CVE-2024-45824
📋 TL;DR
CVE-2024-45824 is a critical remote code execution vulnerability affecting Rockwell Automation products. Attackers can chain path traversal, command injection, and XSS vulnerabilities to execute arbitrary code without authentication. Organizations using affected Rockwell Automation industrial control systems are at risk.
💻 Affected Systems
- Rockwell Automation FactoryTalk View Site Edition
- Rockwell Automation FactoryTalk Linx
📦 What is this software?
FactoryTalk View by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems leading to operational disruption, safety hazards, data theft, or physical damage to equipment.
Likely Case
Unauthenticated attackers gaining full system control to install malware, exfiltrate sensitive data, or disrupt industrial processes.
If Mitigated
Limited impact with proper network segmentation, access controls, and monitoring preventing exploitation attempts.
🎯 Exploit Status
Exploitation requires chaining multiple vulnerabilities, as documented in the advisory. No public exploit code is available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FactoryTalk View Site Edition 12.0.1, FactoryTalk Linx 6.30.00
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1696.html
Restart Required: Yes
Instructions:
1. Download patches from Rockwell Automation Security Advisory SD1696.
2. Apply FactoryTalk View Site Edition 12.0.1 update.
3. Apply FactoryTalk Linx 6.30.00 update.
4. Restart affected systems.
5. Verify patch installation.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected systems from untrusted networks including internet access
Access Control Restrictions
Implement strict firewall rules to limit access to only authorized IP addresses
🧯 If You Can't Patch
- Implement network segmentation to isolate affected systems in dedicated VLANs
- Deploy application whitelisting to prevent execution of unauthorized code
🔍 How to Verify
Check if Vulnerable:
Check installed versions of FactoryTalk View Site Edition and FactoryTalk Linx against vulnerable versions listed in advisory
Check Version:
Check version information in FactoryTalk View and FactoryTalk Linx application interfaces or installation directories
Verify Fix Applied:
Verify installed versions are FactoryTalk View Site Edition 12.0.1 or later and FactoryTalk Linx 6.30.00 or later
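The version check above can be run across a fleet from an asset-inventory export. The following is an added example, not vendor tooling: the CSV columns (`host`, `product`, `version`) and the sample rows are assumptions constructed for illustration, while the fixed versions are the ones stated on this page.

```python
import csv
import io

# Fixed versions as stated on this page (advisory SD1696).
FIXED = {
    "FactoryTalk View Site Edition": "12.0.1",
    "FactoryTalk Linx": "6.30.00",
}

def parse_version(text):
    """Turn '6.30.00' into (6, 30, 0); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(product, installed):
    """True if installed >= fixed version, compared component by component."""
    fixed = parse_version(FIXED[product])
    have = parse_version(installed)
    width = max(len(fixed), len(have))
    pad = lambda v: v + (0,) * (width - len(v))  # so '6.30' equals '6.30.00'
    return pad(have) >= pad(fixed)

def audit(inventory_csv):
    """Return a list of (host, product, version, status) tuples."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product, version = row["product"].strip(), row["version"]
        if product not in FIXED:
            continue  # not a product covered on this page
        try:
            status = "patched" if is_patched(product, version) else "NEEDS PATCH"
        except ValueError:
            status = "UNKNOWN VERSION"  # do not assume patched; review manually
        results.append((row["host"], product, version.strip(), status))
    return results

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """host,product,version
hmi-01,FactoryTalk View Site Edition,12.0
hmi-02,FactoryTalk View Site Edition,12.0.1
eng-01,FactoryTalk Linx,6.30
eng-02,FactoryTalk Linx,6.20.00
eng-03,FactoryTalk Linx,unknown
"""

if __name__ == "__main__":
    for host, product, version, status in audit(SAMPLE):
        print(f"{host:8} {product:32} {version:10} {status}")
```

Rows whose version cannot be parsed are reported as `UNKNOWN VERSION` rather than treated as patched, so they are checked by hand.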
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation events
- Unauthorized access attempts to FactoryTalk services
- Suspicious command execution patterns
Network Indicators:
- Unexpected connections to FactoryTalk ports (typically 445, 135, 102)
- Traffic patterns indicating exploitation attempts
SIEM Query:
source="FactoryTalk" AND (event_type="process_creation" OR event_type="access_denied")