CVE-2021-43935
📋 TL;DR
This vulnerability allows attackers to bypass authentication in affected products configured for Single Sign-On (SSO). By manually entering any Active Directory account provisioned in the application without providing a password, attackers gain full access with that account's privileges. Organizations using these products with SSO enabled are affected.
💻 Affected Systems
- Rockwell Automation FactoryTalk View SE
📦 What is this software?
Welch Allyn Diagnostic Cardiology Suite by Baxter
Welch Allyn Hscribe Holter Analysis System Firmware by Baxter
Welch Allyn Q Stress Cardiac Stress Testing System Firmware by Baxter
Welch Allyn Rscribe Resting Ecg System by Baxter
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the application by any attacker who can reach it, leading to data theft, system takeover, and lateral movement within the network.
Likely Case
Unauthorized access to sensitive application data and functionality by internal or external attackers who discover the vulnerability.
If Mitigated
Limited impact if SSO is disabled or proper network segmentation prevents access to vulnerable systems.
🎯 Exploit Status
Exploitation requires no special tools or knowledge - just manual entry of AD account names in the application interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FactoryTalk View SE v11.0
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1657.html
Restart Required: Yes
Instructions:
1. Download FactoryTalk View SE v11.0 from Rockwell Automation.
2. Backup current configuration.
3. Install the update following vendor documentation.
4. Restart the system.
🔧 Temporary Workarounds
Disable SSO Authentication
Platform: windows
Switch to alternative authentication methods until patching is possible
Configure application to use local authentication or other non-SSO methods per vendor documentation
Network Segmentation
Platform: all
Restrict access to vulnerable systems to only trusted networks
Configure firewall rules to limit access to FactoryTalk View SE systems
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the vulnerable systems
- Monitor authentication logs for unusual AD account usage patterns
🔍 How to Verify
Check if Vulnerable:
Check if FactoryTalk View SE is configured for SSO authentication and version is below v11.0
Check Version:
Check version in FactoryTalk View SE application interface or installation directory
Verify Fix Applied:
Confirm version is v11.0 or later and test that SSO authentication now requires proper credentials
📡 Detection & Monitoring
Log Indicators:
- Authentication logs showing successful logins without password verification
- Multiple failed authentication attempts followed by successful SSO login
Network Indicators:
- Unusual authentication traffic patterns to FactoryTalk View SE systems
SIEM Query:
source="FactoryTalk" AND event_type="authentication" AND result="success" AND auth_method="SSO" AND NOT password_required="true"
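The two log indicators above can also be checked offline against exported authentication events. The following is an added example, not code from this page or from the vendor: the field names event_type, result, auth_method and password_required are taken from the SIEM query, while the "ts" and "user" fields, the thresholds and all sample values are assumptions, and a real product log may use a different schema.

```python
from datetime import datetime, timedelta

def ev(ts, user, result, **extra):
    """Build one constructed authentication event."""
    return {"ts": ts, "user": user, "event_type": "authentication",
            "result": result, **extra}

# Constructed sample data. Field names event_type, result, auth_method and
# password_required follow the SIEM query; "ts" and "user" are assumptions.
SAMPLE_EVENTS = [
    ev("2022-01-10T07:00:00", "bob", "failure", auth_method="SSO"),
    ev("2022-01-10T08:00:00", "alice", "success", auth_method="SSO", password_required="true"),
    ev("2022-01-10T09:00:00", "svc_hist", "failure", auth_method="SSO"),
    ev("2022-01-10T09:00:20", "SVC_HIST", "failure", auth_method="SSO"),
    ev("2022-01-10T09:00:40", "svc_hist", "failure", auth_method="SSO"),
    ev("2022-01-10T09:01:00", "svc_hist", "success", auth_method="SSO"),
    ev("2022-01-10T10:00:00", "bob", "success", auth_method="SSO", password_required="true"),
    ev("2022-01-10T11:00:00", "carol", "success", auth_method="SSO", password_required="false"),
]

def find_suspicious(events, window=timedelta(minutes=10), min_failures=3):
    """Return (user, timestamp, reason) tuples for the two log indicators."""
    findings = []
    failures = {}  # account name (lower-cased) -> timestamps of recent failures
    for e in sorted(events, key=lambda x: datetime.fromisoformat(x["ts"])):
        if e.get("event_type") != "authentication":
            continue
        ts = datetime.fromisoformat(e["ts"])
        user = e.get("user", "").lower()  # AD account names are case-insensitive
        if e.get("result") == "failure":
            failures.setdefault(user, []).append(ts)
            continue
        if e.get("result") != "success" or e.get("auth_method") != "SSO":
            continue
        # Indicator 1: SSO success with no record of password verification.
        if e.get("password_required") != "true":
            findings.append((user, e["ts"], "sso_success_without_password"))
        # Indicator 2: a burst of failures shortly before the SSO success.
        burst = [t for t in failures.pop(user, []) if ts - t <= window]
        if len(burst) >= min_failures:
            findings.append((user, e["ts"], "failures_then_sso_success"))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```

Tune `window` and `min_failures` to the site's normal login behaviour before alerting on the second indicator.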