Nine Critical Flaws in FactoryTalk Product Pose Serious Risk to Industrial Firms
Security News, April 2021
Industrial automation giant Rockwell Automation on Thursday informed customers that it has patched nine critical vulnerabilities in its FactoryTalk AssetCentre product.
The vulnerabilities were discovered by researchers at industrial cybersecurity firm Claroty and they were addressed by the vendor with the release of AssetCentre v11.
The product is used by many industrial organizations for backup and disaster recovery, which, Claroty points out, can be very useful in case of a targeted ransomware attack.
"FactoryTalk AssetCentre is a powerful, centralized tool where project files are stored for use on any Rockwell Automation platform. The AssetCentre architecture, from a high level, includes the main server, an MS-SQL server database, clients, and remote agents," Claroty said, noting that the product can be a "powerful target for attackers."
The nine critical vulnerabilities identified by Claroty researchers, all of which carry a CVSS score of 10, can be exploited by remote, unauthenticated attackers to execute arbitrary code, execute arbitrary commands, modify sensitive data in the application, or carry out SQL injection attacks.
"An attacker who is able to successfully exploit these vulnerabilities could do so without authentication and control the centralized FactoryTalk AssetCentre Server and Windows-based engineering stations communicating with the server," Claroty warned.