Rockwell Reveals 10 Vulnerabilities in 3 Popular Products

Users are urged to implement best practices to mitigate the potential risks with FactoryTalk, PowerFlex and Arena Simulation.

Company issues three security advisories highlighting 10 vulnerabilities in its FactoryTalk, PowerFlex, and Arena Simulation products

Rockwell Automation recently issued three security advisories covering 10 vulnerabilities in its FactoryTalk, PowerFlex, and Arena Simulation products. The US Cybersecurity and Infrastructure Security Agency (CISA) has republished these advisories to alert organizations to the vulnerabilities identified in the industrial automation company's offerings.

One of the advisories covers six flaws in the Arena Simulation software: five high-severity arbitrary code execution vulnerabilities and one medium-severity information disclosure and denial-of-service (DoS) issue. Each of these vulnerabilities requires the victim to open a malicious file. Rockwell Automation credited the discovery to ICS cybersecurity researcher Michael Heinzl, who is known for reporting critical vulnerabilities that are typically triggered by specially crafted files. Heinzl's own advisories describe the exploitation methods, which rely on crafted DOE files; the flaws were reported to the vendor through CISA in November 2023.

In a second advisory, Rockwell Automation addressed three high-severity vulnerabilities in its PowerFlex product that can be exploited for DoS attacks. Patches for these vulnerabilities are still pending, so the vendor recommends that customers apply the listed mitigations and follow security best practices to reduce the risk in the meantime.

The third advisory covers a medium-severity issue identified during internal testing of the FactoryTalk View ME product. Updates have been released to address this vulnerability, which could allow a malicious user to remotely restart a PanelView Plus 7 terminal without any security protections, resulting in a loss of control of or visibility into the PanelView product.

“A vulnerability exists in the affected product that allows a malicious user to restart the PanelView Plus 7 terminal remotely without security protections. If the vulnerability is exploited, it could lead to the loss of view or control of the PanelView product,” the company explained.
