Emerson


Products by Emerson Sorted by Most Security Vulnerabilities since 2018

Emerson Deltav: 8 vulnerabilities

Emerson Data Record Ad: 2 vulnerabilities

Emerson Systemlink Server: 2 vulnerabilities

Emerson Sts Software Bundle: 2 vulnerabilities

Emerson Labview Nxg: 2 vulnerabilities

Emerson Flexlogger: 2 vulnerabilities

By the Year

In 2026 there has been 1 vulnerability in Emerson with an average score of 8.4 out of ten. Emerson did not have any published security vulnerabilities last year. That is, 1 more vulnerability has already been reported in 2026 as compared to last year.




Year Vulnerabilities Average Score
2026 1 8.40
2025 0 0.00
2024 2 7.80
2023 0 0.00
2022 18 6.96
2021 4 6.98
2020 2 0.00
2019 1 6.50
2018 6 0.00

It may take a day or so for new Emerson vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Emerson Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2022-50930 Jan 13, 2026
Unquoted Service Path in Emerson PAC Machine Edition 9.80 TrapiServer
Emerson PAC Machine Edition 9.80 contains an unquoted service path vulnerability in the TrapiServer service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup.
CVE-2024-1155 Feb 20, 2024
Privilege Escal via Incorrect Dir Perms in NI SystemLink Elixir
Incorrect permissions in the installation directories for shared SystemLink Elixir based services may allow an authenticated user to potentially enable escalation of privilege via local access.
Specification Compliance Manager
Sts Software Bundle
Data Record Ad
And others...
CVE-2024-1156 Feb 20, 2024
NI RabbitMQ Dir Perms Leak
Incorrect directory permissions for the shared NI RabbitMQ service may allow a local authenticated user to read RabbitMQ configuration information and potentially enable escalation of privileges.
Specification Compliance Manager
Sts Software Bundle
Data Record Ad
And others...
CVE-2022-2791 Nov 22, 2022
Proficy Machine Edition <9.00 Unrestricted File Upload (CWE-434)
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-434 Unrestricted Upload of File with Dangerous Type, and will upload any file written into the PLC logic folder to the connected PLC.
Proficy
CVE-2022-2789 Aug 19, 2022
Proficy Machine Edition <9.0 CVE-2022-2789 CWE-345 Data Auth. Verification
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-345 Insufficient Verification of Data Authenticity, and can display logic that is different than the compiled logic.
Electrics Proficy
CVE-2022-2790 Aug 19, 2022
Proficy Machine Edition 9.00 Improper Crypto Signature Verification (CWE-347)
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-347 Improper Verification of Cryptographic Signature, and does not properly verify compiled logic (PDT files) and data blocks data (BLD/BLK files).
Electrics Proficy
CVE-2022-2792 Aug 19, 2022
Proficy ME v9.00 & prior Improper ACL on Project Data Dir
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-284 Improper Access Control, and stores project data in a directory with improper access control lists.
Electrics Proficy
CVE-2022-2793 Aug 19, 2022
Emerson Proficy Machine Edition v9.00 SRTP Integrity Check Failure
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-353 Missing Support for Integrity Check, and has no authentication or authorization of data packets after establishing a connection for the SRTP protocol.
Electrics Proficy
CVE-2022-2788 Aug 19, 2022
Proficy Machine Edition 9.8 Path Traversal (ZipSlip) via Upload Procedure
Emerson Electric's Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: '\..\Filename', also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer through the engineering station onto Windows in a way that executes the malicious code.
Electrics Proficy
CVE-2022-29959 Aug 16, 2022
Emerson OpenBSI Credential Storage Flaw (CVE-2022-29959)
Emerson OpenBSI through 2022-04-29 mishandles credential storage. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. This environment provides access control functionality through user authentication and privilege management. The credentials for various users are stored insecurely in the SecUsers.ini file by using a simple string transformation rather than a cryptographic mechanism.
Openbsi
CVE-2022-29960 Jul 26, 2022
Emerson OpenBSI Weak DES Cryptography Vulnerability
Emerson OpenBSI through 2022-04-29 uses weak cryptography. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. DES with hardcoded cryptographic keys is used for protection of certain system credentials, engineering files, and sensitive utilities.
Openbsi
CVE-2022-29965 Jul 26, 2022
DeltaV DCS TELNET Password Replay Enables Privilege Escalation
The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. Access to privileged operations on the maintenance port TELNET interface (23/TCP) on M-series and SIS (CSLS/LSNB/LSNG) nodes is controlled by means of utility passwords. These passwords are generated using a deterministic, insecure algorithm using a single seed value composed of a day/hour/minute timestamp with less than 16 bits of entropy. The seed value is fed through a lookup table and a series of permutation operations resulting in three different four-character passwords corresponding to different privilege levels. An attacker can easily reconstruct these passwords and thus gain access to privileged maintenance operations. NOTE: this is different from CVE-2014-2350.
Deltav Distributed Control System
CVE-2022-29957 Jul 26, 2022
Emerson DeltaV DCS Auth Bypass via Unsecured Protocols
The Emerson DeltaV Distributed Control System (DCS) through 2022-04-29 mishandles authentication. It utilizes several proprietary protocols for a wide variety of functionality. These protocols include Firmware upgrade (18508/TCP, 18518/TCP); Plug-and-Play (18510/UDP); Hawk services (18507/UDP); Management (18519/TCP); Cold restart (18512/UDP); SIS communications (12345/TCP); and Wireless Gateway Protocol (18515/UDP). None of these protocols have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality.
Deltav Distributed Control System Firmware
Deltav Distributed Control System
CVE-2020-16235 May 19, 2022
Inadequate encryption may allow the credentials used by Emerson OpenEnterprise, up through version 3.3.5, to access field devices and external systems to be obtained.
Openenterprise Scada Server
CVE-2020-10640 Feb 24, 2022
Emerson OpenEnterprise versions through 3.3.4 may allow an attacker to run arbitrary commands with system privileges or perform remote code execution via a specific communication service.
Openenterprise Scada Server
CVE-2020-10636 Feb 24, 2022
Inadequate encryption may allow the passwords for Emerson OpenEnterprise versions through 3.3.4 user accounts to be obtained.
Openenterprise Scada Server
CVE-2020-10632 Feb 24, 2022
Inadequate folder security permissions in Emerson OpenEnterprise versions through 3.3.4 may allow modification of important configuration files, which could cause the system to fail or behave in an unpredictable manner.
Openenterprise Scada Server
CVE-2021-45421 Feb 14, 2022
Emerson Dixell XWEB-500 products are affected by information disclosure via directory listing. A potential attacker can use this misconfiguration to access all the files in the remote directories. Note: the product has not been supported since 2018 and should be removed or replaced.
Dixell Xweb 500 Firmware
CVE-2021-45420 Feb 14, 2022
Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker will be able to write any file on the target system without any kind of authentication mechanism, and this can lead to denial of service and potentially remote code execution. Note: the product has not been supported since 2018 and should be removed or replaced.
Dixell Xweb 500 Firmware
CVE-2021-26264 Jan 28, 2022
A specially crafted script could cause the DeltaV Distributed Control System Controllers (All Versions) to restart and cause a denial-of-service condition.
Deltav Workstation
Deltav Distributed Control System
CVE-2021-44463 Jan 28, 2022
Missing DLLs, if replaced by an insider, could allow an attacker to achieve local privilege escalation on the DeltaV Distributed Control System Controllers and Workstations (All versions) when some DeltaV services are started.
Deltav
CVE-2020-12030 Sep 29, 2021
There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway.
CVE-2021-29297 Jul 30, 2021
Buffer Overflow in Emerson GE Automation Proficy Machine Edition v8.0 allows an attacker to cause a denial of service and application crash via crafted traffic from a Man-in-the-Middle (MITM) attack to the component "FrameworX.exe" in the module "MSVCR100.dll".
Proficy Machine Edition
CVE-2021-29298 Jul 30, 2021
Improper Input Validation in Emerson GE Automation Proficy Machine Edition v8.0 allows an attacker to cause a denial of service and application crash via crafted traffic from a Man-in-the-Middle (MITM) attack to the component "FrameworX.exe" in the module "fxVPStatcTcp.dll".
Proficy Machine Edition
CVE-2020-12525 Jan 22, 2021
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
Rosemount Transmitter Interface Software
CVE-2020-6971 Mar 05, 2020
In Emerson ValveLink v12.0.264 to v13.4.118, a vulnerability in the ValveLink software may allow a local, unprivileged, trusted insider to escalate privileges due to insecure configuration parameters.
Valvelink
CVE-2020-6970 Feb 19, 2020
A Heap-based Buffer Overflow was found in Emerson OpenEnterprise SCADA Server 2.83 (if Modbus or ROC Interfaces have been installed and are in use) and all versions of OpenEnterprise 3.1 through 3.3.3, where a specially crafted script could execute code on the OpenEnterprise Server.
Openenterprise Scada Server
CVE-2018-19021 Jan 25, 2019
A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service.
Deltav Distributed Control System
Deltav
CVE-2018-14808 Oct 01, 2018
Emerson AMS Device Manager v12.0 to v13.5. Non-administrative users are able to change executable and library files on the affected products.
Ams Device Manager
CVE-2018-14804 Oct 01, 2018
Emerson AMS Device Manager v12.0 to v13.5. A specially crafted script may be run that allows arbitrary remote code execution.
Ams Device Manager
CVE-2018-14797 Aug 23, 2018
Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 allow a specially crafted DLL file to be placed in the search path and loaded as an internal and valid DLL, which may allow arbitrary code execution.
Deltav Distributed Control System
Deltav
CVE-2018-14791 Aug 23, 2018
Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 may allow non-administrative users to change executable and library files on the affected products.
Deltav Distributed Control System
Deltav
CVE-2018-14795 Aug 21, 2018
DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 are vulnerable due to improper path validation which may allow an attacker to replace executable files.
Deltav
CVE-2018-14793 Aug 21, 2018
DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 are vulnerable to a buffer overflow exploit through an open communication port to allow arbitrary code execution.
Deltav
CVE-2014-2349 May 22, 2014
Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.
Deltav
CVE-2014-2350 May 22, 2014
Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.
Deltav
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).