cbcvebase.
CVE-2023-2071
published 2023-09-12

CVE-2023-2071: Rockwell Automation FactoryTalk View Machine Edition on the PanelView Plus, improperly verifies user’s input, which allows unauthenticated attacker to achieve…

PriorityP271critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
10.97%
95.3th percentile
Rockwell Automation FactoryTalk View Machine Edition on the PanelView Plus, improperly verifies user’s input, which allows unauthenticated attacker to achieve remote code executed via crafted malicious packets. The device has the functionality, through a CIP class, to execute exported functions from libraries. There is a routine that restricts it to execute specific functions from two dynamic link library files. By using a CIP class, an attacker can upload a self-made library to the device which allows the attacker to bypass the security check and execute any code written in the function.

Affected

2 ranges
VendorProductVersion rangeFixed in
rockwell_automationfa
rockwellautomationfactorytalk_view<= 13.0

Detection & IOCsextracted from sources · hover to see the quote

  • Attacker uses a CIP class to upload a self-made/arbitrary DLL library to the PanelView Plus device, bypassing the allowlist check restricted to two specific DLL files, enabling unauthenticated RCE.
  • Exploitation is delivered via crafted malicious packets over the network (no authentication required, no user interaction), targeting the CIP class functionality that executes exported functions from DLL libraries on FactoryTalk View ME / PanelView Plus.
  • The vulnerable execution path involves a CIP class that calls exported functions from dynamic link library files; monitor for unexpected DLL uploads or CIP class interactions on PanelView Plus devices.
  • Rockwell Automation has published detection rules for this CVE; consult Rockwell Automation's Security Advisory for vendor-supplied detection content.
  • ·No known public exploitation specifically targeting this vulnerability had been reported to CISA at time of advisory publication (September 21, 2023).
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.