CVE-2024-4609

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in the Datalog function of Rockwell Automation FactoryTalk View SE allows attackers to execute malicious SQL statements if database authentication is missing or credentials are compromised. Exploitation could lead to data exposure, modification, or deletion in remote databases. It affects only HMI design-time environments, not runtime operations.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk View SE
Versions: All versions prior to v12.00.02
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SQL database connection without authentication or with stolen credentials. Only affects design time, not runtime.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of SQL database with data theft, modification, or deletion, potentially affecting operational integrity if sensitive configuration data is altered.

🟠 Likely Case

Information disclosure of sensitive HMI configuration data and potential data manipulation in poorly secured environments.

🟢 If Mitigated

Minimal impact with proper database authentication and network segmentation in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires either no database authentication or compromised credentials. SQL injection is a well-understood attack vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v12.00.02

Vendor Advisory: https://www.rockwellautomation.com/en-us/support/advisory.SD1670.html

Restart Required: Yes

Instructions:

1. Download FactoryTalk View SE v12.00.02 from Rockwell Automation support portal.
2. Backup current configuration.
3. Install the update following vendor documentation.
4. Restart affected systems.

🔧 Temporary Workarounds

Implement SQL Database Authentication

Configure strong authentication for all SQL databases used by FactoryTalk View SE

Network Segmentation

Isolate FactoryTalk View SE systems from untrusted networks and implement firewall rules

🧯 If You Can't Patch

  • Implement strict database authentication with strong credentials
  • Segment network to restrict access to FactoryTalk View SE systems and databases

🔍 How to Verify

Check if Vulnerable:

Check FactoryTalk View SE version in software properties. Versions below v12.00.02 are vulnerable.

Check Version:

Check via Windows Programs and Features or FactoryTalk View SE About dialog

Verify Fix Applied:

Verify version is v12.00.02 or higher in software properties and test SQL database connections with authentication.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Failed authentication attempts to SQL databases
  • Unexpected database modifications

Network Indicators:

  • SQL traffic from unexpected sources to FactoryTalk View SE systems
  • Unusual database connection patterns

SIEM Query:

source="database_logs" AND ("sql injection" OR "malicious query" OR "unauthorized access") AND dest="factorytalk_sql_server"
