CVE-2021-27470

CRITICAL10.0Insecure deserialization

Description

A deserialization vulnerability exists in how the LogService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

High

Affected products

Rockwell Automation / FactoryTalk® AssetCentreunspecified – v10.00

References

VENDOR_ADVISORYhttps://www.cisa.gov/uscert/ics/advisories/icsa-21-091-01
MISChttps://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3Danswers%2Fanswer_view%2Fa_id%2F1130831