CVE-2024-10945
📋 TL;DR
This local privilege escalation vulnerability allows attackers with low-privileged local access to replace files during software updates, gaining elevated privileges. It affects Rockwell Automation products due to insufficient security checks before installation. Organizations using affected Rockwell Automation software are at risk.
💻 Affected Systems
- Rockwell Automation FactoryTalk System Services
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full administrative/root control of the system, enabling complete compromise, data theft, lateral movement, and persistence.
Likely Case
Local user escalates privileges to install malware, modify system configurations, or access restricted data.
If Mitigated
Attack is prevented through proper access controls, patch management, and monitoring.
🎯 Exploit Status
Exploitation requires local access and knowledge of file replacement during updates; no public exploit code known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 6.11.1 or later
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1710.html
Restart Required: Yes
Instructions:
1. Download FactoryTalk System Services version 6.11.1 or later from Rockwell Automation. 2. Backup system configurations. 3. Install the update following vendor instructions. 4. Restart the system as required.
🔧 Temporary Workarounds
Restrict Local Access
allLimit local user accounts and implement least privilege to reduce attack surface.
Monitor File Changes
windowsUse file integrity monitoring to detect unauthorized file modifications in update directories.
🧯 If You Can't Patch
- Implement strict access controls to limit local user privileges.
- Monitor for suspicious file modification activities in update-related directories.
🔍 How to Verify
Check if Vulnerable:
Check FactoryTalk System Services version; if below 6.11.1, system is vulnerable.Check Version:
Check version in Control Panel > Programs and Features or via vendor documentation.Verify Fix Applied:
Verify FactoryTalk System Services version is 6.11.1 or higher after patching.📡 Detection & Monitoring
Log Indicators:
- Unauthorized file modifications in update directories
- Privilege escalation attempts in system logs
Network Indicators:
- None - this is a local attack
SIEM Query:
Search for events related to file creation/modification in FactoryTalk update paths by non-admin users.