CVE-2021-27460

10.0 CRITICAL

📋 TL;DR

CVE-2021-27460 is a critical deserialization vulnerability in the .NET remoting endpoints of Rockwell Automation FactoryTalk AssetCentre that lets a remote, unauthenticated attacker execute arbitrary code on the server. Because the server drives the agent machines, that is effectively full control of the server and every connected agent. All deployments of v10.00 and earlier are affected.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk AssetCentre
Versions: v10.00 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Every server component that exposes a .NET remoting endpoint is in scope. Agent machines run under the server's control, so a compromised server reaches them as well; update them in the same maintenance window.

📦 What is this software?

FactoryTalk AssetCentre is Rockwell Automation's centralized asset-management server for plant automation: it archives and version-controls controller and HMI project files, runs scheduled backup and compare jobs against devices through agent machines, and records who changed what for audit. It is therefore a Windows server with network reach into the controllers themselves, which is what makes a server-side RCE so damaging.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of industrial control systems, allowing attackers to disrupt operations, steal sensitive data, manipulate industrial processes, and potentially cause physical damage or safety incidents.

🟠

Likely Case

Remote code execution leading to ransomware deployment, data exfiltration, lateral movement through industrial networks, and persistent backdoor installation.

🟢

If Mitigated

Limited impact if network segmentation isolates vulnerable systems, but still significant risk due to unauthenticated remote exploitation.

🌐 Internet-Facing: HIGH - Directly exploitable from internet if exposed, with CVSS 10.0 indicating maximum severity.
🏢 Internal Only: HIGH - Even internally, any network-accessible instance can be exploited by attackers who gain internal access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Deserialization of untrusted data in .NET remoting, whose channels deserialize request objects with BinaryFormatter by default, is a well-understood bug class: gadget chains from public generators such as ysoserial.net drop straight into the serialized object the endpoint accepts, so the attacker needs no foothold, credentials or user interaction. The CVSS 10.0 reflects that vector (network, low complexity, no privileges, no interaction, changed scope); it is a statement about exploitability once the endpoint is reachable, not about how hard the bug was to find.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk AssetCentre v10.01 and later

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1130831

Restart Required: Yes

Instructions:

1. Download FactoryTalk AssetCentre v10.01 or later from the Rockwell Automation support portal.
2. Back up the current configuration and the AssetCentre database before you start.
3. Install the update following the vendor documentation, on the server and on every agent machine.
4. Restart all FactoryTalk AssetCentre services and servers, then re-check the installed version.

🔧 Temporary Workarounds

Network Segmentation and Firewall Rules

windows

Restrict inbound access to the FactoryTalk AssetCentre server to the subnets that actually host its clients and agent machines. The ports in the rule as originally published here (135, 139, 445, 3389, 49152-65535) are generic Windows RPC, SMB, RDP and ephemeral-port ranges, not the AssetCentre remoting listener, and blocking them from remoteip=any also cuts off every legitimate client, agent and administrator (in Windows Firewall a block rule always wins over an allow rule, so a later allow cannot rescue it). Because the endpoint is unauthenticated, the control that matters is source restriction: deny inbound by default and allow only the trusted subnet to reach the listener. The listener port is whatever the server's remoting endpoint binds to; this page does not document it, so read it off netstat -ano on the server and fill in the placeholders below.

netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="FactoryTalk AssetCentre - trusted clients only" dir=in action=allow protocol=TCP localport=<AssetCentre listener port> remoteip=<engineering/agent subnet CIDR>

Add equivalent allow rules for any management access you still need (RDP, backup agents), then confirm from a host outside the allowed subnet that the listener no longer answers before relying on this.

Disable .NET Remoting Endpoints

windows

Only pursue this if Rockwell support confirms the endpoint is not needed in your deployment: the server talks to its clients and agent machines over these same remoting channels, so removing endpoints blindly breaks the product rather than hardening it.

This page gives no concrete configuration steps for disabling or authenticating the remoting endpoints; treat the firewall restriction above and the v10.01 update as the real controls, and make any endpoint change only under vendor guidance.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate FactoryTalk AssetCentre servers from other systems and the internet
  • Deploy application control solutions to prevent unauthorized code execution and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the FactoryTalk AssetCentre version in Control Panel > Programs and Features on the server and on each agent machine. Versions 10.00 and earlier are vulnerable; 10.01 is the first fixed release.

Check Version:

wmic product where "name like '%FactoryTalk AssetCentre%'" get name,version

The original exact-name match returns nothing if the registered product name carries a suffix, hence the like pattern. Note that wmic product enumerates every MSI package and triggers an MSI consistency check on each one, so it is slow, and WMIC is deprecated in current Windows builds; reading DisplayVersion from the Uninstall registry keys is the faster equivalent.

Verify Fix Applied:

Verify that the installed version is 10.01 or later on the server and every agent. If you applied the firewall workaround, also confirm from a host outside the allowed subnet that the remoting listener is unreachable.
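The version check as a small script rather than a one-off wmic call, added here as an example (it is not code from the page or from Rockwell): it parses the version strings Programs and Features shows, decides whether a build is inside the affected range (10.00 and earlier) or carries the fix (10.01 and later), and on Windows reads the installed entries from the Uninstall registry keys. The registry lookup assumes the product registers under the standard Uninstall keys with a DisplayName containing "FactoryTalk AssetCentre", which the page does not state.

```python
"""Added example: classify FactoryTalk AssetCentre builds against CVE-2021-27460.
Affected: v10.00 and earlier. Fixed: v10.01 and later.
Not vendor code; the Uninstall-key lookup is an assumption about how the
product registers itself."""
import re
import sys

FIXED_VERSION = (10, 1)  # first fixed release, as major.minor


def parse_version(text):
    """Turn '10.00', '10.01.00' or 'v9.00 (CPR 9 SR 11)' into (major, minor).
    Only the leading dotted-numeric run is used; a missing minor pads with 0."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return (parts + (0, 0))[:2]


def is_vulnerable(version_text):
    """True for 10.00 and earlier, False for 10.01 and later."""
    return parse_version(version_text) < FIXED_VERSION


def installed_versions():
    """(DisplayName, DisplayVersion) for AssetCentre entries in both the 64-bit
    and WOW6432Node Uninstall keys. Returns [] on non-Windows hosts."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, hence the late import
    roots = [
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    ]
    found = []
    for root in roots:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                try:
                    with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                        name = winreg.QueryValueEx(sub, "DisplayName")[0]
                        ver = winreg.QueryValueEx(sub, "DisplayVersion")[0]
                except OSError:
                    continue  # entry without the values we need
                if "FactoryTalk AssetCentre" in name:
                    found.append((name, ver))
    return found


if __name__ == "__main__":
    entries = installed_versions()
    if not entries:
        print("no FactoryTalk AssetCentre entry found (or not running on Windows)")
    for name, ver in entries:
        state = "VULNERABLE" if is_vulnerable(ver) else "fixed"
        print(f"{name} {ver}: {state}")
```

Run it on the server and on each agent machine; a host that prints nothing still needs a manual look in Programs and Features, since the name match is an assumption.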

📡 Detection & Monitoring

Log Indicators:

  • Security event 4688 (or Sysmon event 1) showing a FactoryTalk AssetCentre service process spawning cmd.exe, powershell.exe, rundll32.exe, mshta.exe or any binary outside its own install directory; enable "Audit Process Creation" with command-line logging, because Windows does not log .NET remoting calls by itself
  • New services, scheduled tasks or local accounts created on the server shortly after an inbound connection to the remoting listener
  • Do not expect 4625 failed-logon events before exploitation: the endpoint is unauthenticated, so their absence means nothing

Network Indicators:

  • Inbound TCP connections to the AssetCentre server's remoting listener from hosts that are not known clients or agent machines, especially from outside the engineering subnet
  • .NET remoting TCP-channel traffic from unexpected sources: the channel preamble is the ASCII bytes ".NET", and the BinaryFormatter payload it carries begins with the serialization header 00 01 00 00 00 FF FF FF FF 01 00 00 00 00 00 00 00; gadget-chain payloads also expose type names such as System.Diagnostics.Process, ObjectDataProvider or DelegateSerializationHolder as plain strings

SIEM Query:

source="WinEventLog:Security" EventCode=4688 (ParentProcessName="*FactoryTalk*" OR ParentProcessName="*AssetCentre*") (NewProcessName="*\\cmd.exe" OR NewProcessName="*\\powershell.exe" OR NewProcessName="*\\pwsh.exe" OR NewProcessName="*\\mshta.exe" OR NewProcessName="*\\rundll32.exe" OR NewProcessName="*\\certutil.exe")

The query as originally published here paired 4688 and 4625 with a dest_port field, which neither event carries; port-based filtering belongs in firewall or NetFlow data (connections to the AssetCentre listener from outside the allowed subnet). The parent-name wildcards are an assumption, since this page does not list the service executables; tighten them to the actual process names on your server.
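The same process-tree logic as a runnable detector, added here as an example (not code from the page or from Rockwell): it scans parsed Security 4688 events for a FactoryTalk AssetCentre service process spawning a LOLBin or any binary outside its install directory, which is the footprint a remoting-deserialization gadget leaves once it runs. The parent match on the substrings "FactoryTalk" / "AssetCentre", the install path and the executable names in the sample events are assumptions, and the events themselves are constructed, not real telemetry.

```python
"""Added example: flag post-exploitation process trees under FactoryTalk
AssetCentre service processes in Security event 4688 data.
Not vendor code; parent-name pattern, install path and exe names assumed."""
import re

# Binaries a .NET application server has no business launching (assumed list).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "certutil.exe", "wscript.exe", "cscript.exe",
    "bitsadmin.exe", "msiexec.exe",
}
PARENT_PATTERN = re.compile(r"FactoryTalk|AssetCentre", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_event(ev):
    """Return a reason string if a 4688 event looks like post-exploitation, else None."""
    if ev.get("EventID") != 4688:
        return None  # 4625 and friends carry no process-tree data
    parent = ev.get("ParentProcessName", "")
    child = ev.get("NewProcessName", "")
    if not PARENT_PATTERN.search(basename(parent)):
        return None  # not an AssetCentre service process
    if basename(child) in SUSPICIOUS_CHILDREN:
        return (f"{basename(parent)} spawned {basename(child)}: "
                f"{ev.get('CommandLine', '')}")
    # Children outside the service's own install directory are worth a look too.
    parent_dir = parent.lower().rsplit("\\", 1)[0]
    if not child.lower().startswith(parent_dir + "\\"):
        return f"{basename(parent)} spawned out-of-tree binary {child}"
    return None


def scan(events):
    """Run flag_event over parsed events; returns (TimeCreated, reason) pairs."""
    hits = []
    for ev in events:
        reason = flag_event(ev)
        if reason:
            hits.append((ev["TimeCreated"], reason))
    return hits


# Constructed sample events (not real telemetry); path and exe names are assumed.
FT_DIR = r"C:\Program Files (x86)\Rockwell Software\FactoryTalk AssetCentre Server"
SAMPLE_EVENTS = [
    {"TimeCreated": "2021-03-25T10:01:02Z", "EventID": 4688,
     "ParentProcessName": FT_DIR + r"\AssetCentreServer.exe",
     "NewProcessName": FT_DIR + r"\AssetCentreWorker.exe",
     "CommandLine": "AssetCentreWorker.exe -job 42"},  # benign: in-tree child
    {"TimeCreated": "2021-03-25T10:05:17Z", "EventID": 4688,
     "ParentProcessName": FT_DIR + r"\AssetCentreServer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"},  # gadget ran
    {"TimeCreated": "2021-03-25T10:05:19Z", "EventID": 4688,
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},  # operator shell, wrong parent, ignored
    {"TimeCreated": "2021-03-25T10:06:40Z", "EventID": 4688,
     "ParentProcessName": FT_DIR + r"\AssetCentreServer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},  # gadget ran
    {"TimeCreated": "2021-03-25T10:07:00Z", "EventID": 4625,
     "ParentProcessName": "", "NewProcessName": "", "CommandLine": ""},  # skipped
]

if __name__ == "__main__":
    for when, why in scan(SAMPLE_EVENTS):
        print(when, why)
```

Feed it the 4688 events exported from the server (or the equivalent Sysmon event 1 fields) and tune PARENT_PATTERN to the real service executables; the in-tree exemption keeps the server's own helper processes from paging anyone.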

🔗 References
