PatchSiren cyber security CVE debrief
CVE-2024-4609 Rockwell Automation CVE debrief
A SQL injection vulnerability in Rockwell Automation FactoryTalk View SE's Datalog function allows authenticated threat actors to inject malicious SQL statements when databases lack authentication or credentials are compromised. The flaw affects HMI design-time operations only, not runtime. Successful exploitation enables information disclosure, data modification, and deletion in remote databases. The vulnerability was disclosed on May 16, 2024, with a CVSS 3.1 score of 7.6 (HIGH). Affected versions are prior to 14.0. Rockwell Automation has released version 14.0 as the remediation.
- Vendor: Rockwell Automation
- Product: FactoryTalk View SE
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-16
- Original CVE updated: 2024-05-16
- Advisory published: 2024-05-16
- Advisory updated: 2024-05-16
Who should care
Organizations operating Rockwell Automation FactoryTalk View SE in industrial environments, particularly those using the Datalog function with SQL databases. Critical infrastructure operators, manufacturing facilities, and OT security teams should prioritize assessment and patching.
Technical summary
The FactoryTalk View SE Datalog function constructs SQL queries without adequate input sanitization, enabling injection of malicious SQL statements. Exploitation requires either an unauthenticated SQL database or stolen legitimate credentials. The vulnerability is network-accessible with low attack complexity and low privileges required. Impact includes high confidentiality loss (sensitive information exposure), low integrity loss (data modification), and low availability loss (data deletion). Scope is limited to HMI design-time operations; runtime systems are unaffected. CVSS 3.1: 7.6 (HIGH). CVSS 4.0: 8.7 (HIGH).
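The following is an added illustration of the bug class described above, not code from FactoryTalk View SE (the Datalog implementation is not shown on this page). It uses a constructed in-memory SQLite table standing in for a tag log, places the string-splicing pattern beside the bound-parameter fix, and adds an identifier allow-list as a second layer; all table, column and function names are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows for a stand-in tag log; not FactoryTalk's schema.
SAMPLE_ROWS = [
    ("Tank1_Level", 42.5),
    ("Tank2_Level", 17.0),
    ("Pump1_Status", 1.0),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory table shaped like a simple tag log (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tag_log (tag_name TEXT, value REAL)")
    conn.executemany("INSERT INTO tag_log VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, tag_name: str) -> list:
    """Vulnerable pattern: the caller-supplied tag name is spliced into the
    SQL text, so a quote character inside it changes the query structure."""
    sql = f"SELECT tag_name, value FROM tag_log WHERE tag_name = '{tag_name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, tag_name: str) -> list:
    """Hardened pattern: the tag name is passed as a bound parameter and is
    treated purely as data, whatever characters it contains."""
    sql = "SELECT tag_name, value FROM tag_log WHERE tag_name = ?"
    return conn.execute(sql, (tag_name,)).fetchall()


def is_valid_tag_name(tag_name: str) -> bool:
    """Defence in depth: reject anything that is not a plain identifier
    before it reaches the database layer at all (assumed naming rule)."""
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]{0,63}", tag_name) is not None


def demo() -> dict:
    """Run both lookups with a benign and a constructed hostile tag name."""
    conn = make_db()
    benign = "Tank1_Level"
    # Constructed hostile input: closes the string literal and widens the
    # WHERE clause so every row matches in the unsafe variant.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),
        "unsafe_hostile": len(lookup_unsafe(conn, hostile)),
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_hostile": len(lookup_safe(conn, hostile)),
        "hostile_passes_allowlist": is_valid_tag_name(hostile),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The unsafe lookup returns every row for the hostile input because the literal is terminated early; the bound-parameter version returns nothing because no tag is literally named that string, and the allow-list check rejects it before any query is built. The same two layers (parameterized statements plus input validation) are what a fix for this class of flaw in any HMI logging component amounts to.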
Defensive priority
HIGH
Recommended defensive actions
- Upgrade FactoryTalk View SE to version 14.0 or later to remediate this vulnerability
- Ensure SQL databases used with FactoryTalk View SE Datalog function require strong authentication
- Audit and rotate credentials for SQL database connections to prevent credential-based exploitation
- Restrict network access to FactoryTalk View SE systems and associated SQL databases to authorized personnel only
- Monitor for anomalous SQL queries or database access patterns that may indicate exploitation attempts
- Review and apply CISA ICS recommended practices for securing industrial control systems
- Consult Rockwell Automation security bulletin for additional mitigation guidance
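To make the monitoring action above concrete, here is an added example of a baseline-driven check over database audit records; it is not a Rockwell or CISA tool. The log line format, the account names, the allowed statement verbs and the allowed table name are all constructed assumptions; in practice the baseline is derived from the site's own observed Datalog traffic.

```python
import re
from typing import List, Tuple

# Constructed sample audit lines in a hypothetical "key=value" format.
SAMPLE_LOG = """\
2024-05-16T08:00:01Z user=ftview_datalog db=Datalog stmt=INSERT INTO tag_log (tag_name,value) VALUES ('Tank1_Level',42.5)
2024-05-16T08:00:02Z user=ftview_datalog db=Datalog stmt=SELECT value FROM tag_log WHERE tag_name='Tank1_Level'
2024-05-16T08:00:03Z user=ftview_datalog db=Datalog stmt=SELECT value FROM tag_log WHERE tag_name='x' OR '1'='1'
2024-05-16T08:00:04Z user=ftview_datalog db=Datalog stmt=SELECT name FROM sys.tables
2024-05-16T08:00:05Z user=ftview_datalog db=Datalog stmt=DELETE FROM tag_log WHERE 1=1
2024-05-16T08:00:06Z user=reporting_ro db=Datalog stmt=SELECT value FROM tag_log WHERE tag_name='Tank2_Level'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) stmt=(?P<stmt>.+)$")
TABLE_RE = re.compile(r"\b(?:from|into|update|join)\s+([A-Za-z_][\w.]*)", re.I)

# Hypothetical baseline: which statement verbs and tables each account normally uses.
ALLOWED_VERBS = {"ftview_datalog": {"INSERT", "SELECT"}, "reporting_ro": {"SELECT"}}
ALLOWED_TABLES = {"tag_log"}

# Structural indicators that a value was interpreted as SQL rather than data.
SUSPICIOUS = [
    (re.compile(r"\bor\b\s+'?(\w+)'?\s*=\s*'?\1'?", re.I), "tautology in WHERE clause"),
    (re.compile(r"--|/\*"), "SQL comment sequence"),
    (re.compile(r";\s*\w"), "stacked statement"),
    (re.compile(r"\bunion\b\s+\bselect\b", re.I), "UNION SELECT"),
    (re.compile(r"\b(sys|information_schema)\.", re.I), "system catalog access"),
]


def audit(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, user, reasons) for every line that departs from the baseline."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((line_no, "?", ["unparseable audit line"]))
            continue
        user, stmt = m["user"], m["stmt"]
        reasons = []
        verb = stmt.split(None, 1)[0].upper()
        if verb not in ALLOWED_VERBS.get(user, set()):
            reasons.append(f"verb {verb} not in baseline for {user}")
        for table in TABLE_RE.findall(stmt):
            if table.lower() not in ALLOWED_TABLES:
                reasons.append(f"table {table} not in baseline")
        for pattern, label in SUSPICIOUS:
            if pattern.search(stmt):
                reasons.append(label)
        if reasons:
            findings.append((line_no, user, reasons))
    return findings


if __name__ == "__main__":
    for line_no, user, reasons in audit(SAMPLE_LOG):
        print(f"line {line_no} ({user}): {'; '.join(reasons)}")
```

Over the constructed sample, lines 3, 4 and 5 are flagged (tautology, catalog access and an unexpected DELETE from the logging account) while the routine INSERT and SELECT traffic passes. The verb and table baseline is the part that generalizes: a design-time logging account that suddenly issues statements outside its normal shape is the signal worth alerting on, independent of any particular injection string.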
Evidence notes
CISA ICS advisory ICSA-24-137-14 published 2024-05-16 confirms SQL injection in FactoryTalk View SE Datalog function affecting versions <14.0. CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L yields score 7.6. Attack scope limited to HMI design time per vendor disclosure.
Official resources
- CVE-2024-4609 CVE record (CVE.org)
- CVE-2024-4609 NVD detail (NVD)
- Source item: cisa_csaf (CISA ICS advisory ICSA-24-137-14)
2024-05-16