CVE-2020-12028
published 2020-07-20


Priority: P2 · 70 · high · 8.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:N
EXPLOIT
EPSS: 51.02% (98.8th percentile)

In all versions of FactoryTalk View SEA remote, an authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint since those handlers do not enforce appropriate permissions. Rockwell Automation recommends enabling built-in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPS.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | factorytalk_view_se | | |

Detection & IOCs (extracted from sources)

  • CVE-2020-12028 involves authenticated attackers abusing handlers that do not enforce appropriate permissions on FactoryTalk View SE remote endpoints; monitor for unusual handler interactions from authenticated sessions on FactoryTalk View SE
  • CVE-2020-12028 is chained with other vulnerabilities (CVE-2020-12027 info leak, CVE-2020-12029 directory traversal/RCE, CVE-2020-12031 memory corruption) in a full unauthenticated RCE exploit chain against FactoryTalk View SE; detection should consider multi-stage exploitation patterns across these CVEs
  • The exploit chain targets FactoryTalk View SE running under IIS; monitor IIS process (w3wp.exe) for anomalous child process spawning or unexpected code execution on SCADA systems
  • CVE-2020-12027 (information disclosure, chained with CVE-2020-12028) leaks hostnames and file paths; monitor for authenticated requests that return system path or hostname data from FactoryTalk View SE handlers
  • All versions of FactoryTalk View SE are affected by CVE-2020-12028; there is no version-specific scope, so any deployment is in scope for detection
  • At time of CISA advisory publication, no known public exploits specifically targeted CVE-2020-12028 in isolation, though a chained Metasploit module exists for the broader exploit chain
  • Mitigation for CVE-2020-12028 is configuration-based (IPSec/HTTPS), not a patch; detection posture should account for environments where these network controls may not be enforced

CVSS provenance

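| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |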