of-service scenario in which a malformed CIP packet causes a device to crash and require a manual restart.
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
| --- | --- | --- |
| ControlLogix 5580 | v34.011 | v34.014+ |
| GuardLogix 5580 | v34.011 | v34.014+ |
Are updates or workarounds available? #
Rockwell Automation suggests updating devices to the corrected firmware revision.
- CVE-2024-7515 is rated high with a CVSS score of 8.6 and indicates a denial-of-service scenario in which a malformed PTP management packet causes a device to crash and require a manual restart.
- CVE-2024-7507 is rated medium with a CVSS score of 7.5 and indicates a denial-of-service scenario in which a malformed PCCC packet causes a device to crash and require a manual restart.
Rockwell Automation suggests updating devices to the corrected firmware revision. Additionally, they recommend restricting communication to CIP object 103 (0x67).
| Affected Product | Firmware Revision Prior To | Corrected in Firmware Revision |
| --- | --- | --- |
| CompactLogix 5380 (5069 - L3z) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |
| CompactLogix 5480 (5069 - L4) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |
| ControlLogix 5580 (1756 - L8z) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |
| GuardLogix 5580 (1756 - L8z) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |
| Compact GuardLogix 5380 (5069 - L3zS2) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |
In all of the cases above, users should ensure these devices are isolated in their own networks to prevent unwanted packets from flooding the device.
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
vendor:"Rockwell Automation" AND (hw:"1756-EN2" OR hw:"1756-ENBT" OR hw:"1756-CN2/B" OR hw:"1756-CN2/A" OR hw:"1756-CNB/D" OR hw:"1756-CNB/E")
CVE-2024-6242 (August 2024) #
On August 1st, 2024, Rockwell Automation disclosed a vulnerability in their ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules products.
CVE-2024-6242 is rated high with a CVSS score of 7.3 and allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller.
If this vulnerability is exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.
Are updates or workarounds available? #
Rockwell Automation recommends upgrading affected devices to apply the fixes.
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
| --- | --- | --- |
| ControlLogix® 5580 (1756-L8z) | V28 | V32.016, V33.015, V34.014, |
| GuardLogix® 5580 (1756-L8zS) | V31 | V32.016, V33.015, V34.014, |
| 1756-EN4TR | V2 | V5.001 and later |
| 1756-EN2T, Series A/B/C; 1756-EN2F, Series A/B; 1756-EN2TR, Series A/B; 1756-EN3TR, Series B | v5.007 (unsigned) / v5.027 (signed) | No fix is available for Series A/B/C. Users can upgrade to Series D to remediate this vulnerability |
| 1756-EN2T, Series D; 1756-EN2F, Series C; 1756-EN2TR, Series C; 1756-EN3TR, Series B; 1756-EN2TP, Series A | 1756-EN2T/D: V10.006; 1756-EN2F/C: V10.009; 1756-EN2TR/C: V10.007; 1756-EN3TR/B: V10.007; 1756-EN2TP/A: V10.020 | V12.001 and later |
Additionally, limit the allowed CIP commands on controllers by setting the mode switch to the RUN position.
How runZero users found potentially vulnerable systems #
From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:
hw:"1756-EN2" OR hw:"1756-EN3" OR hw:"1756-EN4"
CVE-2024-3493 (April 2024) #
In April 2024, Rockwell Automation disclosed a vulnerability in their ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR products.
CVE-2024-3493 was rated high with a CVSS score of 8.6 and involved a specific malformed fragmented packet type which could cause a major nonrecoverable fault (MNRF) in Rockwell Automation's ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR. If exploited, the affected product would become unavailable and require a manual restart to recover.
What was the impact? #
Successful exploitation of these vulnerabilities resulted in devices crashing and becoming inaccessible remotely, after which they required manual intervention to restart.
Rockwell Automation provided software updates for the impacted versions.
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
| --- | --- | --- |
| ControlLogix® 5580 | V35.011 | V35.013, V36.011 |
| GuardLogix 5580 | V35.011 | V35.013, V36.011 |
| CompactLogix 5380 | V35.011 | V35.013, V36.011 |
| 1756-EN4TR | V5.001 | V6.001 |
How runZero users found potentially vulnerable systems #
From the Asset Inventory, runZero users could use the following query to locate systems running potentially vulnerable software:
hw:"1756-EN4TR"
Rockwell Automation PowerFlex 527 vulnerabilities (March 2024) #
In March 2024, Rockwell Automation disclosed multiple vulnerabilities in their PowerFlex 527 product.
CVE-2024-2425 and CVE-2024-2426 are both rated high with a CVSS score of 7.5. Both involve improper input validation, which could cause a web server crash and a CIP communication disruption, respectively, each requiring a manual restart.
CVE-2024-2427 is rated high with a CVSS score of 7.5 and indicates a denial-of-service scenario in which improper network packet throttling causes a device to crash and require a manual restart.
What was the impact? #
Successful exploitation of these vulnerabilities results in devices crashing and becoming inaccessible remotely, after which they require manual intervention to restart.
Are updates or workarounds available? #
Rockwell Automation does not currently have a fix for these vulnerabilities. Users of the affected software are encouraged to apply risk mitigations and security best practices, where possible.
Users should disable the web server if it is not needed; it should be disabled by default. Additionally, users should ensure these devices are isolated in their own networks to prevent unwanted packets from flooding the device.
How to find potentially vulnerable PowerFlex products #
From the Asset Inventory, runZero users used the following query to locate systems running potentially vulnerable software:
hw.product:"powerflex"