CVE-2020-5802 in FactoryTalk Linx
Summary
by MITRE • 12/30/2020
An attacker-controlled memory allocation size can be passed to the C++ new operator in RnaDaSvr.dll by sending a specially crafted ConfigureItems message to TCP port 4241. This will cause an unhandled exception, resulting in termination of RSLinxNG.exe. Observed in FactoryTalk 6.11. All versions of FactoryTalk Linx are affected.
Analysis
by VulDB Data Team • 05/16/2026
The vulnerability described represents a critical memory corruption issue within the RnaDaSvr.dll component of FactoryTalk Linx software, specifically affecting version 6.11 and all prior releases. This flaw manifests as an improper input validation mechanism that allows remote attackers to manipulate the memory allocation process through a specially crafted ConfigureItems message transmitted over TCP port 4241. The underlying technical mechanism involves the C++ new operator receiving an attacker-controlled memory size parameter, which directly violates secure coding practices and creates an exploitable condition. This vulnerability aligns with CWE-122, which describes improper restriction of operations within a memory buffer, and represents a classic example of a buffer overflow condition that can be triggered through heap-based memory manipulation.
The operational impact of this vulnerability extends beyond simple application termination, as it creates a denial of service condition that can be exploited remotely without authentication requirements. When an attacker sends the malicious ConfigureItems message, the system fails to properly validate the memory allocation size parameter, leading to an unhandled exception that terminates the RSLinxNG.exe process. This termination effectively disrupts industrial automation and control system operations, as RSLinxNG serves as a critical communication bridge between human machine interfaces and industrial devices. The vulnerability's remote exploitability through TCP port 4241 makes it particularly dangerous in industrial environments where such systems are often exposed to untrusted networks and where operational continuity is paramount.
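The allocation pattern the summary describes, beside a hardened form of the same handler, as an added C++ illustration; this is not code from the advisory, from VulDB or from Rockwell Automation, and the message layout (a 4-byte item count followed by fixed 8-byte records), the Item record, the kMaxItems limit and every function name are assumptions, since the real ConfigureItems format is not described on this page.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>
#include <string>
#include <vector>

// Hypothetical record layout for a ConfigureItems-style message: a 4-byte
// little-endian item count, then `count` fixed 8-byte records. The real
// FactoryTalk Linx wire format is not described in the advisory; this is assumed.
struct Item {
    uint32_t id;
    uint32_t flags;
};
static const size_t kHeaderSize = 4;
static const size_t kItemSize = 8;
static const uint32_t kMaxItems = 1024;  // assumed per-message policy limit

static uint32_t read_u32_le(const uint8_t* p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void push_u32_le(std::vector<uint8_t>& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back((uint8_t)(v >> (8 * i)));
}

// Builds a constructed message. `count` is written verbatim so a header that
// disagrees with the payload can be produced for the negative cases.
std::vector<uint8_t> build_message(uint32_t count, const std::vector<Item>& items) {
    std::vector<uint8_t> m;
    push_u32_le(m, count);
    for (size_t i = 0; i < items.size(); ++i) {
        push_u32_le(m, items[i].id);
        push_u32_le(m, items[i].flags);
    }
    return m;
}

// Vulnerable pattern: the count comes straight off the wire and is used as the
// new[] size. A count that cannot be satisfied makes new[] throw; with no
// handler on the call path the process terminates (the advisory's DoS).
size_t configure_items_unchecked(const uint8_t* msg, size_t len) {
    if (len < kHeaderSize) return 0;
    uint32_t count = read_u32_le(msg);
    Item* items = new Item[count];  // attacker-controlled allocation size
    size_t parsed = 0;
    for (uint32_t i = 0; i < count; ++i) {
        size_t off = kHeaderSize + (size_t)i * kItemSize;
        if (off + kItemSize > len) break;  // only the payload walk is bounded
        items[i].id = read_u32_le(msg + off);
        items[i].flags = read_u32_le(msg + off + 4);
        ++parsed;
    }
    delete[] items;
    return parsed;
}

// Hardened pattern: bound the count by policy and by the bytes actually present
// before allocating, and turn an allocation failure into a rejected message.
bool configure_items_checked(const uint8_t* msg, size_t len,
                             std::vector<Item>& out, std::string& err) {
    out.clear();
    if (len < kHeaderSize) { err = "short message"; return false; }
    uint32_t count = read_u32_le(msg);
    if (count > kMaxItems) { err = "item count exceeds policy limit"; return false; }
    if ((size_t)count * kItemSize > len - kHeaderSize) { err = "item count exceeds payload length"; return false; }
    try { out.reserve(count); }
    catch (const std::bad_alloc&) { err = "allocation failed"; return false; }
    for (uint32_t i = 0; i < count; ++i) {
        const uint8_t* rec = msg + kHeaderSize + (size_t)i * kItemSize;
        Item it = { read_u32_le(rec), read_u32_le(rec + 4) };
        out.push_back(it);
    }
    return true;
}

// Scenarios. The unchecked handler only ever receives a well-formed message here.
static const std::vector<Item> kSample = { {1, 0x10}, {2, 0x20} };  // constructed

size_t valid_message_item_count() {  // both handlers agree on a sane message
    std::vector<uint8_t> m = build_message(2, kSample);
    std::vector<Item> out; std::string err;
    if (!configure_items_checked(m.data(), m.size(), out, err)) return 0;
    if (configure_items_unchecked(m.data(), m.size()) != out.size()) return 0;
    return out.size();
}
bool huge_count_rejected() {  // header claims 0xFFFFFFFF items, empty payload
    std::vector<uint8_t> m = build_message(0xFFFFFFFFu, std::vector<Item>());
    std::vector<Item> out; std::string err;
    return !configure_items_checked(m.data(), m.size(), out, err) &&
           err == "item count exceeds policy limit" && out.empty();
}
bool overlong_count_rejected() {  // count within policy but payload too short
    std::vector<uint8_t> m = build_message(3, kSample);
    std::vector<Item> out; std::string err;
    return !configure_items_checked(m.data(), m.size(), out, err) &&
           err == "item count exceeds payload length";
}
```

Both size checks in the hardened handler run before any allocation, so a header that lies about its item count is dropped at the cost of a few comparisons rather than a failed multi-gigabyte request. The bad_alloc handler is the second line of defence: a legitimate message that arrives under memory pressure produces a per-message error for that connection while the service keeps running, instead of the unhandled exception that terminates the whole process.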
The exploitation of this vulnerability follows patterns consistent with ATT&CK technique T1203, which describes exploitation of remote services for privilege escalation or denial of service. The attack surface is particularly concerning given that FactoryTalk Linx is widely deployed in industrial control systems and manufacturing environments where network segmentation may be inadequate. Organizations running affected versions of FactoryTalk Linx are vulnerable to attacks that can cause production line disruptions, operational downtime, and potential safety risks in industrial settings. The lack of authentication requirements for the exploit means that any network-connected system running the vulnerable software is at risk, making this a significant concern for industrial cybersecurity professionals. The vulnerability demonstrates a fundamental flaw in input validation and memory management practices within industrial automation software, highlighting the need for robust security controls in operational technology environments.
Mitigation strategies should focus on immediate patch deployment from Rockwell Automation, network segmentation to isolate affected systems, and implementation of firewall rules to block access to TCP port 4241 from untrusted networks. Additionally, organizations should consider implementing intrusion detection systems to monitor for suspicious ConfigureItems message patterns and establish incident response procedures for handling potential exploitation attempts. The vulnerability underscores the importance of regular security assessments for industrial control systems and the necessity of maintaining up-to-date security patches in operational technology environments where system availability and safety are critical concerns.