CVE-2023-2071
Published 2023-09-12
Priority: P271 | Severity: critical | CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.97% (95.3th percentile)
Rockwell Automation FactoryTalk View Machine Edition on the PanelView Plus improperly verifies user input, which allows an unauthenticated attacker to achieve remote code execution via crafted malicious packets. The device has the functionality, through a CIP class, to execute exported functions from libraries. A routine restricts this to executing specific functions from two dynamic link library files. By using a CIP class, an attacker can upload a self-made library to the device, which allows the attacker to bypass the security check and execute any code written in the function.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | fa | — | — |
| rockwellautomation | factorytalk_view | <= 13.0 | — |
Detection & IOCs (extracted from sources)
- Attacker uses a CIP class to upload a self-made/arbitrary DLL library to the PanelView Plus device, bypassing the allowlist check restricted to two specific DLL files, enabling unauthenticated RCE.
- Exploitation is delivered via crafted malicious packets over the network (no authentication required, no user interaction), targeting the CIP class functionality that executes exported functions from DLL libraries on FactoryTalk View ME / PanelView Plus.
- The vulnerable execution path involves a CIP class that calls exported functions from dynamic link library files; monitor for unexpected DLL uploads or CIP class interactions on PanelView Plus devices.
- Rockwell Automation has published detection rules for this CVE; consult Rockwell Automation's Security Advisory for vendor-supplied detection content.
- No known public exploitation specifically targeting this vulnerability had been reported to CISA at time of advisory publication (September 21, 2023).
GHSA
GHSA-5cg3-92mh-qgvc: Rockwell Automation FactoryTalk View Machine Edition on the PanelView Plus, improperly verifies user’s input, which allows unauthenticated attacker to
ghsa_unreviewed·2023-09-12
CVE-2023-2071 [CRITICAL] CWE-20 GHSA-5cg3-92mh-qgvc: Rockwell Automation FactoryTalk View Machine Edition on the PanelView Plus, improperly verifies user’s input, which allows unauthenticated attacker to
CISA ICS
Rockwell Automation FactoryTalk View Machine Edition
cisa_ics·2023-09-21·CVSS 9.8
[CRITICAL] Rockwell Automation FactoryTalk View Machine Edition
ICS Advisory
## Rockwell Automation FactoryTalk View Machine Edition
Release Date: September 21, 2023
Alert Code: ICSA-23-264-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Rockwell Automation
- Equipment: FactoryTalk View Machine Edition
- Vulnerability: Improper Input Validation
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute code remotely with specially crafted malicious packets or by using a self-made library to bypass security checks.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following Rockwell Automation products are affected:
- FactoryTalk View Machine Edition: v13.0
- FactoryTalk View Machine Edition: v12.0 and
No detection rules found.
No public exploits indexed.