CVE-2020-24681 - Vulnerability Details - OpenCVE

Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation.This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00077.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Br-automation	Automation Studio
Microsoft	Windows

Configuration 1 [-]

AND

OR	cpe:2.3:a:br-automation:automation_studio::::::::
	cpe:2.3:a:br-automation:automation_studio::::::::
	cpe:2.3:a:br-automation:automation_studio::::::::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2020-17395	Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation.This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.

Fixes

Solution

No solution given by the vendor.

Workaround

B&R has identified the following specific workarounds and mitigations. Users of B&R Automation Studio and PVI may manually reconfigure permission settings on these services to allow modification only for privileged users. Additionally, it is recommended to limit access to the workstation running B&R Automation Studio and PVI to authorized users.

References

Link	Providers
https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf

History

Fri, 09 May 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: ABB

Published: 2024-02-02T06:58:24.173Z

Updated: 2025-05-09T17:52:17.145Z

Reserved: 2020-08-26T00:00:00.000Z

Link: CVE-2020-24681

Vulnrichment

Updated: 2024-08-04T15:19:09.083Z

NVD

Status : Modified

Published: 2024-02-02T07:15:07.333

Modified: 2024-11-21T05:15:44.440

Link: CVE-2020-24681

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2020-24681", "assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "state": "PUBLISHED", "assignerShortName": "ABB", "dateReserved": "2020-08-26T00:00:00.000Z", "datePublished": "2024-02-02T06:58:24.173Z", "dateUpdated": "2025-05-09T17:52:17.145Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Automation Studio", "vendor": "B&R Industrial Automation", "versions": [{"lessThanOrEqual": "4.6.x", "status": "affected", "version": "4.6.0", "versionType": "custom"}, {"lessThan": "4.7.7 SP", "status": "affected", "version": "4.7.0", "versionType": "custom"}, {"lessThan": "4.8.6 SP", "status": "affected", "version": "4.8.0", "versionType": "custom"}, {"lessThan": "4.9.4 SP", "status": "affected", "version": "4.9.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "NET/PVI", "vendor": "B&R Industrial Automation", "versions": [{"lessThanOrEqual": "4.6.x", "status": "affected", "version": "4.6.0", "versionType": "custom"}, {"lessThan": "4.7.7", "status": "affected", "version": "4.7.0", "versionType": "custom"}, {"lessThan": "4.8.6", "status": "affected", "version": "4.8.0", "versionType": "custom"}, {"lessThan": "4.9.4", "status": "affected", "version": "4.9.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "B&R would like to thank the following for working with us to help protect our customers: Mr. Andrew Hofmans"}], "datePublic": "2021-11-29T18:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation.<p>This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.</p>"}], "value": "Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation.This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.\n\n"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "shortName": "ABB", "dateUpdated": "2024-02-02T06:58:24.173Z"}, "references": [{"url": "https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf"}], "source": {"discovery": "UNKNOWN"}, "title": "Automation Studio and PVI Multiple incorrect permission assignments for services", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nB&R has identified the following specific workarounds and mitigations.\nUsers of B&R Automation Studio and PVI may manually reconfigure permission settings on these \nservices to allow modification only for privileged users.\nAdditionally, it is recommended to limit access to the workstation running B&R Automation Studio and PVI \nto authorized users.\n\n\n<br>"}], "value": "\nB&R has identified the following specific workarounds and mitigations.\nUsers of B&R Automation Studio and PVI may manually reconfigure permission settings on these \nservices to allow modification only for privileged users.\nAdditionally, it is recommended to limit access to the workstation running B&R Automation Studio and PVI \nto authorized users.\n\n\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:19:09.083Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-02T17:22:16.797450Z", "id": "CVE-2020-24681", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T17:52:17.145Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:19:09.083Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-24681", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-02-02T17:22:16.797450Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T17:52:08.125Z"}}], "cna": {"title": "Automation Studio and PVI Multiple incorrect permission assignments for services", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "B&R would like to thank the following for working with us to help protect our customers: Mr. Andrew Hofmans"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "B&R Industrial Automation", "product": "Automation Studio", "versions": [{"status": "affected", "version": "4.6.0", "versionType": "custom", "lessThanOrEqual": "4.6.x"}, {"status": "affected", "version": "4.7.0", "lessThan": "4.7.7 SP", "versionType": "custom"}, {"status": "affected", "version": "4.8.0", "lessThan": "4.8.6 SP", "versionType": "custom"}, {"status": "affected", "version": "4.9.0", "lessThan": "4.9.4 SP", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "B&R Industrial Automation", "product": "NET/PVI", "versions": [{"status": "affected", "version": "4.6.0", "versionType": "custom", "lessThanOrEqual": "4.6.x"}, {"status": "affected", "version": "4.7.0", "lessThan": "4.7.7", "versionType": "custom"}, {"status": "affected", "version": "4.8.0", "lessThan": "4.8.6", "versionType": "custom"}, {"status": "affected", "version": "4.9.0", "lessThan": "4.9.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2021-11-29T18:30:00.000Z", "references": [{"url": "https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf"}], "workarounds": [{"lang": "en", "value": "\nB&R has identified the following specific workarounds and mitigations.\nUsers of B&R Automation Studio and PVI may manually reconfigure permission settings on these \nservices to allow modification only for privileged users.\nAdditionally, it is recommended to limit access to the workstation running B&R Automation Studio and PVI \nto authorized users.\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\nB&R has identified the following specific workarounds and mitigations.\nUsers of B&R Automation Studio and PVI may manually reconfigure permission settings on these \nservices to allow modification only for privileged users.\nAdditionally, it is recommended to limit access to the workstation running B&R Automation Studio and PVI \nto authorized users.\n\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation.This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.\n\n", "supportingMedia": [{"type": "text/html", "value": "Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation.<p>This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "shortName": "ABB", "dateUpdated": "2024-02-02T06:58:24.173Z"}}}, "cveMetadata": {"cveId": "CVE-2020-24681", "state": "PUBLISHED", "dateUpdated": "2025-05-09T17:52:17.145Z", "dateReserved": "2020-08-26T00:00:00.000Z", "assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "datePublished": "2024-02-02T06:58:24.173Z", "assignerShortName": "ABB"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*", "matchCriteriaId": "96888691-48DD-4173-B526-A325B8433F1B", "versionEndExcluding": "4.7.7.74", "versionStartIncluding": "4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*", "matchCriteriaId": "04F8420B-E58C-4C17-B47B-15356571E650", "versionEndExcluding": "4.8.6.30", "versionStartIncluding": "4.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*", "matchCriteriaId": "0515B5D7-8B71-4D6E-B0E1-4E61B930A54E", "versionEndExcluding": "4.9.4.92", "versionStartIncluding": "4.9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation.This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.\n\n"}, {"lang": "es", "value": "La asignaci\u00f3n de permisos incorrecta para la vulnerabilidad de recursos cr\u00edticos en B&R Industrial Automation Automation Studio permite la escalada de privilegios. Este problema afecta a Automation Studio: desde 4.6.0 hasta 4.6.X, desde 4.7.0 antes de 4.7.7 SP, desde 4.8.0 antes de 4.8.6 SP, desde 4.9.0 anterior a 4.9.4 SP."}], "id": "CVE-2020-24681", "lastModified": "2024-11-21T05:15:44.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "cybersecurity@ch.abb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-02T07:15:07.333", "references": [{"source": "cybersecurity@ch.abb.com", "tags": ["Vendor Advisory"], "url": "https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.br-automation.com/fileadmin/2021-14-BR-AS-NET-PVI-Service-Issues-c3710fbf.pdf"}], "sourceIdentifier": "cybersecurity@ch.abb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}