CVE-2023-2637

Name of the Vulnerable Software and Affected Versions FactoryTalk System Services (affected versions not specified) FactoryTalk Policy Manager (affected versions not specified)

Description The issue is related to the use of a hard-coded cryptographic key in Rockwell Automation's FactoryTalk System Services to generate administrator cookies. This may lead to privilege escalation, allowing a local, authenticated non-admin user to generate an invalid administrator cookie and gain administrative privileges to the FactoryTalk Policy Manager database. The threat actor could make malicious changes to the database, which would be deployed when a legitimate user deploys a security policy model. User interaction is required for successful exploitation.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.