Rockwell recently rolled out security patch for nine critical vulnerability identified at FactoryTalk AssertCentre software

Continue reading
Rockwell Automation, an American provider of industrial automation and information technology, has lately warned its customers about discovering nine critical vulnerabilities in its FactoryTalk AssetCentre product.
Although later on, the company rolled out security patches for all the nine vulnerabilities with the release of version v11.
FactoryTalk AssertCentre is a software that offers a centralized tool for securing, managing, versioning, tracking, and reporting automation-related asset information across the entire facility.
Security experts at industrial cybersecurity firm Claroty, ICS-CERT discovered all the vulnerabilities and publicized them in their advisory report including the essential details of the detected vulnerabilities and it's mitigation procedure.
While the architecture of the AssertCentre is primarily built on the central server and MS-SQL server database, clients and remote agents are found to be running on the engineering workstations (generally, Windows-based machines). However, all the agent communicates through a centralized server and can accept and send commands to automation devices, such as PLCs.

“*Claroty researchers were able to find deserialization vulnerabilities in a number of remoting services running on FactoryTalk AssetCentre, which handle inter-process communication within an OT network, as well as SQL-injection vulnerabilities in other service functions. These services run with the highest system privileges, meaning that any arbitrary code supplied by an attacker would also execute with those same privileges, allowing full access to the machine.” reads the advisory published by Claroty*.
“*Deserialization vulnerabilities, meanwhile, are a class of bugs that occur when an attacker can inject malicious code into a serialized object that would be executed later when being be serialized*.”
Security Experts further highlighted that the identified vulnerabilities are deserialization and SLQ injection vulnerabilities, and they have been rated with a CVSS score of 10.
Besides, experts at Claroty also explained that these vulnerabilities are so critical that any unauthenticated, remote attacker could easily exploit them to gain access to the entire centralized FactoryTalk AssetCentre Server and Windows-based engineering stations communicating with the server.
Eventually, this enables the threat actor to take full control of the entire operational technology (OT) network of the facility a rum commands on the server agents and automation devices such as programmable logic controllers (PLCs).
“*Successful exploitation of these vulnerabilities may allow unauthenticated attackers to perform arbitrary command execution, SQL injection, or remote code execution.” reads the advisory* published by CISA.
Rockwell advisory is available here.
All the customers of Rockwell Automation are strictly directed to update the existing FactoryTalk AssetCentre software to the latest possible version i.e. version v11 in order to mitigate these nine vulnerabilities. Moreover, Rockwell also advises customers to refer to the official Installation Guide of the FactoryTalk AssertCentre and follow the proposed guidelines to securely complete the configuration of the tool with SSL on clients, agent computers, and the web client.
In order to maintain a secure communication it is also recommended to configure IPSec while this doesn't entirely concede the identified vulnerabilities. But it will allow the system to authenticate the sender and avoid any unauthorized connections. And it would still allow the threat actor to leverage an authorized client in order to compromise the system. Rockwell also believes that using IPSec significantly reduces the risk by reducing the potential attack surface.
CVE-2021-27462 CWE-502 Deserialization of Untrusted Data CVSS v3 Score: 10
A deserialization vulnerability was uncovered in the way the FactoryTalk AssetCentre AosService.rem service verifies serialized data. An unauthenticated attacker may exploit this to execute arbitrary code in FactoryTalk AssetCentre remotely.
CVE-2021-27466 CWE-502 Deserialization of Untrusted Data CVSS v3 Score: 10
A deserialization vulnerability was found in how the FactoryTalk AssetCentre ArchiveService.rem verifies serialized data. An unauthenticated, remote attacker could exploit this and execute arbitrary commands in FactoryTalk AssetCentre.
CVE-20201-27470 CWE-502 Deserialization of Untrusted Data CVSS v3 Score: 10
A deserialization vulnerability was found in the way FactoryTalk AssetCentre LogService.rem verifies serialized data. This vulnerability could be exploited for remote code execution in FactoryTalk AssetCentre pre-authentication.
CVE-2021-27474 CWE-749 Exposed Dangerous Method or Function CVSS v3 Score: 10
FactoryTalk AssetCentre does not correctly restrict IIS remoting services functions, allowing a remote, unauthenticated attacker to modify or expose sensitive data in FactoryTalk AssetCentre.
CVE-2021-27476 CWE-78 OS Command Injection CVSS v3 Score: 10
A vulnerability in the SaveConfigFile function of FactoryTalk AssetCentre’s RACompare Service allows for OS command injection, giving an unauthenticated, remote attacker the ability to run arbitrary code in FactoryTalk AssetCentre.
CVE-2021-27472 CWE-89 Improper Neutralization of Special Elements Used in a SQL Command (SQL Injection)
CVSS v3 Score: 10
FactoryTalk AssetCentre’s SearchService allows for the execution of remote SQL statements by an unauthenticated attacker.
CVE-2021-27468 CWE-89 Improper Neutralization of Special Elements Used in a SQL Command (SQL Injection) CVSS v3 Score: 10
The AosService.rem service exposes functions that lack authentication, enabling an unauthenticated, remote attacker to execute SQL statements.
CVE-2021-27464 CWE-89 Improper Neutralization of Special Elements Used in a SQL Command (SQL Injection) CVSS v3 Score: 10**
The ArchiveService.rem service exposes functions that lack authentication, enabling remote execution of SQL statements by an unauthenticated attacker.
CVE-2021-27460 CWE-502 Deserialization of Untrusted Data CVSS v3 Score: 10
Multiple FactoryTalk AssetCentre components contain .NET remoting endpoints that deserialize untrusted data without verifying the results will be valid. An unauthenticated local attacker would gain full access to the FactoryTalk AssetCentre central server and agent machines and remotely execute code.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.