Rockwell Automation FactoryTalk Linx Privilege Escalation Vulnerabilities via MSI Repair Functionality
Rockwell Automation has disclosed two high-severity privilege escalation vulnerabilities affecting its FactoryTalk Linx software, specifically related to the Microsoft Installer (MSI) repair functionality. The vulnerabilities, tracked as CVE-2025-9067 and CVE-2025-9068, impact both the x86 and x64 versions of the FactoryTalk Linx driver package. Authenticated attackers with valid Windows user credentials can exploit these flaws by initiating a repair operation on the MSI installer. During this process, the attacker can hijack the resulting console window, which is associated with the vbpinstall.exe process. This hijacking enables the attacker to launch a command prompt with SYSTEM-level privileges, granting them full access to all files, processes, and system resources on the affected system. The vulnerabilities are not remotely exploitable, requiring local access and valid credentials to carry out the attack. Rockwell Automation has acknowledged the issue and published a security advisory (SD1754) on October 14, 2025, outlining the risks and available mitigations. As of the advisory's publication, no official patch or correction has been released, but workarounds are available to reduce the risk of exploitation. The vulnerabilities have not been reported as known to be exploited in the wild at the time of disclosure. Both CVE-2025-9067 and CVE-2025-9068 were assigned a high CVSS score of 8.5, reflecting the significant risk posed by potential privilege escalation. The advisory emphasizes the importance of restricting access to systems running FactoryTalk Linx and ensuring that only trusted users have local access. Organizations are encouraged to review the provided workarounds and monitor for future updates regarding patches or permanent fixes. The vulnerabilities highlight the ongoing risks associated with installer repair functionalities, which can be abused for privilege escalation if not properly secured. Rockwell Automation's Product Security Incident Response Team (PSIRT) is the source of the vulnerability disclosures. The affected product versions have not been explicitly listed, but all users of FactoryTalk Linx are advised to assess their exposure. The advisory is part of Rockwell Automation's commitment to transparency and proactive security communication with its customers. Industrial organizations using FactoryTalk Linx should prioritize reviewing their security posture in light of these vulnerabilities. The disclosure underscores the need for robust access controls and monitoring on critical industrial automation systems. Ongoing vigilance and timely application of mitigations are essential to prevent potential exploitation of these privilege escalation flaws.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CISA issues ICS advisory for Rockwell FactoryTalk Linx flaws
CISA published advisory ICSA-25-289-02 covering CVE-2025-9067 and CVE-2025-9068, noting they are not remotely exploitable and that no public exploitation had been reported. The agency also provided mitigation and defense-in-depth guidance for affected industrial environments.
CVE-2025-9067 and CVE-2025-9068 are publicly listed
The two high-severity privilege escalation flaws, CVE-2025-9067 and CVE-2025-9068, were publicly cataloged as affecting Rockwell Automation FactoryTalk Linx. The issues allow authenticated attackers with valid Windows credentials to abuse MSI repair functionality and console window hijacking to gain SYSTEM-level privileges.
Rockwell Automation publishes FactoryTalk Linx advisory
Rockwell Automation disclosed two privilege escalation vulnerabilities in FactoryTalk Linx affecting version 6.40 and earlier, and advised customers to upgrade to version 6.50 or later and apply relevant Microsoft patches.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Rockwell Automation FactoryTalk Linx
cisa.gov
Open sourceCVE-2025-9068 - Rockwell Automation FactoryTalk® Linx Privilege Escalation Vulnerabilities
cvefeed.io
Open sourceCVE-2025-9067 - Rockwell Automation FactoryTalk® Linx Privilege Escalation Vulnerabilities
cvefeed.io
Open sourceFactoryTalk® Linx Privilege Escalation Vulnerabilities
rockwellautomation.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple High-Severity Vulnerabilities in Rockwell Automation FactoryTalk Products
Rockwell Automation has disclosed several high-severity vulnerabilities affecting its FactoryTalk product line, including FactoryTalk View Machine Edition, PanelView Plus 7, and FactoryTalk ViewPoint. One of the vulnerabilities, tracked as CVE-2025-9064, is a path traversal issue in FactoryTalk View Machine Edition that allows unauthenticated attackers on the same network to delete arbitrary files from the device’s operating system, provided they know the filenames. This vulnerability is remotely exploitable and could lead to significant disruption or loss of critical files on affected devices. The company’s advisory SD1753 confirms that both FactoryTalk View Machine Edition and PanelView Plus 7 are impacted by this flaw, and that mitigations and workarounds are available. Another critical vulnerability, CVE-2025-9066, affects FactoryTalk ViewPoint and enables unauthenticated attackers to exploit XML External Entity (XXE) processing via certain SOAP requests. Successful exploitation of this flaw can result in a temporary denial-of-service condition, potentially disrupting industrial operations. Rockwell Automation’s advisory SD1752 details the XXE vulnerability, noting that it was discovered internally during routine security testing and that no known exploitation in the wild has been reported. Both vulnerabilities have been assigned a CVSS 4.0 base score of 8.7, indicating a high level of risk to industrial environments where these products are deployed. The advisories state that patches and workarounds are available, and customers are urged to apply them promptly to mitigate risk. The company emphasizes that the vulnerabilities are not currently known to be exploited in the wild, but the potential impact on industrial control systems is significant due to the products’ widespread use. The advisories also highlight Rockwell Automation’s commitment to transparency and proactive security practices, as these issues were identified through internal testing rather than external reports. Customers are encouraged to review the official advisories and implement recommended mitigations, including network segmentation and limiting access to trusted users. The affected products are commonly used in industrial automation environments, making timely remediation critical to prevent potential operational disruptions. The advisories provide detailed technical information and guidance for system administrators to assess and address the vulnerabilities. Rockwell Automation has made available downloadable advisories in Vulnerability Exploitability Exchange format for integration with vulnerability management tools. The company’s response includes both immediate patches and suggested workarounds for environments where patching may not be immediately feasible. Organizations using FactoryTalk View Machine Edition, PanelView Plus 7, or FactoryTalk ViewPoint should prioritize reviewing their exposure and applying the recommended security measures.
Mar 21, 2026
Rockwell Automation ICS Products Hit by Authentication, Authorization, DoS, and RCE Flaws
CISA republished multiple Rockwell Automation advisories covering vulnerabilities across **FactoryTalk Analytics PavilionX**, **RSLinx Classic**, **CompactLogix 5370**, **Logix 5370/5570 controllers**, and **FLEX I/O EtherNet/IP Adapters** used in critical manufacturing environments worldwide. The issues include an authorization bypass in PavilionX (`CVE-2025-14272`) that could let an unauthenticated attacker perform privileged administrative actions, and a third-party flaw in RSLinx Classic (`CVE-2020-13573`) tied to out-of-bounds read and stack-based buffer overflow conditions that could cause denial of service or enable remote arbitrary code execution. Additional advisories detail multiple **CIP-related denial-of-service weaknesses** in CompactLogix and Logix controllers, including `CVE-2026-11317`, where crafted CIP messages can trigger major nonrecoverable faults requiring a program download, as well as sequence-number, source-IP, and connection-ID issues that can induce controller faults. CISA also warned that FLEX I/O EtherNet/IP Adapters version `2.012` are affected by `CVE-2026-0646`, which can fault devices through malformed CIP requests, and `CVE-2026-0647`, a critical authentication bypass in the embedded web server that allows password changes through a crafted HTTP GET request, potentially leading to account takeover and loss of availability; CISA said no known public exploitation had been reported and urged operators to isolate control networks, reduce internet exposure, and secure remote access with firewalls and updated VPNs.
Jun 19, 2026
Rockwell FactoryTalk DataMosaix SQL Injection Vulnerability
Rockwell Automation disclosed a high-severity SQL injection vulnerability (CVE-2025-12807) affecting its FactoryTalk® DataMosaix™ Private Cloud product. The flaw, discovered during internal testing, could allow attackers to tamper with industrial data or cause denial-of-service conditions impacting safety devices, with remediation requiring manual intervention. The company has released a security advisory detailing the issue, confirming that no known exploitation has occurred and providing guidance for customers to address the vulnerability. Security researchers highlighted the risk of data tampering and operational disruption in industrial environments due to this SQL injection flaw. The vulnerability underscores the importance of timely patching and manual remediation in critical infrastructure systems, as automated fixes are not available. Organizations using affected Rockwell products are urged to review the official advisory and implement recommended mitigations to protect against potential exploitation.
Mar 21, 2026