CVE-2024-4609

CRITICAL

Rockwell Automation FactoryTalk View < 11.0 - SQL Injection via Datalog Function

Title source: llm

Description

A vulnerability exists in the Rockwell Automation FactoryTalk® View SE Datalog function that could allow a threat actor to inject a malicious SQL statement if the SQL database has no authentication in place or if legitimate database credentials have been stolen. If exploited, the attack could result in information exposure, revealing sensitive information. A threat actor could also potentially modify or delete the data held in the remote database. An attack would affect only the HMI design-time environment, not runtime.
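The description above names the class of bug (CWE-89) but not how it arises. The example below is added here; it is not FactoryTalk code and not Rockwell's fix. It assumes a constructed datalog table (ts, tag, value) and a constructed attacker-controlled tag name, and uses SQLite in place of the remote database. It contrasts a datalog insert built by string formatting, which lets a crafted tag name stack a DELETE behind the INSERT (the "modify and delete the data" outcome in the advisory), with the same insert using bound parameters, which stores the hostile tag name as inert text.

```python
import sqlite3

# Constructed schema standing in for a datalog store; not FactoryTalk's real schema.
SCHEMA = """
CREATE TABLE datalog (ts TEXT NOT NULL, tag TEXT NOT NULL, value REAL NOT NULL);
"""

# Constructed attacker-controlled tag name: closes the VALUES list, stacks a
# DELETE, and comments out the remainder of the original statement.
PAYLOAD_TAG = "Tank1_Level', 0); DELETE FROM datalog; --"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def log_sample_vulnerable(conn, ts, tag, value):
    """Builds the INSERT by string formatting (CWE-89). executescript() is used
    because, like many ODBC/OLE DB drivers, it runs stacked statements."""
    sql = (
        "INSERT INTO datalog (ts, tag, value) "
        f"VALUES ('{ts}', '{tag}', {float(value)});"
    )
    conn.executescript(sql)


def log_sample_fixed(conn, ts, tag, value):
    """Same insert with bound parameters: the tag text can never become SQL."""
    conn.execute(
        "INSERT INTO datalog (ts, tag, value) VALUES (?, ?, ?)",
        (ts, tag, float(value)),
    )
    conn.commit()


def datalog_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM datalog").fetchone()[0]


def stored_tags(conn):
    return [r[0] for r in conn.execute("SELECT tag FROM datalog ORDER BY rowid")]


def run_demo(logger):
    """Seed two legitimate samples, then log one with the malicious tag name
    through `logger`; return (row count, stored tag names)."""
    conn = fresh_db()
    log_sample_fixed(conn, "2024-05-16T10:00:00Z", "Tank1_Level", 41.7)
    log_sample_fixed(conn, "2024-05-16T10:00:01Z", "Pump1_Run", 1.0)
    logger(conn, "2024-05-16T10:00:02Z", PAYLOAD_TAG, 42.0)
    return datalog_rows(conn), stored_tags(conn)


if __name__ == "__main__":
    # Vulnerable path: the stacked DELETE wipes the whole datalog, (0, []).
    print("vulnerable:", run_demo(log_sample_vulnerable))
    # Fixed path: three rows, the hostile tag name stored verbatim.
    print("fixed:     ", run_demo(log_sample_fixed))
```

Two practitioner notes follow from the advisory text. First, the precondition "no authentication in place or credentials stolen" means the injection runs with whatever rights the datalog connection holds; a datalog account restricted to INSERT on its own tables turns the stacked DELETE above into a permission error. Second, the vector above only reaches the database through the HMI design-time component, so the fix on the application side is parameterization as in `log_sample_fixed`, not input filtering of tag names, which cannot be made complete against every driver's quoting rules.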

References (1)

Scores

CVSS v3.1 base score 9.8 (Critical)
EPSS 0.0008
EPSS Percentile 22.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-20 (Improper Input Validation), CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, "SQL Injection")
Status published
Products (1)
rockwellautomation/factorytalk_view < 11.0
Published May 16, 2024
Tracked Since Feb 18, 2026