CVE-2024-37368 Rockwell Automation CVE debrief

Who should care

Industrial control system operators, OT security teams, manufacturing security engineers, critical infrastructure defenders, and organizations running Rockwell Automation FactoryTalk View SE for human-machine interface visualization in production environments.

Technical summary

The vulnerability exists in FactoryTalk View SE v11.0's remote project access functionality. A remote attacker with FTView can transmit a packet to a customer server to retrieve HMI project information without presenting valid credentials. The server fails to perform proper authentication verification before granting project view access. This represents a classic missing authentication control (CWE-306) in a client-server industrial protocol. The attack requires network access to the FactoryTalk View SE server but no user interaction or privileges. Successful exploitation exposes sensitive HMI project data including process configurations, potentially aiding further targeted attacks against industrial processes.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade FactoryTalk View SE to V14.0 or later to remediate the authentication bypass vulnerability.
• If immediate upgrade is not feasible, implement network segmentation to isolate HMI systems from untrusted networks.
• Apply IPsec-based access controls to restrict remote FTView system connectivity per Rockwell Automation security best practices.
• Review and enforce least-privilege access policies for industrial control system networks.
• Monitor network traffic for unauthorized FactoryTalk View SE project access attempts.

Evidence notes

CISA CSAF advisory ICSA-24-165-18 confirms the vulnerability affects FactoryTalk View SE v11.0, with correction in V14.0. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates network-accessible, low-complexity attack with no privileges required, resulting in high confidentiality impact. No integrity or availability impact per scoring.

Official resources