CVE-2024-12371 CRITICAL

CVE-2024-12371: Rockwell Automation PowerMonitor™ 1000 Remote Code Execution

Vendor: Rockwell Automation
Product: PM1k 1408-BC3A-485
Published: December 18, 2024
Last update: December 18, 2024

CVSS base score: 9.3/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High (VC:H in the vector below)
Integrity: High (VI:H in the vector below)

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

A device takeover vulnerability exists in the Rockwell Automation Power Monitor 1000. The vulnerability allows an unauthenticated attacker to configure a new Policyholder user via the device API. The Policyholder user is the most privileged account on the device: it can perform edit operations, create admin users and perform a factory reset.

Key dates

Disclosure timeline

December 18, 2024: CVE published
December 18, 2024: Record updated