CVE-2024-21917 in FactoryTalk Service Platforminfo

Summary

by MITRE • 01/31/2024

A vulnerability exists in Rockwell Automation FactoryTalk® Service Platform that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory.  If exploited, a malicious user could potentially retrieve user information and modify settings without any authentication.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 01/15/2026

The vulnerability identified as CVE-2024-21917 affects Rockwell Automation FactoryTalk® Service Platform, a critical component in industrial automation environments that facilitates communication and service management across manufacturing systems. This weakness represents a significant security flaw that undermines the authentication mechanisms designed to protect industrial control systems from unauthorized access. The vulnerability specifically targets the service token authentication process within the FactoryTalk Service Platform, where proper cryptographic validation is missing between service tokens and directory services.

The technical root cause of this vulnerability stems from the absence of digital signing mechanisms that should validate the integrity and authenticity of service tokens before they are accepted by directory services. According to CWE-347, this represents a failure to maintain proper cryptographic signatures, which creates an authentication bypass opportunity for malicious actors. The flaw allows an attacker to extract a valid service token from one FTSP directory and subsequently use it to authenticate against another FTSP directory without proper authorization. This lack of token binding and validation creates a pathway for credential reuse attacks that would normally be prevented by proper cryptographic assurances.

The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables attackers to potentially retrieve sensitive user information and modify critical system settings without any authentication requirements. This represents a severe compromise of industrial control system security where an attacker could manipulate manufacturing processes, access confidential operational data, or disrupt production workflows. The vulnerability affects the fundamental security model of the FactoryTalk Service Platform, potentially allowing attackers to escalate privileges and gain persistent access to industrial networks. According to ATT&CK framework domain T1566, this vulnerability enables initial access through credential manipulation, while T1078 covers legitimate credential use for persistence and privilege escalation.

Mitigation strategies should focus on implementing proper digital signature validation between service tokens and directory services, ensuring that tokens cannot be transferred between directories without proper re-authentication. Organizations should deploy network segmentation to isolate FactoryTalk Service Platform components, implement monitoring for unusual authentication patterns, and establish regular security assessments of industrial control system components. Additionally, applying vendor-provided patches and updates, implementing strong access controls, and maintaining detailed audit logs of authentication events will help reduce the risk exposure. The vulnerability highlights the importance of cryptographic validation in industrial security systems and underscores the need for proper authentication binding mechanisms as recommended by NIST SP 800-53 security controls.

Reservation

01/03/2024

Disclosure

01/31/2024

Moderation

accepted

CPE

ready

EPSS

0.00858

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!