CVE-2020-6990

moderate-risk
Published 2020-03-16

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic key utilized to help protect the account password is hard coded into the RSLogix 500 binary file. An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controller.

Do I need to act?

-
0.15% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (4)

Micrologix 1400 A Firmware
Micrologix 1100 Firmware
Rslogix 500

Affected Vendors

Rockwellautomation

References (2)

Third Party Advisory https://www.us-cert.gov/ics/advisories/icsa-20-070-06
Third Party Advisory https://www.us-cert.gov/ics/advisories/icsa-20-070-06
43
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 1/34 · Minimal
Exposure 10/34 · Low