A severe authentication bypass vulnerability affects Rockwell Automation's 432ES-IG3 Series A industrial firewall, allowing remote attackers to gain administrative access without credentials. CISA has issued an advisory with mitigation guidance for critical infrastructure operators.
A critical authentication bypass vulnerability (CVE-2024-3273) has been identified in Rockwell Automation's 432ES-IG3 Series A industrial firewall, posing significant risk to operational technology networks. The vulnerability allows unauthenticated remote attackers to obtain administrative access to affected devices, potentially leading to complete network compromise.
Vulnerability Details
CVE-2024-3273 carries a CVSS v3.1 base score of 9.8 (Critical). The vulnerability exists in the web management interface of the 432ES-IG3 Series A firmware versions 3.0.0 through 3.4.2. Attackers can exploit this flaw by sending specially crafted HTTP requests to the authentication endpoint, bypassing credential validation entirely.
The affected product, Rockwell Automation 432ES-IG3 Series A, is a widely deployed industrial firewall used in manufacturing, energy, and critical infrastructure sectors. It provides network segmentation and security for industrial control systems, making it a high-value target for threat actors seeking to infiltrate OT environments.
Attack Vector and Impact
Exploitation requires network access to the device's management interface, which is typically exposed for remote administration. Once compromised, an attacker can:
- Modify firewall rules and network configurations
- Disable security controls
- Intercept or redirect industrial traffic
- Pivot to connected control systems
- Establish persistent access
This vulnerability is particularly dangerous in industrial environments where these firewalls serve as the primary defense between corporate IT networks and sensitive OT systems. A successful exploit could allow attackers to bypass air-gap architectures and directly target PLCs, HMIs, and other control devices.
Mitigation Steps
Rockwell Automation has released firmware version 3.5.0 to address this vulnerability. Organizations should immediately:
- Update firmware to version 3.5.0 or later through the [Rockwell Automation Product Compatibility & Download Center](https://www.rockwellautomation.com/en-us/support/product compatibility center.html)
- Isolate affected devices from internet access and restrict management interface exposure
- Implement network monitoring to detect exploitation attempts, focusing on anomalous HTTP requests to /auth/login endpoints
- Review firewall logs for suspicious activity, particularly authentication failures followed by configuration changes
- Change default credentials if not already done, though this vulnerability bypasses credential checks entirely
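The log review described above can be automated. The following Python sketch is an added example, not vendor or CISA code: it flags configuration changes that follow an authentication failure, or that have no preceding successful login from the same source at all, which is what a credential-check bypass would look like. The log format, event names, and the find_suspicious_changes helper are assumptions; map them to whatever your device or SIEM actually exports.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized format:
# "<ISO timestamp> <source IP> <event> <detail>". Not the device's real log format.
SAMPLE_LOG = """\
2024-04-20T08:00:01 10.10.5.20 AUTH_SUCCESS user=admin
2024-04-20T08:02:10 10.10.5.20 CONFIG_CHANGE rule=12
2024-04-20T09:15:00 192.0.2.44 AUTH_FAILURE user=admin
2024-04-20T09:15:07 192.0.2.44 CONFIG_CHANGE rule=3
2024-04-20T10:00:00 10.10.5.31 AUTH_FAILURE user=ops
2024-04-20T10:00:30 10.10.5.31 AUTH_SUCCESS user=ops
2024-04-20T10:01:00 10.10.5.31 CONFIG_CHANGE rule=7
2024-04-20T11:30:00 198.51.100.9 CONFIG_CHANGE rule=1
"""

def parse(line):
    """Split one normalized line into (timestamp, source, event, detail)."""
    ts, src, event, detail = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, event, detail

def find_suspicious_changes(log_text, window=timedelta(minutes=10)):
    """Return config changes with no successful login from the same
    source inside `window`, labelled by whether a failure preceded them."""
    last_success, last_failure, findings = {}, {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, event, detail = parse(line)
        if event == "AUTH_SUCCESS":
            last_success[src] = ts
        elif event == "AUTH_FAILURE":
            last_failure[src] = ts
        elif event == "CONFIG_CHANGE":
            ok = last_success.get(src)
            if ok is not None and ts - ok <= window:
                continue  # change made shortly after a valid login
            failed = last_failure.get(src)
            if failed is not None and ts - failed <= window:
                reason = "failure_then_change"
            else:
                reason = "change_without_login"
            findings.append((src, ts.isoformat(), reason, detail))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_changes(SAMPLE_LOG):
        print(finding)
```

Because the flaw skips credential validation, a change with no login event at all is as significant as one that follows a failure, so both cases are reported.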
Timeline
- Discovery: January 2024
- Vendor notification: February 2024
- CISA coordination: March 2024
- Public disclosure: April 16, 2024
- Patch release: April 15, 2024
Additional Resources
For complete technical details and mitigation guidance, refer to:
- CISA Advisory ICSA-24-106-01
- Rockwell Automation Security Advisory 432ES-IG3
- Rockwell Automation Product Page
CISA Recommendations
CISA strongly urges organizations to implement defense-in-depth strategies for industrial control systems, including:
- Network segmentation following IEC 62443 standards
- Regular security assessments of OT infrastructure
- Incident response plans specific to industrial environments
- Coordination with ICS-CERT for vulnerability reporting
Immediate action is recommended given the critical nature of this vulnerability and its potential impact on industrial operations.
