CVE-2024-21917

CRITICAL

Rockwell Automation FactoryTalk Services Platform < 6.31.00 - Improper Verification of Cryptographic Signature

Title source: llm

Description

A vulnerability exists in Rockwell Automation FactoryTalk® Service Platform that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory. If exploited, a malicious user could potentially retrieve user information and modify settings without any authentication.

References (2)

Core 2

Core References

Vendor Advisory

https://www.rockwellautomation.com/en-us/support/advisory.SD1660.html

Various Sources

https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1660.html

Scores

CVSS v3 9.8

EPSS 0.0086

EPSS Percentile 53.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-347

Status published

Products (1)

rockwellautomation/factorytalk_services_platform < 6.31.00

Published Jan 31, 2024

Tracked Since Feb 18, 2026