OTPulse

Rockwell Automation FactoryTalk

Act Now | CVSS 9.8 | ICS-CERT ICSA-25-028-03 | Jan 28, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

FactoryTalk View ME versions below 15.0 contain two access control and command injection vulnerabilities (CVE-2025-24479 and CVE-2025-24480) that allow remote code execution with elevated privileges. CVE-2025-24479 is mitigated by upgrading to V15.0 or applying patch AID 1152309. CVE-2025-24480 is mitigated by upgrading to V15.0 or applying patch AID 1152571, and by strictly constraining function parameters and protecting network access to the device. No known public exploitation has been reported.

What this means
What could happen
An attacker with network access to FactoryTalk View ME could execute arbitrary code with elevated privileges, potentially allowing them to modify automation logic, alter process parameters, or stop critical operations like water treatment or power distribution.
Who's at risk
Water utilities, electric utilities, and municipal plant operators who use Rockwell Automation FactoryTalk View ME (version below 15.0) for SCADA visualization and automation control. This includes operators of water treatment plants, distribution systems, and electric generation or distribution facilities that rely on FactoryTalk for real-time monitoring and command execution.
How it could be exploited
An attacker on the network could send a specially crafted request to FactoryTalk View ME (CVE-2025-24479 or CVE-2025-24480) that exploits insufficient access controls or command injection vulnerabilities. The device would execute the attacker's code with elevated system privileges, giving them direct control over the automation system.
Prerequisites
  • Network access to FactoryTalk View ME (port or service not specified in advisory)
  • FactoryTalk View ME version below 15.0 installed
  • No authentication required (CVSS vector PR:N indicates no privilege required)
Remotely exploitable · No authentication required · Low complexity attack · High CVSS score (9.8) · Affects automation/visualization systems that control physical operations · Moderate exploit probability (EPSS 2.4%)
Exploitability
Moderate exploit probability (EPSS 2.4%)
Affected products (1)
Product | Affected Versions | Fix Status
FactoryTalk View ME: <15.0 | <15.0 | 15.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to FactoryTalk View ME using firewall rules; block inbound traffic from untrusted networks
HARDENING: Control and limit physical access to FactoryTalk View ME systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade FactoryTalk View ME to version 15.0 or later
HOTFIX: Apply patch in AID 1152309 (for CVE-2025-24479) if immediate upgrade is not possible
HOTFIX: Apply patch in AID 1152571 (for CVE-2025-24480) if immediate upgrade is not possible
HARDENING: Strictly limit the parameters and functions that can be invoked on the device
Long-term hardening
HARDENING: Segment FactoryTalk View ME from business networks and the internet using network isolation and firewalls
HARDENING: If remote access is required, use a VPN and keep it updated to the latest version