Revision History
Revision Number
1.0
Revision History
Version 1.0 – October 26, 2023
Executive Summary
The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.
Affected Products
| Affected Product | First Known in Software Version | Corrected in Software Version |
| FactoryTalk® Services Platform | v2.74 | V2.80 and later |
Vulnerability Details
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2023-46290 IMPACT
Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk® Services Platform web service and then use the token to log in into FactoryTalk® Services Platform . This vulnerability can only be exploited if the authorized user did not previously log in into the FactoryTalk® Services Platform web service.
CVSS Base Score: 8.1/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Risk Mitigation & User Action
Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
- Install the respective FactoryTalk Services Version that remediates the issue.
- QA43240 - Recommended Security Guidelines from Rockwell Automation
