Rockwell Automation RSLogix 5000 7 through 20.01, and 21.0, does not properly implement password protection for .ACD files (aka project files), which allows local users to obtain sensitive information or modify data via unspecified vectors.
Fixes

Solution

According to Rockwell Automation, new RSLogix 5000 versions, V20.03 and V21.03, have been released that address this vulnerability. These releases include mitigations that enhance password protection. Project files created in earlier affected RSLogix 5000 versions of software must be opened, resaved, and then downloaded to the appropriate controller to mitigate the risk associated with this discovered vulnerability.

IMPORTANT: Files with protected content that have been opened and updated using enhanced software will no longer be compatible with earlier versions of RSLogix 5000 software. For example, a V20.01 project file with protected content that has been opened and resaved using V20.03 software can only be opened with V20.03 and higher versions of software. Also, a V21.00 project file with protected content that has been opened and resaved using V21.03 software can only be opened with V21.03 and higher versions of software.

For the procedure to update project files, please refer to Rockwell Automation Knowledgebase AID:565204, available here: https://rockwellautomation.custhelp.com/app/answers/detail/a_id/565204

In addition to using current RSLogix 5000 software, Rockwell Automation also recommends the following actions to all concerned customers:

* Where possible, adopt a practice to track creation and distribution of protected ACD files, including duplicates and derivatives that contain protected content, in the event that these files may need to be found or potentially disposed of in the future.
* Where possible, securely archive protected ACD files or those that contain protected content in a manner that prevents unauthorized access. For instance, store protected ACD files in physical and logical locations where access can be controlled and the files are stored in a protected, potentially encrypted manner.
* Where possible, securely transmit protected ACD files or those that contain protected content in a manner that prevents unauthorized access. For instance, email protected ACD files only to known recipients and encrypt the files such that only the target recipient can decrypt the content.
* Where possible, restrict physical and network access to controllers containing protected content only to authorized parties in order to help prevent unauthorized uploading of protected material into an ACD file. For some customers, FactoryTalk Security software may be a suitable option to assist with applying a Role-based Access Control (RBAC) solution to their system. FactoryTalk Security was integrated into RSLogix 5000 Version 10.00.
* Where possible, use a unique and complex password for each routine or Add-On Instruction to be protected, so as to reduce the risk that multiple files and protected content could be compromised should a single password be learned.
* Where possible, adopt a password management practice to periodically change passwords applied to routines and Add-On Instructions to help mitigate the risk that a learned password may remain usable for an extended period of time or indefinitely.

Rockwell Automation encourages their customers to subscribe to Rockwell Automation’s Security Advisory Index (Rockwell Automation Knowledgebase AID:54102, https://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 , Web site last accessed February 04, 2014) for new and relevant information relating to this and other security-related matters.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions Web site at http://www.rockwellautomation.com/solutions/security .


Workaround

No workaround given by the vendor.

History

Fri, 19 Sep 2025 19:00:00 +0000

Type Values Removed Values Added
Title Rockwell RSLogix 5000 Insufficiently Protected Credentials
Weaknesses CWE-522
References
Metrics cvssV2_0

{'score': 6.9, 'vector': 'AV:L/AC:M/Au:N/C:C/I:C/A:C'}

cvssV2_0

{'score': 6.3, 'vector': 'AV:L/AC:M/Au:N/C:C/I:C/A:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2025-09-19T18:46:05.180Z

Reserved: 2014-01-02T00:00:00

Link: CVE-2014-0755

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2014-02-05T05:15:29.930

Modified: 2025-09-19T19:15:35.777

Link: CVE-2014-0755

Redhat

No data.

OpenCVE Enrichment

No data.