PatchSiren cyber security CVE debrief
CVE-2024-12371 Rockwell Automation CVE debrief
A critical device takeover vulnerability in Rockwell Automation PowerMonitor 1000 series devices allows unauthenticated attackers to create a Policyholder user—the most privileged account—via API calls. This grants complete device control including administrative user creation and factory reset capabilities. The vulnerability affects 14 product variants running firmware versions prior to 4.020. CISA published this advisory on December 17, 2024.
- Vendor: Rockwell Automation
- Product: PM1k 1408-BC3A-485
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-12-17
- Original CVE updated: 2024-12-17
- Advisory published: 2024-12-17
- Advisory updated: 2024-12-17
Who should care
Organizations operating Rockwell Automation PowerMonitor 1000 series energy monitoring devices in industrial environments, particularly those with devices exposed to operational technology networks or with remote management capabilities enabled. Critical infrastructure operators in energy, manufacturing, and water sectors using these devices for power quality monitoring should prioritize assessment and remediation.
Technical summary
The vulnerability exists in the API implementation of affected PowerMonitor 1000 devices. An unauthenticated attacker can send API requests to create a new Policyholder user account without presenting valid credentials. The Policyholder role possesses maximum privileges including edit operations, creation of additional administrative users, and execution of factory reset commands. This represents a complete authentication bypass with immediate full device compromise. The attack requires network access to the device's API endpoints but no user interaction or prior authentication. All 14 affected product variants share the same underlying firmware vulnerability resolved in version 4.020.
Defensive priority
CRITICAL
Recommended defensive actions
- Upgrade affected PowerMonitor 1000 devices to firmware version 4.020 or later immediately
- Apply network segmentation to isolate affected devices from untrusted networks
- Implement access control lists restricting API endpoint access to authorized management hosts
- Monitor for unauthorized user account creation events on affected devices
- Review device configurations for unexpected Policyholder or administrative accounts
- Apply CISA ICS recommended practices for defense-in-depth where immediate patching is not feasible
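The last three actions above (firmware upgrade, monitoring for account creation, reviewing configurations for unexpected Policyholder accounts) can be folded into one routine audit of a device inventory. The script below is an added example written for this debrief; it is not code from Rockwell Automation, CISA or PatchSiren. The inventory layout (a JSON list of devices with a firmware string and a user list), the role names other than Policyholder, and the `BASELINE_ACCOUNTS` set are constructed assumptions, since the advisory does not describe the device's export format; a site would adapt the loader to whatever its configuration backups actually produce. It flags any device still running firmware below 4.020 and any privileged account that is not on the approved baseline, which is exactly the kind of unexpected Policyholder account an exploitation of this issue would leave behind.

```python
"""Audit a PowerMonitor 1000 inventory for the two indicators the advisory
recommends watching: firmware older than 4.020 and privileged (Policyholder or
administrative) accounts that are not on the approved baseline.

Inventory layout, role names other than Policyholder and the baseline set are
constructed assumptions for this example, not the device's real export format.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

FIXED_VERSION = "4.020"  # first firmware release stated by the advisory to resolve the issue
# Roles worth auditing; "Administrator" is an assumed name, only Policyholder is on the page
PRIVILEGED_ROLES = {"Policyholder", "Administrator"}

# Accounts the site has approved; any privileged account outside this set is a finding
BASELINE_ACCOUNTS = {"ops-admin"}

# Constructed sample inventory: three devices as a site backup might list them
SAMPLE_INVENTORY = json.dumps([
    {"device": "PM1k-substation-A", "firmware": "4.020",
     "users": [{"name": "ops-admin", "role": "Policyholder"},
               {"name": "viewer", "role": "Viewer"}]},
    {"device": "PM1k-line-3", "firmware": "3.021",
     "users": [{"name": "ops-admin", "role": "Policyholder"},
               {"name": "svc_4f2a", "role": "Policyholder"}]},   # not on the baseline
    {"device": "PM1k-pumphouse", "firmware": "4.019",
     "users": [{"name": "viewer", "role": "Viewer"}]},
])


@dataclass
class Finding:
    device: str
    kind: str      # "firmware" or "account"
    detail: str


def parse_version(version: str) -> tuple[int, ...]:
    """'4.020' -> (4, 20). Assumes dotted numeric firmware versions like the advisory's."""
    return tuple(int(part) for part in version.strip().split("."))


def firmware_vulnerable(version: str) -> bool:
    """True when the device firmware predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def unexpected_privileged_accounts(users: list[dict], baseline=BASELINE_ACCOUNTS) -> list[str]:
    """Names of privileged accounts that the site never approved."""
    return sorted(u["name"] for u in users
                  if u["role"] in PRIVILEGED_ROLES and u["name"] not in baseline)


def audit_inventory(inventory_json: str, baseline=BASELINE_ACCOUNTS) -> list[Finding]:
    """Walk every device, reporting out-of-date firmware and unexpected privileged accounts."""
    findings: list[Finding] = []
    for dev in json.loads(inventory_json):
        if firmware_vulnerable(dev["firmware"]):
            findings.append(Finding(dev["device"], "firmware",
                                    f"{dev['firmware']} < {FIXED_VERSION}, upgrade required"))
        for name in unexpected_privileged_accounts(dev.get("users", []), baseline):
            findings.append(Finding(dev["device"], "account",
                                    f"privileged account '{name}' not in approved baseline"))
    return findings


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f.device}: [{f.kind}] {f.detail}")
```

Running the script against the constructed sample reports three findings: the two devices below 4.020 and the unapproved `svc_4f2a` Policyholder account on `PM1k-line-3`. The version check compares numeric tuples rather than strings so that `4.100` is correctly treated as newer than `4.020`; the baseline comparison is deliberately simple so that it can be run from a scheduled job against each configuration backup and its output diffed over time.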
Evidence notes
CISA CSAF advisory ICSA-24-352-03 confirms unauthenticated API access enables Policyholder user creation with full device control privileges. CVSS 3.1 score of 9.8 reflects network attack vector with no privileges required and high impact across confidentiality, integrity, and availability.
Official resources
- CVE-2024-12371 CVE record (CVE.org)
- CVE-2024-12371 NVD detail (NVD)
- Source item URL: cisa_csaf
- Source reference
2024-12-17