CVE-2024-21915 (CVSS 9.0): Rockwell Automation Patches Critical Flaw in FTSP

A recently disclosed privilege escalation flaw (CVE-2024-21915) with a critical CVSS score of 9.0 exists in Rockwell’s FactoryTalk Service Platform (FTSP). CISA advises applying the vendor’s patch and mitigations immediately. Unchecked, this could allow low-privilege users to escalate to FTSP Administrator Group privileges, posing grave risks to industrial processes and system data.

CVE-2024-21915

FactoryTalk Services Platform (FTSP) is a software suite developed by Rockwell Automation to streamline industrial automation and optimize manufacturing environments.

This vulnerability targets FTSP’s core user permissions architecture. Insecure internal configuration settings, if exploited, would allow account escalation leading to system-wide administrative power in the hands of attackers.

A privilege escalation vulnerability exists in FactoryTalk® Service Platform (FTSP). If exploited, a malicious user with basic user group privileges could potentially sign into the software and receive FTSP Administrator Group privileges. A threat actor could potentially read and modify sensitive data, delete data and render the FTSP system unavailable,” Rockwell explained in its advisory.

Affected Product First Known in software version Corrected in software version
FactoryTalk® Service Platform              <v2.74 Update to V2.74 or later

In response to CVE-2024-21915, the US Cybersecurity and Infrastructure Security Agency (CISA) sounded the alarm, issuing an advisory that underscores the gravity of the situation. Rockwell Automation, for its part, has been proactive, issuing patches and urging those with the affected software to fortify their defenses using suggested best practices.

The recommendations from CISA form a triad of defense, emphasizing the reduction of network exposure, the fortification of networks with firewalls and isolation from business networks, and the prudent use of secure remote access methods like VPNs.

Rockwell says it’s not aware of any malicious attacks exploiting this flaw.