PatchSiren cyber security CVE debrief
CVE-2024-37365 Rockwell Automation CVE debrief
A remote code execution vulnerability in Rockwell Automation FactoryTalk View ME allows users to save projects within the public directory, enabling any local user to modify or delete files. A malicious actor could escalate privileges by altering macros to execute arbitrary code. The vulnerability stems from default folder privileges that grant excessive permissions to the INTERACTIVE group. Rockwell Automation has corrected this issue in version 15.0. For environments unable to upgrade immediately, hardening the Windows OS by removing the INTERACTIVE group from the HMI projects folder's security properties and applying least-privilege access controls is recommended.
- Vendor: Rockwell Automation
- Product: FactoryTalk View ME, when using default folder privileges
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-11-12
- Original CVE updated: 2024-11-12
- Advisory published: 2024-11-12
- Advisory updated: 2024-11-12
Who should care
Organizations operating Rockwell Automation FactoryTalk View ME in industrial environments, particularly those with shared or multi-user HMI workstations. Security teams responsible for ICS/OT hardening and access control enforcement. Compliance officers managing NIST CSF or IEC 62443 implementations.
Technical summary
FactoryTalk View ME versions 14.0 and earlier save projects to a directory with default permissions that allow any interactive user to modify files. This enables local privilege escalation through macro modification and arbitrary code execution. The attack requires local access and user interaction. Remediation involves upgrading to v15.0 or applying OS-level access controls to restrict directory permissions.
Defensive priority
high
Recommended defensive actions
- Upgrade to FactoryTalk View ME version 15.0 to obtain the vendor correction.
- If immediate upgrade is not feasible, harden the Windows OS by removing the INTERACTIVE group from the HMI projects folder security properties.
- Apply least-privilege principles: add specific users or groups with minimal required permissions; read-only users can still operate FactoryTalk View ME Station.
- Consult FactoryTalk View ME v14 Help topic 'HMI projects folder settings' for detailed configuration guidance.
- Review Rockwell Automation security best practices and security advisories for additional hardening recommendations.
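The workaround above (remove INTERACTIVE from the HMI projects folder, then grant only the specific groups the rights they need) is easy to get subtly wrong when the offending entry is inherited from the parent folder. The following PowerShell script is an added example, not Rockwell's code and not part of the advisory: it audits the folder for Allow entries that let NT AUTHORITY\INTERACTIVE write, and with -Apply breaks inheritance, drops those entries, and adds a read-only operator group plus a modify-only engineering group. The folder path and group names are placeholders; take the real folder from the product's 'HMI projects folder settings' Help topic.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Added example (not vendor code). Audit-only by default; -Apply rewrites the ACL.
param(
    [string]$ProjectsFolder = 'C:\PLACEHOLDER\HMI projects',   # placeholder: real path comes from the product Help topic
    [string]$OperatorGroup  = 'HMI-Operators',                 # assumed local/domain group that only runs ME Station
    [string]$EngineerGroup  = 'HMI-Engineers',                 # assumed group that edits projects
    [switch]$Apply
)

# Well-known SID S-1-5-4 is NT AUTHORITY\INTERACTIVE; resolve it rather than hard-coding the localized name.
$script:Interactive = ([SecurityIdentifier]'S-1-5-4').Translate([NTAccount]).Value

# Any of these rights is enough to alter project files, and therefore the macros they contain.
$script:WriteRights = [FileSystemRights]::Write -bor [FileSystemRights]::Modify -bor [FileSystemRights]::FullControl

function Get-HmiFolderRiskyAce {
    # Returns every Allow ACE on $Path that grants INTERACTIVE a write-capable right.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq [AccessControlType]::Allow -and
        $_.IdentityReference.Value -eq $script:Interactive -and
        (([int]$_.FileSystemRights) -band ([int]$script:WriteRights)) -ne 0
    }
}

function Set-HmiFolderLeastPrivilege {
    param([string]$Path, [string]$ReadOnlyGroup, [string]$ModifyGroup)

    # Step 1: the INTERACTIVE entry is normally inherited from the parent (the public folder),
    # and inherited ACEs cannot be removed in place. Protect the folder from inheritance while
    # copying the inherited entries as explicit ones, and persist that first.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step 2: re-read the now-explicit ACL and drop every ACE granted to INTERACTIVE.
    $acl = Get-Acl -LiteralPath $Path
    $probe = [FileSystemAccessRule]::new($script:Interactive, [FileSystemRights]::FullControl, [AccessControlType]::Allow)
    [void]$acl.RemoveAccessRuleAll($probe)   # removes all Allow rules for that identity, whatever the rights

    # Step 3: add least-privilege entries that apply to the folder, its files and subfolders.
    $inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [PropagationFlags]::None
    # Operators only need to read: the advisory notes read-only users can still run FactoryTalk View ME Station.
    $acl.AddAccessRule([FileSystemAccessRule]::new($ReadOnlyGroup, [FileSystemRights]::ReadAndExecute, $inherit, $none, [AccessControlType]::Allow))
    # Engineers who edit projects get Modify, not FullControl, so they cannot re-open the ACL themselves.
    $acl.AddAccessRule([FileSystemAccessRule]::new($ModifyGroup, [FileSystemRights]::Modify, $inherit, $none, [AccessControlType]::Allow))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$risky = @(Get-HmiFolderRiskyAce -Path $ProjectsFolder)
if ($risky.Count -eq 0) {
    Write-Host "No write-capable INTERACTIVE entries on $ProjectsFolder"
} else {
    Write-Host "Write-capable INTERACTIVE entries on ${ProjectsFolder}:"
    $risky | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    if ($Apply) {
        Set-HmiFolderLeastPrivilege -Path $ProjectsFolder -ReadOnlyGroup $OperatorGroup -ModifyGroup $EngineerGroup
        # Verify: after hardening, the audit must come back empty.
        $left = @(Get-HmiFolderRiskyAce -Path $ProjectsFolder).Count
        Write-Host "Remaining write-capable INTERACTIVE entries after hardening: $left"
    }
}
```

Run it once without -Apply from an elevated session to see what the audit reports (the IsInherited column tells you whether the entry came from the parent folder), then with -Apply after confirming the operator and engineering groups actually contain the accounts that use the workstation; otherwise the hardening locks out legitimate operators along with the INTERACTIVE group. Re-running the audit afterwards is the check that the correction took effect.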
Evidence notes
Advisory published by CISA as ICSA-24-317-03 on 2024-11-12. CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. Affected versions: <=v14.0. Corrected in v15.0.
Official resources
- CVE-2024-37365 CVE record (CVE.org)
- CVE-2024-37365 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-11-12