
New research from Claroty’s Team82 uncovered critical security vulnerabilities in the Allen-Bradley (Rockwell Automation) PowerMonitor 1000, revealing an exposed attack surface in this widely deployed industrial device. The team conducted a detailed analysis of the device’s internal architecture and firmware to better understand its operational behavior and underlying components. Team82 detected three severe vulnerabilities that could allow an attacker to gain control of the device, cause it to crash, or, in certain cases, execute arbitrary code remotely. Each of these vulnerabilities was assigned a CVSS v3 score of 9.8 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), reflecting their high potential impact.
Rockwell Automation has released patches addressing all three issues and recommends that customers update affected devices to firmware revision 4.020 to mitigate the risks.
Used to measure voltage and current to calculate energy and power consumption, the PowerMonitor 1000 runs on a real-time operating system (RTOS), making vulnerability research more complex compared to Linux-based systems. Unlike Linux (or any other general-purpose OS), RTOS-based firmware is often a single binary blob that includes the operating system, file system components, networking stack, and the power and energy calculation application.
Fortunately, the firmware is not encrypted, allowing the research team to immediately begin analyzing the system without the need for decryption or unpacking. At this stage, the primary focus is on identifying the RTOS used by the device, understanding how the networking stack is implemented, and locating where the core functionality of the PowerMonitor is executed. Gaining clarity on these elements is essential to navigate the firmware’s codebase, particularly the sections responsible for handling network communication and processing user-supplied input.
“The device runs NET+WORKS (based on NET+OS) Version 6.0, an RTOS developed by Digi, built on top of the ThreadX kernel and integrated with the Green Hills framework,” Vera Mens, a Claroty researcher, wrote in a company blog post. “The Treck TCP/IP stack handles networking along with network services like FTP and Web applications.”
In the case of CVE-2024-12371, an authentication bypass vulnerability that could lead to full device takeover, Mens observed that the PowerMonitor 1000 employs four distinct user roles within its authentication system: PolicyHolder, Admin, User, and Application. “When the web interface is used for the first time, a special ‘firstrunWeb’ page is displayed. Using this page, the user must configure a PolicyHolder user before proceeding. After the PolicyHolder configuration, the web interface is switched to ‘normalWeb’ mode. Any request to the server at ‘normalWeb’ mode that performs READ/WRITE operation from/to Data Table is authenticated,” she added.
She noted that the key point is that, whether or not the request is a ‘first login’, the same callback handles it in both cases.
The authentication bypass vulnerability in this case is relatively straightforward to identify. The same code is executed during the initial setup phase and the normal web-based workflow. However, there is no validation step before calling ‘cgi_first_time’ that verifies whether the request is genuinely part of the first-time setup process. This lack of verification opens the door for unauthorized access.
“This means an unauthenticated attacker can bypass authentication by sending an HTTP request,” Mens added. “Since there’s no check enforcing that this function only runs during the initial setup, cgi_first_time will be executed, creating a PolicyHolder account (overwriting any existing configuration) with the password specified in the request arguments.”
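The missing check described above, modelled in C as an added example (not Claroty's or Rockwell's code): the web interface keeps a firstrunWeb/normalWeb state, and the first-time setup callback is only reachable while that state is still firstrunWeb. The endpoint name "/firsttime", the request structure and the Data Table stand-in are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Web-interface modes from the article: firstrunWeb until a PolicyHolder
 * has been configured, normalWeb afterwards. */
enum web_mode { FIRSTRUN_WEB, NORMAL_WEB };

struct device_state {
    enum web_mode mode;
    char policyholder_pw[64];  /* constructed stand-in for the Data Table entry */
    bool policyholder_set;
};

struct http_request {
    const char *path;          /* "/firsttime" is a hypothetical endpoint name */
    const char *password_arg;  /* password carried in the request arguments */
    bool authenticated;        /* outcome of the normalWeb credential check */
};

/* Models the effect of the first-time setup callback: create the
 * PolicyHolder account and switch the interface to normalWeb. */
static void cgi_first_time(struct device_state *dev, const char *password) {
    snprintf(dev->policyholder_pw, sizeof dev->policyholder_pw, "%s", password);
    dev->policyholder_set = true;
    dev->mode = NORMAL_WEB;
}

/* Returns an HTTP-style status code. The mode check in front of
 * cgi_first_time is the validation the article says was absent. */
int handle_request(struct device_state *dev, const struct http_request *req) {
    if (strcmp(req->path, "/firsttime") == 0) {
        if (dev->mode != FIRSTRUN_WEB)
            return 403;        /* setup already completed: refuse to repeat it */
        if (req->password_arg == NULL || req->password_arg[0] == '\0')
            return 400;
        cgi_first_time(dev, req->password_arg);
        return 200;
    }
    if (!req->authenticated)   /* all other normalWeb reads/writes need auth */
        return 401;
    return 200;
}
```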
After reviewing the authentication logic, the next step is to hunt for memory corruption vulnerabilities, ideally in code that executes before or during authorization, potentially enabling exploitation without authentication. “As with many RTOS-based embedded systems, memory layout is not randomized, making memory corruption vulnerabilities significantly more dangerous. A well-crafted exploit could lead to denial of service, information disclosure, or even full device takeover.”
In the case of CVE-2024-12373, a data memory region buffer overflow vulnerability, the issue originates in the HTTP request endpoint parsing process, which is executed before any authorization checks take place. This sequence allows the vulnerability to be exploited without the need for authentication.
For CVE-2024-12372, a heap memory buffer overflow vulnerability, the absence of proper input validation leads directly to a classic heap buffer overflow condition. “To exploit this vulnerability, an attacker will issue an HTTP request with an Authorization header that will include a URI larger than 256 bytes. When the server treats the Authorization header, the heap memory will be overridden with values provided by the attacker,” Mens added.
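The input validation that the heap overflow lacked, as an added C example (not the device's firmware code): the URI carried in the Authorization header is length-checked against the 256-byte buffer before anything is copied into the heap. The Digest-style `uri="..."` directive, the header layout and the sample values are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define URI_MAX 256   /* the 256-byte limit the article cites */

/* Extracts the uri="..." directive of a Digest-style Authorization header
 * (assumed format) into a fresh URI_MAX-byte heap buffer.
 * Returns NULL, without allocating, when the value would not fit; an
 * unchecked copy at this point is what overwrites adjacent heap memory. */
char *parse_auth_uri(const char *header) {
    const char *start = strstr(header, "uri=\"");
    if (start == NULL)
        return NULL;
    start += strlen("uri=\"");
    const char *end = strchr(start, '"');
    if (end == NULL)
        return NULL;
    size_t len = (size_t)(end - start);
    if (len >= URI_MAX)       /* length is validated before any copy */
        return NULL;
    char *uri = malloc(URI_MAX);
    if (uri == NULL)
        return NULL;
    memcpy(uri, start, len);
    uri[len] = '\0';
    return uri;
}

/* Constructs a sample header whose uri value is uri_len 'a' characters,
 * so both the accepted and the rejected case can be exercised offline. */
char *make_auth_header(size_t uri_len) {
    const char *prefix = "Digest username=\"admin\", realm=\"sample\", uri=\"";
    const char *suffix = "\", response=\"00\"";
    size_t total = strlen(prefix) + uri_len + strlen(suffix) + 1;
    char *hdr = malloc(total);
    if (hdr == NULL)
        return NULL;
    memcpy(hdr, prefix, strlen(prefix));
    memset(hdr + strlen(prefix), 'a', uri_len);
    memcpy(hdr + strlen(prefix) + uri_len, suffix, strlen(suffix) + 1);
    return hdr;
}
```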
Clearly, the three vulnerabilities uncovered by Team82 in Rockwell Automation’s PowerMonitor 1000 can put factories and other organizations at risk if exploited. An attacker could take over or crash these devices, which are important in the overall function of an industrial company. Power monitors are used to monitor power consumption, and the data produced by these devices is important for optimization and analysis.
“Our research into PowerMonitor 1000 included an analysis of the device’s firmware and the real-time operating system and web interface underneath the covers,” Mens disclosed. “We found authentication bypass and memory corruption vulnerabilities that could allow an attacker to remotely execute code in some situations, crash the device, and take over its operation.”
She added that Team82 privately disclosed these vulnerabilities to Rockwell Automation and CISA. “Rockwell Automation published firmware updates late last year that address these vulnerabilities and urges users to upgrade to firmware revision 4.020.”
Noting that this research serves as a reminder that even seemingly innocuous devices like power monitors can become targets for malicious actors, Mens concluded that as industries increasingly rely on interconnected technologies, securing these devices is paramount. Organizations must prioritize security assessments, regular firmware updates, and strong authentication mechanisms to mitigate potential risks.
Last December, CISA announced that the Rockwell Automation PowerMonitor 1000 Remote was affected by multiple vulnerabilities, including an unprotected alternate channel, a heap-based buffer overflow, and a classic buffer overflow. If exploited, these vulnerabilities could allow an attacker to perform unauthorized edit operations, create administrative user accounts, execute a factory reset, run arbitrary code, or trigger a denial-of-service condition.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.