Severity: High, Medium
Advisory ID: PN1627
Published Date: June 13, 2023
Last Updated: September 09, 2025
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2023-2639, CVE-2023-2637, CVE-2023-2638
Summary
FactoryTalk® System Services affecting FactoryTalk® Policy Manager – Multiple Vulnerabilities
Revision Number
1.1
Revision History
Version 1.0 - June 13, 2023
Version 1.1 - September 9, 2015 - Updated for better readability
Affected Products
| Affected Product (automated) | First Known in Software Version | Corrected in Software Version |
| --- | --- | --- |
| FactoryTalk® Services Platform * Only if the following were installed: | 6.11.00 | 6.30.00 |
Security Issue Details
Rockwell Automation received a report from Claroty regarding three security issues in FactoryTalk® System Services. If used, these security issues could result in information disclosure, loading of malicious configuration files, or the elevation of privileges from a user to an administrator.
FactoryTalk® Policy Manager is dependent upon FactoryTalk® System Services and both components must be installed together. Rockwell Automation uses the latest version of the CVSS scoring system to assess security issues.
CVE-2023-2637 IMPACT
A hard-coded cryptographic key may lead to privilege escalation. FactoryTalk® System Services uses a hard-coded cryptographic key to generate administrator cookies. This security issue could allow a local, authenticated non-admin user to generate an invalid administrator cookie. This would give them administrative privileges to the FactoryTalk® Policy Manager database. This would allow the threat actor to make harmful changes to the database. The changes would then be used when a legitimate FactoryTalk® Policy Manager user deploys a security policy model. User interaction is required for this security issue to be successfully used.
CVSS Base Score: 7.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H
CWE: CWE-321: Use of Hard-coded Cryptographic Key
Known Exploited Vulnerability (KEV) database: No
CVE-2023-2638 IMPACT
An improper authorization in FTSSBackupRestore.exe could lead to the loading of harmful configuration archives. FactoryTalk® System Services does not verify that a backup configuration archive is password protected. This security issue could allow a local, authenticated non-admin user to craft a harmful backup archive. The archive would not have password protection and would be loaded by FactoryTalk® System Services as a valid backup when a restore procedure takes place. User interaction is required for this security issue to be used.
CVSS Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H
CWE: CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No
CVE-2023-2639 IMPACT
An origin validation error may lead to information disclosure. There is an underlying feedback mechanism of FactoryTalk® System Services that transfers the FactoryTalk® Policy Manager rules to relevant devices on the network. This does not verify that the origin of the communication is from a legitimate local client device. It could allow a threat actor to create a harmful website that will send a harmful script. The script can connect to the local WebSocket endpoint and wait for events as if it were a valid client device. If used, a threat actor could receive information including whether FactoryTalk® Policy Manager is installed. It could also allow the threat actor to view the entire security policy. User interaction is required for this to be used.
CVSS Base Score: 4.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CWE: CWE-346: Origin Validation Error
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
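For CVE-2023-2639, the control that is missing is a server-side check of where a WebSocket handshake comes from before events are sent to it. The sketch below is an added example, not Rockwell Automation's code or its fix; the port, the allowlists and the function names are assumptions chosen for illustration.

```javascript
// Added example: Origin and Host checks on a WebSocket upgrade request.
// The allowlists are hypothetical values, not taken from the product.
const ALLOWED_ORIGINS = new Set(["https://localhost:9443"]);
const ALLOWED_HOSTS = new Set(["localhost:9443", "127.0.0.1:9443"]);

// Reduce an Origin header to scheme://host[:port]; null if it is not usable.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch (err) {
    return null;
  }
  // A real Origin header has no path, query, fragment or credentials.
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return null;
  }
  return url.origin; // lower-cased scheme and host, default port dropped
}

// Decide whether the handshake may proceed. `headers` is a plain object.
function checkUpgrade(headers) {
  const h = {};
  for (const [name, val] of Object.entries(headers)) h[name.toLowerCase()] = val;

  if (String(h["upgrade"] || "").toLowerCase() !== "websocket") {
    return { allow: false, reason: "not a websocket upgrade" };
  }
  // The request must be addressed to the loopback listener by its own name.
  if (!ALLOWED_HOSTS.has(String(h["host"] || "").toLowerCase())) {
    return { allow: false, reason: "unexpected host" };
  }
  // Browsers send Origin on every WebSocket handshake; its absence is denied
  // here, so non-browser clients need a separate authenticated path.
  const origin = normalizeOrigin(h["origin"]);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return { allow: false, reason: "origin not allowed" };
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample handshakes (not captured traffic).
const SAMPLES = [
  { Host: "localhost:9443", Upgrade: "websocket", Origin: "https://localhost:9443" },
  { Host: "localhost:9443", Upgrade: "websocket", Origin: "https://example.invalid" },
  { Host: "localhost:9443", Upgrade: "websocket" },
  { Host: "localhost:9443", Upgrade: "websocket", Origin: "https://localhost.example.invalid:9443" },
];
```

The comparison is an exact match on the normalized origin, which is why the fourth sample is refused even though it contains the allowed host name as a prefix.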
Risk Mitigation & User Action
Customers using the affected software should use the risk mitigations and security best practices below.
- Upgrade to 6.30.00 or later, which has been patched to mitigate these issues.
- For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
- Implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks.
Additional Resources
CVE-2023-2637 JSON
CVE-2023-2638 JSON
CVE-2023-2639 JSON
Glossary
Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Medium Strength Ciphers: encryption methods that use key lengths of at least 64 bits and less than 112 bits, or those with key lengths at least 56 bits and less than 112 bits
Copyright ©2022 Rockwell Automation, Inc.