CVE-2024-7847
📋 TL;DR
This vulnerability allows attackers to embed malicious VBA scripts in Rockwell Automation project files (RSP/RSS). When a legitimate user opens an infected file, the script executes automatically without user interaction, potentially leading to remote code execution. Organizations using affected Rockwell Automation products are at risk.
💻 Affected Systems
- Rockwell Automation FactoryTalk View Studio
- Rockwell Automation RSLogix 5000
- Rockwell Automation Studio 5000 Logix Designer
📦 What is this software?
RSLogix 5 by Rockwell Automation
RSLogix 500 by Rockwell Automation
RSLogix Micro Developer by Rockwell Automation
RSLogix Micro Starter Lite by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems, unauthorized remote code execution on engineering workstations, potential impact on connected physical devices and processes.
Likely Case
Compromise of engineering workstations through social engineering, leading to data theft, lateral movement within OT networks, and potential disruption of industrial operations.
If Mitigated
Limited impact with proper network segmentation, application whitelisting, and user awareness training preventing malicious file execution.
🎯 Exploit Status
Exploitation requires social engineering to deliver malicious project files. Once opened, execution is automatic if VBA scripting is enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See vendor advisory for specific patched versions
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1701.html
Restart Required: Yes
Instructions:
1. Review Rockwell Automation advisory SD1701.
2. Identify affected products and versions in your environment.
3. Apply vendor-provided patches/updates.
4. Restart affected systems.
5. Verify patch installation.
🔧 Temporary Workarounds
Disable VBA Scripting
Windows: Disable the VBA scripting feature in affected Rockwell Automation products to prevent automatic script execution.
Configure through product settings: Tools > Options > Security > Disable VBA scripting
Restrict Project File Execution
Windows: Implement application control to only allow execution of trusted/signed project files.
Use Windows AppLocker or similar to restrict .rsp/.rss file execution
🧯 If You Can't Patch
- Implement strict network segmentation between engineering workstations and other networks
- Train users to never open project files from untrusted sources and enable macro/content warnings
🔍 How to Verify
Check if Vulnerable:
Check installed Rockwell Automation software versions against advisory SD1701. Verify if VBA scripting is enabled in product settings.
Check Version:
Check version in Rockwell Automation software: Help > About or via Windows Programs and Features
Verify Fix Applied:
Verify patch installation through product version check. Confirm VBA scripting is disabled or restricted in security settings.
📡 Detection & Monitoring
Log Indicators:
- Unexpected VBA script execution in application logs
- Multiple failed attempts to open project files
- Unusual process creation from Rockwell applications
Network Indicators:
- Unexpected network connections from engineering workstations
- SMB/NFS transfers of project files from untrusted sources
SIEM Query:
Process creation where (parent_process contains 'FactoryTalk' OR parent_process contains 'RSLogix') AND (process_name contains 'cmd.exe' OR process_name contains 'powershell.exe')
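The process-creation rule above, evaluated over sample events, as an added example that is not from the vendor advisory or the original page. It groups the two parent conditions and the two child conditions explicitly and contrasts that with an AND-before-OR reading of the same terms, which also flags unrelated activity. The field names come from the query; every event and path is constructed, and the function names are hypothetical.

```python
# Added example. Field names follow the page's query; every event is constructed.
PARENTS = ("factorytalk", "rslogix")
SHELLS = ("cmd.exe", "powershell.exe")

EVENTS = [  # constructed process-creation records; paths are placeholders
    {"id": 1, "parent_process": r"C:\Example\RSLogix\editor.exe",
     "process_name": r"C:\Windows\System32\cmd.exe"},
    {"id": 2, "parent_process": r"C:\Example\FactoryTalk View\studio.exe",
     "process_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 3, "parent_process": r"C:\Example\FactoryTalk View\studio.exe",
     "process_name": r"C:\Example\FactoryTalk View\helper.exe"},
    {"id": 4, "parent_process": r"C:\Windows\explorer.exe",
     "process_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 5, "parent_process": r"C:\Windows\explorer.exe",
     "process_name": r"C:\Windows\System32\notepad.exe"},
]


def contains_any(value, needles):
    """Case-insensitive substring test, like a SIEM 'contains' operator."""
    value = (value or "").lower()
    return any(n in value for n in needles)


def grouped(event):
    """(parent is FactoryTalk or RSLogix) AND (child is cmd or powershell)."""
    return (contains_any(event.get("parent_process"), PARENTS)
            and contains_any(event.get("process_name"), SHELLS))


def ungrouped(event):
    """AND-before-OR reading of the same terms: A OR (B AND C) OR D."""
    parent = (event.get("parent_process") or "").lower()
    child = (event.get("process_name") or "").lower()
    return ("factorytalk" in parent
            or ("rslogix" in parent and "cmd.exe" in child)
            or "powershell.exe" in child)


def alerts(rule, events=EVENTS):
    """Return the ids of the events that the rule flags."""
    return [e["id"] for e in events if rule(e)]


if __name__ == "__main__":
    print("grouped:  ", alerts(grouped))
    print("ungrouped:", alerts(ungrouped))
```

Events 3 and 4 are the difference: a Rockwell application starting its own helper, and a shell started from the desktop, are flagged only by the ungrouped reading.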