CVE-2014-2350 in DeltaV
Summary
by MITRE
Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.
Analysis
by VulDB Data Team • 11/01/2025
The vulnerability identified as CVE-2014-2350 affects Emerson DeltaV industrial control system versions 10.3.1, 11.3, 11.3.1, and 12.3 and represents a critical security flaw that undermines the integrity of access controls within industrial automation environments. The flaw resides in the diagnostic services component of the DeltaV system, which is widely deployed in process control and automation applications across industrial sectors including oil and gas, chemical processing, and manufacturing. It stems from hardcoded credentials embedded in the software itself, creating a security weakness that survives system updates and reboots and cannot be corrected through normal credential management.
Technically, the vulnerability consists of authentication credentials that are statically compiled into the diagnostic services functionality of the DeltaV software. Because these credentials are fixed in the product rather than set by the operator, they remain unchanged regardless of system configuration or security policy updates, and anyone who knows them can open a diagnostic session over a standard TCP connection. The MITRE description notes that an ordinary network utility such as telnet is sufficient to establish such a session, bypassing the access controls that should restrict diagnostic access to authorized personnel. The weakness lies in the diagnostic service ports that are typically exposed for system maintenance and troubleshooting; the hardcoded credentials make those ports accessible to any remote party with network reachability to them.
The operational impact extends beyond simple unauthorized access, because the flaw amounts to a persistent backdoor that can be leveraged for further attacks within industrial control networks. Industrial control systems are increasingly interconnected, and a compromised diagnostic service can serve as an entry point for broader network infiltration. The remote nature of the attack means that adversaries need neither physical access to the facility nor legitimate local network credentials, which significantly expands the attack surface. The vulnerability directly violates the principle of least privilege and reveals a fundamental flaw in the security architecture of the affected systems, potentially enabling attackers to execute malicious code, modify process parameters, or disrupt critical industrial operations.
Organizations affected by this vulnerability should implement immediate mitigations: network segmentation to isolate industrial control systems from general enterprise networks, disabling diagnostic services when they are not actively required, and network access controls that restrict TCP access to the diagnostic ports to designated maintenance hosts. Dedicated industrial firewalls and network monitoring can help detect unauthorized diagnostic session attempts. Affected systems should also be updated to patched versions of the DeltaV software that eliminate the hardcoded credentials and implement proper authentication mechanisms. The vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and is a significant concern from an industrial cybersecurity perspective, since it grants access to critical control systems through a well-known and easily reproduced attack vector. In ATT&CK terms it corresponds to a credential access technique: hardcoded credentials are used to bypass authentication and maintain persistence within industrial environments. Organizations should additionally conduct comprehensive security assessments of their industrial control systems to identify similar hardcoded credential weaknesses across their operational technology infrastructure.
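The detection side of the mitigations above, as an added example that is not VulDB's or Emerson's code: it scans constructed flow records for TCP sessions to a DeltaV diagnostic port that originate outside the permitted engineering subnet. The DeltaV subnet (10.10.1.0/24), the engineering subnet (10.10.5.0/24) and the diagnostic port (23, since the advisory only demonstrates a telnet session) are assumptions; the real port must come from vendor documentation.

```python
import ipaddress
from typing import NamedTuple

# Assumed values (not from the advisory): DeltaV hosts, the subnet that is
# allowed to open diagnostic sessions, and the diagnostic service port(s).
DELTAV_NET = ipaddress.ip_network("10.10.1.0/24")
ENGINEERING_NET = ipaddress.ip_network("10.10.5.0/24")
DIAG_PORTS = {23}

class Conn(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    state: str

def parse_line(line: str) -> Conn:
    """Parse one constructed flow record: ts src_ip dst_ip dst_port proto state."""
    ts, src, dst, dport, proto, state = line.split()
    return Conn(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower(), state)

def is_unauthorized_diag_session(c: Conn) -> bool:
    """True for a TCP session to a DeltaV diagnostic port from a non-engineering source."""
    return (c.proto == "tcp" and c.dport in DIAG_PORTS
            and c.dst in DELTAV_NET and c.src not in ENGINEERING_NET)

def find_alerts(lines):
    """Return one alert string per flagged record; comments and blank lines are skipped."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        c = parse_line(line)
        if is_unauthorized_diag_session(c):
            alerts.append(f"{c.ts} diagnostic session {c.src}->{c.dst}:{c.dport} ({c.state})")
    return alerts

# Constructed sample records, not real traffic. SF = completed session, S0 = no reply.
SAMPLE_LOG = """\
# ts src_ip dst_ip dst_port proto state
2025-01-11T08:00:01 10.10.5.20 10.10.1.10 23 tcp SF
2025-01-11T08:02:13 192.168.44.7 10.10.1.10 23 tcp SF
2025-01-11T08:02:40 192.168.44.7 10.10.1.11 23 tcp S0
2025-01-11T08:03:05 10.10.5.21 10.10.1.10 443 tcp SF
2025-01-11T08:04:00 172.16.9.3 10.10.1.10 23 udp S0
"""

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only the two sessions from 192.168.44.7 are reported; the engineering-subnet session, the non-diagnostic port and the UDP record are ignored.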