PatchSiren cyber security CVE debrief
CVE-2024-7847 Rockwell Automation CVE debrief
A vulnerability in Rockwell Automation RSLogix 5 and RSLogix 500 allows malicious VBA scripts embedded in project files to execute automatically upon opening, enabling remote code execution. The issue stems from a legitimate feature that permits VBA scripts to run without user intervention when a project file is opened. An attacker could craft a malicious RSP or RSS project file containing embedded VBA code and trick a user into opening it, resulting in code execution with the privileges of the logged-in user. The vulnerability was disclosed on September 19, 2024, with a CVSS 3.1 score of 7.7 (HIGH). No patch is available; mitigation relies on administrative controls to disable VBA execution, restrict file locations, and enable VBA editor protection.
- Vendor
- Rockwell Automation
- Product
- RSLogix 500
- CVSS
- HIGH 7.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-09-19
- Original CVE updated
- 2024-09-19
- Advisory published
- 2024-09-19
- Advisory updated
- 2024-09-19
Who should care
Organizations using Rockwell Automation RSLogix 5, RSLogix 500, or RSLogix Micro Developer and Starter for PLC programming in industrial environments. Critical infrastructure operators, manufacturing facilities, and any entity with OT/ICS engineering workstations running affected software versions should prioritize assessment and mitigation.
Technical summary
The vulnerability exists in the VBA scripting feature of RSLogix 5 and RSLogix 500 engineering software. Affected products allow project files (RSP/RSS formats) to contain embedded VBA macros configured to execute automatically when the file opens. This design feature can be weaponized by embedding malicious VBA code in a project file and delivering it to a target user. Successful exploitation requires user interaction (opening the malicious file) but results in remote code execution with the context of the user running the application. The attack complexity is rated HIGH due to required social engineering, but impact is severe with complete system compromise possible. No software update is available; defense relies on configuration hardening and access controls.
Defensive priority
HIGH
Recommended defensive actions
- Disable VBA execution in FactoryTalk Administration Console when not needed by navigating to Policies, selecting Enable/Disable VBA, and checking the Deny box
- Store project files in Trusted locations with administrative-only write access and verify file integrity before opening
- Enable VBA editor protection by setting a password to lock VBA code from viewing and editing
- Restrict user permissions to prevent unauthorized modification of project files
- Implement application whitelisting to prevent execution of unauthorized code
- Train users to recognize and avoid opening untrusted project files from unknown sources
- Monitor for suspicious VBA execution events in affected engineering workstations
Evidence notes
Vulnerability description and affected products confirmed via CISA CSAF advisory ICSA-24-263-01. CVSS vector AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H indicates local attack vector with high complexity, requiring user interaction but yielding complete confidentiality, integrity, and availability impact with scope change.
Official resources
-
CVE-2024-7847 CVE record
CVE.org
-
CVE-2024-7847 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-09-19