cbcvebase.
CVE-2020-6967
published 2020-03-23

CVE-2020-6967: In Rockwell Automation all versions of FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Services Platform, FactoryTalk Diagnostics exposes a…

PriorityP260critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
5.36%
91.6th percentile
In Rockwell Automation all versions of FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Services Platform, FactoryTalk Diagnostics exposes a .NET Remoting endpoint via RNADiagnosticsSrv.exe at TCPtcp/8082, which can insecurely deserialize untrusted data.

Detection & IOCsextracted from sources · hover to see the quote

processRNADiagnosticsSrv.exe
porttcp/8082
  • Monitor for inbound TCP connections to port 8082 on hosts running RNADiagnosticsSrv.exe; unexpected remote connections (non-localhost) to this port indicate exploitation attempts of the insecure .NET Remoting deserialization endpoint.
  • Alert on RNADiagnosticsSrv.exe spawning unexpected child processes, which would indicate successful deserialization-based remote code execution resulting in SYSTEM-level process creation.
  • ·Patched versions restrict the .NET Remoting endpoint to localhost only; if tcp/8082 is still accessible remotely after patching, the mitigation has not been correctly applied.
  • ·Patch BF24822 is the specific fix for versions 2.74, 2.80, 2.81, 2.90, 3.00, 6.10, and 6.11; absence of this patch on those versions leaves tcp/8082 remotely exploitable.
  • ·For FactoryTalk Services Platform 6.31, enabling WCF avoids the vulnerable .NET Remoting code path entirely; if .NET Remoting remains the active transport, the system is still at risk even on 6.31.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.