CVE-2023-27927

6.5 MEDIUM

📋 TL;DR

This vulnerability allows authenticated malicious users to retrieve SMTP passwords in cleartext from systems where passwords are masked with asterisks. It affects industrial control systems and SCADA software that use vulnerable password masking implementations. Attackers can then use these credentials for further attacks.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk View SE
Versions: Prior to 12.0.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems where FactoryTalk View SE is configured with SMTP email notifications.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain SMTP credentials, use them to send phishing emails, compromise email infrastructure, or pivot to other systems using the same credentials.

🟠 Likely Case

Internal attackers or compromised accounts steal SMTP credentials for email-based attacks or credential reuse attacks.

🟢 If Mitigated

Limited to authenticated users only, with monitoring detecting unusual SMTP access patterns.

🌐 Internet-Facing: MEDIUM - Only if vulnerable interface is internet-facing and accessible to authenticated users.
🏢 Internal Only: HIGH - Authenticated internal users can exploit this vulnerability to steal credentials.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access to the vulnerable interface where SMTP passwords are displayed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk View SE version 12.0.1

Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1663.html

Restart Required: Yes

Instructions:

1. Download FactoryTalk View SE version 12.0.1 or later from Rockwell Automation.
2. Back up the current configuration.
3. Install the update following vendor instructions.
4. Restart affected systems.

🔧 Temporary Workarounds

Restrict Access to Configuration Interface

Limit access to FactoryTalk View SE configuration interface to only authorized administrators.

Use Windows Group Policy or firewall rules to restrict access to port 8080/TCP (default FactoryTalk View SE port)

Use Alternative Email Configuration

Configure SMTP through external authentication methods that don't store passwords locally.

Configure SMTP to use OAuth2 or integrated Windows authentication instead of stored passwords

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for FactoryTalk View SE configuration interfaces
  • Rotate SMTP passwords and ensure they are not reused elsewhere in the environment

🔍 How to Verify

Check if Vulnerable:

Check the FactoryTalk View SE version in Help > About. If the version is below 12.0.1 and SMTP is configured, the system is vulnerable.

Check Version:

In FactoryTalk View SE, navigate to Help > About to view version information

Verify Fix Applied:

Verify that the version is 12.0.1 or higher in Help > About. Test that the SMTP password field properly masks characters.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful login to FactoryTalk View SE
  • Unusual access to configuration interfaces outside maintenance windows

Network Indicators:

  • Unusual SMTP traffic from industrial control systems
  • Traffic to FactoryTalk View SE port 8080 from unexpected sources

SIEM Query:

source="FactoryTalk" AND (event_type="configuration_access" OR event_type="authentication") AND user!="authorized_admin"
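
The two log indicators above as an added example (not from the vendor advisory or from this page's source): a Python detector that flags repeated failed logins followed by a success, and configuration access by an unexpected user or outside a maintenance window. The events are constructed, and the field names, admin allow-list, threshold and maintenance hours are assumptions modelled on the SIEM query, not a documented FactoryTalk log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_type, user, outcome).
# Field names mirror the SIEM query above; they are assumptions, not a
# documented FactoryTalk log schema.
SAMPLE_EVENTS = [
    ("2024-03-02T01:10:05", "authentication", "jdoe", "failure"),
    ("2024-03-02T01:10:40", "authentication", "jdoe", "failure"),
    ("2024-03-02T01:11:12", "authentication", "jdoe", "failure"),
    ("2024-03-02T01:12:00", "authentication", "jdoe", "success"),
    ("2024-03-02T01:13:30", "configuration_access", "jdoe", "success"),
    ("2024-03-02T09:00:00", "authentication", "msmith", "failure"),
    ("2024-03-02T09:00:30", "authentication", "msmith", "success"),
    ("2024-03-02T10:02:00", "configuration_access", "ft_admin", "success"),
    ("2024-03-02T23:45:00", "configuration_access", "ft_admin", "success"),
]

AUTHORIZED_ADMINS = {"ft_admin"}      # hypothetical allow-list
MAINTENANCE_HOURS = range(8, 18)      # hypothetical window: 08:00-17:59
FAIL_THRESHOLD = 3                    # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)   # how long a failure stays relevant


def detect(events):
    """Return (timestamp, user, reason) alerts for the two log indicators."""
    alerts = []
    failures = {}  # user -> timestamps of recent failed logins
    for ts_raw, event_type, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        if event_type == "authentication":
            # Keep only failures that are still inside the sliding window.
            recent = [t for t in failures.get(user, []) if ts - t <= FAIL_WINDOW]
            if outcome == "failure":
                failures[user] = recent + [ts]
            else:
                if len(recent) >= FAIL_THRESHOLD:
                    alerts.append((ts_raw, user, "failures_then_success"))
                failures[user] = []  # a success resets the counter
        elif event_type == "configuration_access":
            if user not in AUTHORIZED_ADMINS:
                alerts.append((ts_raw, user, "config_access_unexpected_user"))
            elif ts.hour not in MAINTENANCE_HOURS:
                alerts.append((ts_raw, user, "config_access_outside_window"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

Map the tuple fields to whatever the site's log source actually emits before relying on the alerts.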
