CVE-2017-6015
HIGH
Rockwell Automation FactoryTalk Activation < 4.00.02 - Unquoted Search Path or Element
Title source: llm
Description
Without quotation marks, any whitespace in the file path for Rockwell Automation FactoryTalk Activation version 4.00.02 remains ambiguous, which may allow an attacker to link to or run a malicious executable. This may allow an authorized, but not privileged local user to execute arbitrary code with elevated privileges on the system. CVSS v3 base score: 8.8, CVSS vector string: (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). Rockwell Automation has released a new version of FactoryTalk Activation, Version 4.01, which addresses the identified vulnerability. Rockwell Automation recommends upgrading to the latest version of FactoryTalk Activation, Version 4.01 or later.
References (3)
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/96996
Permissions Required, Vendor Advisory x_refsource_misc
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/939382
Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-17-047-02
Scores
CVSS v3
7.8
EPSS
0.0005
EPSS Percentile
16.8%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-428
CWE-74
Status
published
Products (1)
rockwellautomation/factorytalk_activation
< 4.00.02
Published
May 11, 2018
Tracked Since
Feb 18, 2026