CVE-2020-12028
Published 2020-07-20. CVE-2020-12028: In all versions of FactoryTalk View SE, a remote, authenticated attacker may be able to utilize certain handlers to interact with the data on the remote…
Priority: P2/70, high, 8.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploit
EPSS: 51.02% (98.8th percentile)
In all versions of FactoryTalk View SE, a remote, authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint, since those handlers do not enforce appropriate permissions. Rockwell Automation recommends enabling the built-in security features found within FactoryTalk View SE. Users should follow the guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPS.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | factorytalk_view_se | — | — |
Detection & IOCs (extracted from sources)
- CVE-2020-12028 involves authenticated attackers abusing handlers that do not enforce appropriate permissions on FactoryTalk View SE remote endpoints; monitor for unusual handler interactions from authenticated sessions on FactoryTalk View SE.
- CVE-2020-12028 is chained with other vulnerabilities (CVE-2020-12027 info leak, CVE-2020-12029 directory traversal/RCE, CVE-2020-12031 memory corruption) in a full unauthenticated RCE exploit chain against FactoryTalk View SE; detection should consider multi-stage exploitation patterns across these CVEs.
- The exploit chain targets FactoryTalk View SE running under IIS; monitor the IIS worker process (w3wp.exe) for anomalous child process spawning or unexpected code execution on SCADA systems.
- CVE-2020-12027 (information disclosure, chained with CVE-2020-12028) leaks hostnames and file paths; monitor for authenticated requests that return system path or hostname data from FactoryTalk View SE handlers.
- All versions of FactoryTalk View SE are affected by CVE-2020-12028; there is no version-specific scope, so any deployment is in scope for detection.
- At the time of CISA advisory publication, no known public exploits specifically targeted CVE-2020-12028 in isolation, though a chained Metasploit module exists for the broader exploit chain.
- Mitigation for CVE-2020-12028 is configuration-based (IPSec/HTTPS), not a patch; detection posture should account for environments where these network controls may not be enforced.
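One way to act on the w3wp.exe guidance above, written here as an added example that is not part of this record, the CISA advisory, or any Rockwell material: a small checker that reads process-creation events and flags child processes the IIS worker process has no business launching. The key=value log layout, the field names, and the list of suspicious child images are assumptions for the example; the sample events are constructed.

```python
"""Flag child processes spawned by the IIS worker process (w3wp.exe).

Added example. The log lines are constructed to resemble Windows Security
event 4688 (process creation) fields exported as key=value pairs; the exact
field names and the suspicious-child list are assumptions, not a standard.
"""
import re
from dataclasses import dataclass

# Child images the IIS worker process should not normally launch. A legitimate
# ASP.NET compile step (csc.exe) is deliberately NOT in this list to keep the
# false-positive rate down; tune for your environment.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "certutil.exe", "mshta.exe",
}

# key=value pairs; values may be double-quoted when they contain spaces.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    parent: str
    child: str
    command_line: str


def parse_event(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_w3wp_children(lines):
    """Return a Finding for every 4688 event where w3wp.exe spawned a suspicious child."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4688":          # only process-creation events
            continue
        parent = basename(ev.get("ParentProcessName", ""))
        child = basename(ev.get("NewProcessName", ""))
        if parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
            findings.append(Finding(
                timestamp=ev.get("TimeCreated", ""),
                host=ev.get("Computer", ""),
                parent=parent,
                child=child,
                command_line=ev.get("CommandLine", ""),
            ))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    # svchost starting the worker process itself: normal.
    r'TimeCreated=2020-06-18T10:14:58Z Computer=SCADA-HMI01 EventID=4688 '
    r'ParentProcessName="C:\Windows\System32\svchost.exe" '
    r'NewProcessName="C:\Windows\System32\inetsrv\w3wp.exe" CommandLine="w3wp.exe -ap FTViewSE"',
    # ASP.NET dynamic compilation: expected, not flagged.
    r'TimeCreated=2020-06-18T10:15:00Z Computer=SCADA-HMI01 EventID=4688 '
    r'ParentProcessName="C:\Windows\System32\inetsrv\w3wp.exe" '
    r'NewProcessName="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" CommandLine="csc.exe /noconfig"',
    # Worker process launching a shell: flagged.
    r'TimeCreated=2020-06-18T10:15:01Z Computer=SCADA-HMI01 EventID=4688 '
    r'ParentProcessName="C:\Windows\System32\inetsrv\w3wp.exe" '
    r'NewProcessName="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c ver"',
    # Worker process launching PowerShell: flagged.
    r'TimeCreated=2020-06-18T10:15:02Z Computer=SCADA-HMI01 EventID=4688 '
    r'ParentProcessName="C:\Windows\System32\inetsrv\w3wp.exe" '
    r'NewProcessName="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -nop"',
    # Process-exit event (4689) for the same pair: ignored, only creation counts.
    r'TimeCreated=2020-06-18T10:15:03Z Computer=SCADA-HMI01 EventID=4689 '
    r'ParentProcessName="C:\Windows\System32\inetsrv\w3wp.exe" '
    r'NewProcessName="C:\Windows\System32\cmd.exe"',
]

if __name__ == "__main__":
    for f in detect_w3wp_children(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host}: {f.parent} -> {f.child} [{f.command_line}]")
```

The checker keys on the parent/child relationship rather than on the command line, because that relationship is the stable signal: whatever the handler chain ultimately runs, the first hop out of the IIS worker process is the event an HMI host should almost never produce.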
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| NVD | 2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |
CISA ICS
Rockwell Automation FactoryTalk View SE
Source: cisa_ics · 2020-06-18 · CVSS 9.0
[CRITICAL] Rockwell Automation FactoryTalk View SE
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
Rockwell Automation FactoryTalk View SE
Last Revised: June 18, 2020
Alert Code: ICSA-20-170-05
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.0
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Rockwell Automation
- Equipment: FactoryTalk View SE
- Vulnerabilities: Improper Input Validation, Improper Restriction of Operations Within The Bounds of a Memory Buffer, Permissions, Privileges, and Access Controls, Exposure of Sensitive Information to an Unauthorized Actor
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow a remote authenticate
GHSA
GHSA-524h-35w7-86xp
Source: ghsa_unreviewed · 2022-05-24
CVE-2020-12028 [MEDIUM] CWE-306
In all versions of FactoryTalk View SE, a remote, authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint, since those handlers do not enforce appropriate permissions. Rockwell Automation recommends enabling the built-in security features found within FactoryTalk View SE. Users should follow the guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPS.
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html
- https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944
- https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05
Published: 2020-07-20