Rockwell Automation FactoryTalk AssetCentre Deserialization of Untrusted Data
CVE-2021-27460

10CRITICAL

Key Information:

Vendor: Rockwell Automation
Status: Factorytalk Assetcentre
Vendor: CVE Published:; 23 March 2022

Summary

Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier components contain .NET remoting endpoints that deserialize untrusted data without sufficiently verifying that the resulting data will be valid. This vulnerability may allow a remote, unauthenticated attacker to gain full access to the FactoryTalk AssetCentre main server and all agent machines.

Affected Version(s)

FactoryTalk AssetCentre <= unspecified

References

https://www.cisa.gov/uscert/ics/advisories/icsa-21-091-01

x_refsource_CONFIRM

https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsi...

x_refsource_CONFIRM

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Mar 23, 2022
Vulnerability Reserved
Feb 19, 2021