Two critical vulnerabilities in Rockwell Automation's Verve Asset Manager have been disclosed, exposing plaintext secrets in retired components and posing significant risks to operational technology (OT) environments. These security flaws, tracked as CVE-2024-21873 and CVE-2024-21874, affect versions 7.0.0 through 7.3.0 of the industrial asset management platform, revealing sensitive information that could enable attackers to compromise industrial control systems. The vulnerabilities specifically impact retired, optional components that many organizations continue to run despite their deprecated status—a common but dangerous practice in industrial environments where system stability often takes precedence over security updates.

The Technical Details of the Vulnerabilities

According to security researchers and Rockwell Automation's official advisory, the vulnerabilities exist in two specific retired components of Verve Asset Manager. CVE-2024-21873 (CVSS score: 7.5) involves the exposure of plaintext credentials in configuration files for the Verve Industrial Networks (VIN) component, which was retired in version 7.2.0. This component, when present in systems upgraded from earlier versions, stores authentication credentials in cleartext within accessible configuration files. Attackers with local access to the system could extract these credentials and potentially gain elevated privileges or move laterally within the OT network.

CVE-2024-21874 (CVSS score: 6.5) affects the retired Asset Centre Integration component, exposing sensitive information through debug logs. This vulnerability allows authenticated users to view debug information containing secrets that should remain protected. While requiring authentication, this flaw could be exploited by malicious insiders or attackers who have already gained some level of access to the system. Both vulnerabilities highlight the persistent risks associated with maintaining deprecated components in industrial software ecosystems.

Why Legacy Components Pose Persistent OT Security Risks

The continued operation of retired components represents a significant security challenge in industrial environments. Unlike traditional IT systems where deprecated features are typically removed or disabled, OT environments often maintain legacy functionality due to operational requirements, compatibility concerns, and the critical nature of industrial processes. Many organizations running Verve Asset Manager have upgraded from earlier versions without removing these retired components, creating security blind spots that attackers can exploit.

Industrial control systems frequently operate on extended lifecycles, with some components remaining in service for decades. This longevity creates a complex security landscape where modern security practices must coexist with legacy systems. The Verve Asset Manager vulnerabilities demonstrate how security gaps can persist even in updated systems when deprecated components remain active. According to cybersecurity experts specializing in OT environments, this pattern is alarmingly common across industrial sectors, from manufacturing and energy to critical infrastructure.

The Industrial Cybersecurity Context

Verve Asset Manager serves as a critical component in industrial cybersecurity architectures, providing asset discovery, vulnerability management, and compliance reporting for OT environments. The platform helps organizations maintain visibility into their industrial assets, track vulnerabilities, and demonstrate compliance with industry standards. However, the very tool designed to enhance security now contains vulnerabilities that could undermine its protective functions.

The exposure of plaintext secrets in industrial environments carries particularly severe consequences. Unlike traditional IT systems where credential exposure might lead to data breaches, in OT environments, compromised credentials could enable attackers to manipulate physical processes, disrupt critical infrastructure, or cause safety incidents. The interconnected nature of modern industrial systems means that a compromise in one component could cascade through multiple systems, potentially affecting production lines, power generation, or other critical operations.

Patching and Mitigation Strategies

Rockwell Automation has released version 7.4.0 of Verve Asset Manager to address these vulnerabilities, with patches also available for affected versions. The company recommends that all users upgrade to version 7.4.0 or apply the relevant security patches immediately. For organizations that cannot immediately patch, Rockwell provides several mitigation strategies:

  • Remove retired components: Completely uninstall the Verve Industrial Networks (VIN) and Asset Centre Integration components if they are no longer required for operations
  • Restrict access: Implement strict access controls to limit who can interact with Verve Asset Manager systems
  • Network segmentation: Isolate Verve Asset Manager systems within properly segmented network zones
  • Monitoring and logging: Enhance monitoring of authentication attempts and access to configuration files
  • Credential rotation: Change all credentials that may have been exposed through these vulnerabilities

Security researchers emphasize that simply applying patches may not be sufficient. Organizations must also assess whether the retired components are truly necessary for their operations and remove them if possible. This requires careful planning in industrial environments where system changes can impact production processes.

The Broader Implications for OT Security

These vulnerabilities in Verve Asset Manager highlight several broader challenges in industrial cybersecurity:

1. Legacy System Management: Industrial organizations must develop more robust strategies for managing deprecated components, balancing operational requirements with security considerations. This includes establishing clear policies for component retirement, removal procedures, and ongoing risk assessment for legacy features.

2. Secrets Management in OT: The exposure of plaintext credentials underscores the need for improved secrets management practices in industrial environments. While secrets management solutions are common in IT environments, their adoption in OT lags behind. Industrial organizations should implement dedicated secrets management solutions designed for OT constraints and requirements.

3. Supply Chain Security: As industrial software becomes increasingly complex with multiple integrated components, vulnerabilities in any part of the software stack can compromise the entire system. Organizations must extend their security assessments to include all software components, even those marked as optional or retired.

4. Patching Challenges in OT: The critical nature of industrial processes often makes patching more challenging than in traditional IT environments. Organizations need to develop specialized patching strategies that account for production schedules, safety requirements, and the unique characteristics of industrial control systems.

Expert Recommendations for Industrial Organizations

Cybersecurity experts specializing in OT environments recommend several proactive measures beyond immediate patching:

  • Conduct comprehensive asset inventories: Ensure complete visibility of all industrial assets, including software components and their versions
  • Implement regular security assessments: Conduct specialized security assessments focused on OT systems and their unique vulnerabilities
  • Develop OT-specific incident response plans: Create response procedures tailored to industrial environments where safety and continuity are paramount
  • Enhance security training: Provide specialized security training for OT personnel that addresses the unique challenges of industrial systems
  • Establish vendor security requirements: Include specific security requirements in procurement processes for industrial software and equipment

The Future of OT Security

The disclosure of these vulnerabilities in Verve Asset Manager comes at a time of increasing focus on industrial cybersecurity. Regulatory frameworks, industry standards, and customer requirements are driving improved security practices across industrial sectors. However, the persistence of vulnerabilities in retired components suggests that more work is needed to address the unique challenges of OT environments.

Looking forward, several trends are likely to shape OT security:

  • Increased automation of security processes: As industrial networks grow more complex, automated security tools will become essential for maintaining visibility and control
  • Convergence of IT and OT security: Organizations will increasingly integrate their IT and OT security functions to create more cohesive defense strategies
  • Enhanced focus on secure development: Industrial software vendors will need to implement more rigorous secure development practices throughout the software lifecycle
  • Growing regulatory pressure: New regulations and standards will continue to raise the bar for industrial cybersecurity

Conclusion: A Wake-Up Call for Industrial Cybersecurity

The vulnerabilities in Rockwell Automation's Verve Asset Manager serve as a critical reminder of the persistent security challenges in industrial environments. The exposure of plaintext secrets in retired components highlights how security gaps can emerge even in updated systems when legacy features remain active. For OT teams, these vulnerabilities represent more than just another patch to apply—they underscore the need for comprehensive security strategies that address the unique characteristics of industrial systems.

Industrial organizations must move beyond reactive patching to develop proactive security postures that account for legacy systems, operational constraints, and the critical nature of industrial processes. This includes establishing clear policies for component management, implementing robust secrets management practices, and developing specialized security capabilities for OT environments. As industrial systems become increasingly connected and critical to daily life, the security of these systems becomes not just an operational concern but a societal imperative.

The path forward requires collaboration between industrial organizations, software vendors, security researchers, and regulators to build more resilient industrial ecosystems. By learning from incidents like the Verve Asset Manager vulnerabilities and implementing comprehensive security improvements, the industrial sector can better protect the critical infrastructure that underpins modern society.