CVE-2020-12029
Published: 2020-07-20


Priority: P2 (65)
Severity: high, CVSS 3.1 base score 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 44.98% (98.6th percentile)
All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 – Patch Roll-up for CPR9 SRx.

Affected

1 range
Vendor: rockwell_automation
Product: factorytalk_view_se
Version range: all versions (per the advisory text)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

Source: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/scada/rockwell_factorytalk_rce.rb
  • The exploit chains five vulnerabilities: unauthenticated project copy request, directory traversal, race condition, and two information leak vulnerabilities — monitor for unauthenticated project copy requests to FactoryTalk View SE endpoints.
  • The exploit achieves code execution as the IIS user — monitor for anomalous process spawning from IIS worker processes (w3wp.exe) on FactoryTalk View SE hosts.
  • The vulnerability involves improper validation of filenames within a project directory — monitor for directory traversal sequences (e.g., '../') in filenames submitted to FactoryTalk View SE project directory handlers.
  • CVE-2020-12027 (information disclosure) exposes hostnames and file paths — monitor for unauthenticated or low-privilege requests to handlers that return system path or hostname data, which may indicate pre-exploitation reconnaissance chained with CVE-2020-12029.
  • CVE-2020-12028 involves handlers that do not enforce appropriate permissions — monitor for remote authenticated access to privileged data handlers on FactoryTalk View SE without proper authorization checks.
  • Patch 1126289 for CVE-2020-12029 requires the patch rollup dated 06 Apr 2020 or later (1066644 – Patch Roll-up for CPR9 SRx) to be installed first — applying the patch without the prerequisite rollup may leave the system vulnerable.
  • All versions of FactoryTalk View SE are affected — there is no unaffected version to fall back to without patching.
  • For CVE-2020-12028 and CVE-2020-12027, Rockwell recommends enabling IPSec and/or HTTPS per knowledge base articles 109056 and 1126943 as mitigations — these are network-level controls, not code fixes.

CVSS provenance

NVD, CVSS v3.1: 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P