cbcvebase.
CVE-2022-1161
published 2022-04-11


Priority P260, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.01% (91.2th percentile)
An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5000 Logix Designer writes user-readable program code to a location separate from the executed compiled code, allowing an attacker to change one and not the other.

Affected

18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | 1768_compactlogix_controllers | | |
| rockwell_automation | 1769_compactlogix_controllers | | |
| rockwell_automation | compact_guardlogix_5370_controllers | | |
| rockwell_automation | compact_guardlogix_5380_controllers | | |
| rockwell_automation | compactlogix_5370_controllers | | |
| rockwell_automation | compactlogix_5380_controllers | | |
| rockwell_automation | compactlogix_5480_controllers | | |
| rockwell_automation | controllogix_5550_controllers | | |
| rockwell_automation | controllogix_5560_controllers | | |
| rockwell_automation | controllogix_5570_controllers | | |
| rockwell_automation | controllogix_5580_controllers | | |
| rockwell_automation | drivelogix_5730_controllers | | |
| rockwell_automation | flexlogix_1794-l34_controllers | | |
| rockwell_automation | guardlogix_5560_controllers | | |
| rockwell_automation | guardlogix_5570_controllers | | |
| rockwell_automation | guardlogix_5580_controllers | | |
| rockwell_automation | softlogix_5800_controllers | | |
| rockwellautomation | factorytalk_policy_manager | | |

Detection & IOCs (extracted from sources)

  • Studio 5000 Logix Designer writes user-readable program code to a location separate from the executed compiled code — monitor for discrepancies between the human-readable program and the compiled/executed code on the controller, which is the core indicator of exploitation.
  • Monitor the controller change log for unexpected modifications or anomalous activity as a detection mechanism for unauthorized program changes.
  • Use FactoryTalk AssetCenter software to detect unauthorized changes to controller programs.
  • No known public exploits specifically target this vulnerability at time of advisory publication.
  • The vulnerability has a CVSS v3 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), meaning it is exploitable remotely with no authentication or user interaction required.
  • Exploitation requires an attacker to already have the ability to modify a user program on the affected controller — network access to the controller is the prerequisite.

CVSS provenance

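| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | | 7.8 | HIGH | |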