CVE-2020-14481 – CVE-2020-14481 is a vulnerability in Rockwell A... (How to Fix)

Q: What is the severity of CVE-2020-14481?

CVE-2020-14481 has a CVSS score of 7.8 (HIGH). CVE-2020-14481 is a vulnerability in Rockwell Automation's FactoryTalk View SE DeskLock tool that uses weak encryption for stored credentials. This allows authenticated local attackers to decrypt Windows user and DeskLock passwords, potentially leading to privilege escalation. Organizations using FactoryTalk View SE with DeskLock are affected.

📋 TL;DR

CVE-2020-14481 is a vulnerability in Rockwell Automation's FactoryTalk View SE DeskLock tool that uses weak encryption for stored credentials. This allows authenticated local attackers to decrypt Windows user and DeskLock passwords, potentially leading to privilege escalation. Organizations using FactoryTalk View SE with DeskLock are affected.

💻 Affected Systems

Products:

FactoryTalk View SE

Versions: All versions prior to v11.0.1

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems using the DeskLock tool component of FactoryTalk View SE.

📦 What is this software?

Factorytalk View by Rockwellautomation

View all CVEs affecting Factorytalk View →

Factorytalk View by Rockwellautomation

View all CVEs affecting Factorytalk View →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains administrative access to the operating system and FactoryTalk View SE components, enabling complete system compromise, data theft, and potential disruption of industrial operations.

🟠

Likely Case

Local authenticated users decrypt credentials of other users, gaining unauthorized access to systems and potentially escalating privileges within the FactoryTalk View SE environment.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to credential exposure without successful privilege escalation or lateral movement.

🌐 Internet-Facing: LOW - This requires local authenticated access, making internet-facing exploitation unlikely unless combined with other vulnerabilities.

🏢 Internal Only: HIGH - This is an internal threat where authenticated users can exploit weak encryption to gain elevated privileges within the industrial control system environment.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires local authenticated access and knowledge of the weak encryption algorithm used by DeskLock.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk View SE v11.0.1 and later

Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1657.html

Restart Required: Yes

Instructions:

1. Download FactoryTalk View SE v11.0.1 or later from Rockwell Automation. 2. Backup current configuration. 3. Install the update following vendor documentation. 4. Restart affected systems. 5. Verify installation and functionality.

🔧 Temporary Workarounds

Disable DeskLock Tool

windows

Remove or disable the DeskLock tool if not required for operations

Consult Rockwell Automation documentation for DeskLock removal procedures

Implement Least Privilege

windows

Restrict local administrative privileges to minimize impact if credentials are compromised

Use Windows Group Policy to enforce least privilege access controls

🧯 If You Can't Patch

Implement strict access controls and monitoring for local authenticated users
Regularly rotate Windows and DeskLock passwords to limit exposure window

🔍 How to Verify

Check if Vulnerable:

Check FactoryTalk View SE version. If using DeskLock and version is below v11.0.1, the system is vulnerable.

Check Version:

Check FactoryTalk View SE About dialog or consult Rockwell Automation documentation for version verification

Verify Fix Applied:

Verify FactoryTalk View SE version is v11.0.1 or later and confirm DeskLock encryption has been updated.

📡 Detection & Monitoring

Log Indicators:

Unusual local authentication attempts
Multiple failed DeskLock password attempts
Unexpected privilege escalation events

Network Indicators:

Unusual local network traffic from FactoryTalk systems
Unexpected remote access to FactoryTalk components

SIEM Query:

source="FactoryTalk" AND (event_type="authentication_failure" OR event_type="privilege_escalation")

📊 Metadata

CVE ID: CVE-2020-14481

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-261

Published: February 24, 2022

Last Updated: April 17, 2025

🔗 References

https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-03 Mitigation,Third Party Advisory,US Government Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-03 Mitigation,Third Party Advisory,US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-14481, you might also want to check these: