CVE-2020-12001
published 2020-06-15


Priority: P262 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 11.50% (95.5th percentile)
FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior, Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later, and Studio 5000 Logix Designer software: Version 32 and prior are vulnerable. The parsing mechanism that processes certain file types does not provide input sanitation. This may allow an attacker to use specially crafted files to traverse the file system and modify or expose sensitive data or execute arbitrary code.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
rockwellautomation | factorytalk_linx | |
rockwellautomation | factorytalk_linx | |
rockwellautomation | factorytalk_linx | |
rockwellautomation | rslinx_classic | <= 4.11.00 |

Detection & IOCs (extracted from sources)

port TCP/2222
port TCP/7153
port UDP/44818
  • Monitor for path traversal patterns in files submitted to FactoryTalk Linx parsing mechanisms; the vulnerability allows directory traversal via specially crafted file types processed without input sanitation.
  • Alert on EDS file uploads to FactoryTalk Linx that contain malformed or high-compression-ratio content, which may indicate a denial-of-service attempt (CVE-2020-12005) or a file-type abuse attempt related to the same attack surface.
  • Detect network traffic to/from FactoryTalk Linx on TCP 2222, TCP 7153, and UDP 44818 originating from outside the manufacturing zone as a strong indicator of exploitation attempts against CVE-2020-12001 and related CVEs.
  • Monitor for exposed API calls accepting unsanitized file paths or filenames on FactoryTalk Linx; exploitation of CVE-2020-11999 (related) involves specifying a filename to execute unauthorized code.
  • CVE-2020-12001 affects only specific versions of FactoryTalk Linx (6.00, 6.10, 6.11) and downstream products; detections should be scoped to these versions to reduce false positives.
  • No known public exploits exist for these vulnerabilities at time of advisory publication; detections are preventive rather than reactive to observed in-the-wild exploitation.
  • RSLinx Classic v4.11.00 and prior was initially in scope but was later removed from the advisory scope in Update A; adjust asset inventory and detection scope accordingly.

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P