PatchSiren cyber security CVE debrief
CVE-2024-3640 Rockwell Automation CVE debrief
An unquoted executable path vulnerability exists in Rockwell Automation FactoryTalk Remote Access (FTRA) versions ≤v13.5.0.174. The vulnerability occurs during installation when the executable path is not properly quoted, potentially allowing a threat actor with administrative privileges to achieve remote code execution as SYSTEM by placing a malicious executable in the unquoted path. This vulnerability requires local access, high privileges, and user interaction, resulting in a CVSS 3.1 score of 6.5 (MEDIUM). CISA published advisory ICSA-24-135-01 on May 14, 2024, coordinating with Rockwell Automation. The vendor has released version 13.6 to address this issue. No known exploitation in the wild has been reported, and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Rockwell Automation
- Product: FactoryTalk Remote Access
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-14
- Original CVE updated: 2024-05-14
- Advisory published: 2024-05-14
- Advisory updated: 2024-05-14
Who should care
Organizations running Rockwell Automation FactoryTalk Remote Access ≤v13.5.0.174 in industrial control environments; OT security teams managing remote access solutions; asset owners with FTRA deployments requiring patch management prioritization
Technical summary
The FactoryTalk Remote Access installer fails to properly quote executable paths during installation (CWE-428). An attacker with pre-existing administrative privileges can exploit this by placing a malicious executable in the unquoted path, which will execute with SYSTEM privileges when the installer runs. The attack requires local access and user interaction with the installer. CVSS 3.1: 6.5 (MEDIUM). Fixed in v13.6.
Defensive priority
medium
Recommended defensive actions
- Upgrade FactoryTalk Remote Access to version 13.6 or later per vendor security bulletin
- Review installation procedures for FTRA deployments to ensure proper path quoting
- Apply principle of least privilege for administrative accounts accessing FTRA systems
- Monitor for unauthorized executable placement in FTRA installation directories
- Consult Rockwell Automation's security advisory for additional mitigation guidance
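The technical summary describes the CWE-428 mechanism, and the second and fourth recommended actions ask for path-quoting review and monitoring of the install directories. The following is an added example, not code from Rockwell Automation, CISA or PatchSiren: it implements the general unquoted-path audit that Windows administrators run against service ImagePath values, using constructed sample values rather than FTRA's real paths (which the advisory does not list). For each unquoted command line containing spaces it reports the intermediate locations Windows would probe before the intended binary, which are the directories whose write permissions a defender must verify, and shows the quoted form that remediates the issue.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of Windows service ImagePath values, as an auditor would read
# them from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. The names and
# paths are made up for illustration; they are not FactoryTalk Remote Access values.
SAMPLE_SERVICES: Dict[str, str] = {
    "ExampleQuoted": '"C:\\Program Files\\Example Vendor\\Agent\\agent.exe" -svc',
    "ExampleUnquoted": "C:\\Program Files\\Example Vendor\\Remote Access\\service.exe --run",
    "NoSpaces": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
}


@dataclass
class Finding:
    service: str
    image_path: str
    candidate_paths: List[str]  # binaries Windows would try before the intended one


def search_candidates(command_line: str) -> List[str]:
    """Return the executables CreateProcess would probe for an unquoted path with
    spaces (e.g. 'C:\\Program.exe'). Empty when the path is quoted or has no spaces."""
    cmd = command_line.strip()
    if cmd.startswith('"') or " " not in cmd:
        return []
    # The intended executable ends at the first '.exe' followed by whitespace or end.
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", cmd)
    if not m:
        return []
    parts = m.group(1).split(" ")
    # Every space-delimited prefix short of the full path gets '.exe' appended and
    # is tried first; those directories must not be writable by unprivileged users.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quoted(image_path: str) -> str:
    """Remediated form: wrap the executable path in double quotes, keep arguments."""
    cmd = image_path.strip()
    m = re.match(r"(?i)(.+?\.exe)(.*)", cmd)
    if cmd.startswith('"') or not m:
        return image_path
    return f'"{m.group(1)}"{m.group(2)}'


def audit(services: Dict[str, str]) -> List[Finding]:
    """Flag every service whose ImagePath is unquoted and contains spaces."""
    return [Finding(name, path, search_candidates(path))
            for name, path in services.items() if search_candidates(path)]


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f"{f.service}: unquoted path, probes {f.candidate_paths}")
        print(f"  fix: {quoted(f.image_path)}")
```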
Evidence notes
Vulnerability confirmed through CISA CSAF advisory ICSA-24-135-01 published 2024-05-14. CVSS 3.1 vector AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H confirms local attack vector with high privileges required. Affected product version ≤v13.5.0.174 explicitly stated in CSAF product tree. Vendor fix to v13.6 documented in remediation section.
Official resources
- CVE-2024-3640 CVE record (CVE.org)
- CVE-2024-3640 NVD detail (NVD)
- Source item URL (cisa_csaf)
Coordinated disclosure through CISA ICS-CERT with vendor fix available