CVE-2024-10944 Rockwell Automation CVE debrief

Who should care

Industrial control system operators, OT security teams, manufacturing security engineers, and organizations running Rockwell Automation FactoryTalk Updater components in production environments

Technical summary

The vulnerability exists in FactoryTalk Updater's agent deployment mechanism due to insufficient input validation. An attacker with high privileges and user interaction capability could deploy a malicious update agent, achieving remote code execution with significant confidentiality, integrity, and availability impact. The attack surface is network-accessible but constrained by privilege requirements. Version 4.20.00 implements proper validation controls to prevent malicious agent deployment.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade FactoryTalk Updater Web Client, Client, and Agent components to version 4.20.00 or later
• Restrict network and physical access to servers hosting FactoryTalk Updater
• Perform database updates by clicking the 'Scan' button after patching
• Review and implement Rockwell Automation security best practices for industrial control systems
• Apply Stakeholder-Specific Vulnerability Categorization (SSVC) for environment-specific risk prioritization

Evidence notes

CVE published 2024-11-14; modified 2024-11-18. CISA CSAF advisory ICSA-24-319-14 issued same date with Update A on 2024-11-18 clarifying version information and correcting critical infrastructure sector classification. CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H. CVSS 4.0 vector also provided in source. Three product variants affected: Web Client (4.00.00–4.20.00), Client (<4.20.00), Agent (<4.20.00). Remediation requires update to version 4.20.00 across all components.

Official resources