Mallory

Multiple High-Severity Vulnerabilities in Rockwell Automation FactoryTalk Products

Updated October 15, 2025 at 01:00 AM (4 sources)


Rockwell Automation has disclosed several high-severity vulnerabilities affecting its FactoryTalk product line, including FactoryTalk View Machine Edition, PanelView Plus 7, and FactoryTalk ViewPoint.

One of the vulnerabilities, tracked as CVE-2025-9064, is a path traversal issue in FactoryTalk View Machine Edition that allows unauthenticated attackers on the same network to delete arbitrary files from the device’s operating system, provided they know the filenames. This vulnerability is remotely exploitable and could lead to significant disruption or loss of critical files on affected devices. The company’s advisory SD1753 confirms that both FactoryTalk View Machine Edition and PanelView Plus 7 are impacted by this flaw, and that mitigations and workarounds are available.

Another critical vulnerability, CVE-2025-9066, affects FactoryTalk ViewPoint and enables unauthenticated attackers to exploit XML External Entity (XXE) processing via certain SOAP requests. Successful exploitation of this flaw can result in a temporary denial-of-service condition, potentially disrupting industrial operations. Rockwell Automation’s advisory SD1752 details the XXE vulnerability, noting that it was discovered internally during routine security testing and that no known exploitation in the wild has been reported.

Both vulnerabilities have been assigned a CVSS 4.0 base score of 8.7, indicating a high level of risk to industrial environments where these products are deployed. The advisories state that patches and workarounds are available, and customers are urged to apply them promptly to mitigate risk. The company emphasizes that the vulnerabilities are not currently known to be exploited in the wild, but the potential impact on industrial control systems is significant due to the products’ widespread use.

The advisories also highlight Rockwell Automation’s commitment to transparency and proactive security practices, as these issues were identified through internal testing rather than external reports. Customers are encouraged to review the official advisories and implement recommended mitigations, including network segmentation and limiting access to trusted users. The affected products are commonly used in industrial automation environments, making timely remediation critical to prevent potential operational disruptions.

The advisories provide detailed technical information and guidance for system administrators to assess and address the vulnerabilities. Rockwell Automation has made available downloadable advisories in Vulnerability Exploitability Exchange (VEX) format for integration with vulnerability management tools. The company’s response includes both immediate patches and suggested workarounds for environments where patching may not be immediately feasible. Organizations using FactoryTalk View Machine Edition, PanelView Plus 7, or FactoryTalk ViewPoint should prioritize reviewing their exposure and applying the recommended security measures.


Related Stories

Multiple Critical Vulnerabilities Disclosed in Industrial Control Systems by CISA

CISA released thirteen advisories detailing critical vulnerabilities affecting a range of industrial control system (ICS) products from major vendors including Rockwell Automation, Siemens, Hitachi Energy, Schneider Electric, and Delta Electronics. The advisories highlight severe security flaws such as missing authentication for critical functions, improper authorization, buffer overflows, SQL injection, and improper certificate validation.

For Siemens TeleControl Server Basic, a vulnerability (CVE-2025-40765) allows unauthenticated remote attackers to obtain password hashes and perform authenticated operations on the database service, with a CVSS v3.1 score of 9.8, indicating critical risk. Rockwell Automation's FactoryTalk View Machine Edition and PanelView Plus 7 are susceptible to path traversal and improper authorization, potentially granting attackers unauthorized access to device file systems and sensitive diagnostic information. FactoryTalk ViewPoint is vulnerable to XML external entity injection, which could result in denial-of-service conditions.

Siemens SiPass Integrated faces multiple issues, including buffer overflows and cross-site scripting, which could enable arbitrary code execution and unauthorized access. The Siemens SIMATIC ET 200SP Communication Processors have a missing authentication flaw that could allow attackers to access configuration data remotely. Siemens SINEC NMS is affected by a SQL injection vulnerability that could let low-privileged users escalate privileges. Siemens Solid Edge products are exposed to out-of-bounds read and write vulnerabilities, risking application crashes or code execution. Siemens HyperLynx and Industrial Edge App Publisher are vulnerable to type confusion, potentially leading to arbitrary code execution via crafted HTML pages. Hitachi Energy MACH GWS products have incorrect default permissions and improper validation issues, which could allow attackers to tamper with system files, cause denial of service, or perform man-in-the-middle attacks.

The advisories provide technical details, affected product versions, and recommended mitigations, urging administrators to review and apply patches or workarounds. The vulnerabilities impact critical infrastructure sectors such as manufacturing, energy, water, and transportation, with products deployed worldwide. Many of the flaws are remotely exploitable with low attack complexity, increasing the urgency for remediation. CISA emphasizes the importance of timely action to prevent exploitation, as several vulnerabilities could lead to unauthorized access, data manipulation, or disruption of essential services.

The advisories also reference the need to consult vendor-specific security updates for the most current information. Organizations are advised to assess their exposure, prioritize patching, and implement recommended security controls to mitigate these risks. The coordinated disclosure underscores the ongoing threat to ICS environments and the necessity for robust security practices across operational technology networks.

5 months ago

Rockwell FactoryTalk DataMosaix SQL Injection Vulnerability

Rockwell Automation disclosed a high-severity SQL injection vulnerability (CVE-2025-12807) affecting its FactoryTalk® DataMosaix™ Private Cloud product. The flaw, discovered during internal testing, could allow attackers to tamper with industrial data or cause denial-of-service conditions impacting safety devices, with remediation requiring manual intervention. The company has released a security advisory detailing the issue, confirming that no known exploitation has occurred and providing guidance for customers to address the vulnerability. Security researchers highlighted the risk of data tampering and operational disruption in industrial environments due to this SQL injection flaw. The vulnerability underscores the importance of timely patching and manual remediation in critical infrastructure systems, as automated fixes are not available. Organizations using affected Rockwell products are urged to review the official advisory and implement recommended mitigations to protect against potential exploitation.

3 months ago

Denial-of-Service Vulnerabilities in Rockwell Automation 1715 EtherNet/IP Comms Module

Rockwell Automation has disclosed two denial-of-service (DoS) vulnerabilities affecting its 1715 EtherNet/IP Comms Module, specifically versions 3.003 and prior. The vulnerabilities, identified as CVE-2025-9177 and CVE-2025-9178, were detailed in advisories released by both Rockwell Automation and the Cybersecurity and Infrastructure Security Agency (CISA) on October 14, 2025.

The first vulnerability involves allocation of resources without limits or throttling (CWE-770), which allows a remote attacker to crash the web server by sending a high volume of requests. Although this crash does not impact I/O control or communication, a power cycle is required to restore web server functionality. The second vulnerability is an out-of-bounds write (CWE-787) that can be triggered through crafted CIP communication payloads, also resulting in a denial-of-service condition. Both vulnerabilities are exploitable remotely with low attack complexity, and no user interaction or privileges are required for exploitation. CISA assigned a CVSS v4 base score of 7.7 to CVE-2025-9177, indicating a high severity risk.

Rockwell Automation has confirmed that these vulnerabilities have not been exploited in the wild as of the advisory date. The company has released corrected versions to address the issues, but no workarounds are available for affected systems. CISA has urged users and administrators of the 1715 EtherNet/IP Comms Module to review the advisories and apply mitigations as soon as possible. The vulnerabilities do not affect the core operational functions of the module, but the loss of web server access could hinder remote management and monitoring.

Both advisories emphasize the importance of timely patching and following best practices for securing industrial control systems. The vulnerabilities highlight ongoing risks in industrial automation environments, where denial-of-service attacks can disrupt visibility and management even if core processes remain unaffected. Organizations using the affected modules are advised to assess their exposure and implement the recommended updates. The advisories also serve as a reminder of the need for robust network segmentation and monitoring in operational technology environments.

Rockwell Automation has provided detailed technical information and remediation guidance in its product advisory. CISA’s alert reinforces the urgency of addressing these vulnerabilities to prevent potential operational disruptions. The coordinated disclosure and response demonstrate the critical role of vendor and government collaboration in protecting industrial control systems.

5 months ago
