Rockwell Automation FactoryTalk

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-25-028-03 | Jan 28, 2025
Rockwell Automation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

FactoryTalk View ME versions before 15.0 contain two vulnerabilities (CVE-2025-24479, CVE-2025-24480) that allow unauthenticated remote code execution with elevated privileges. CVE-2025-24479 can be exploited through direct access to the system; CVE-2025-24480 involves improper parameter validation on invoked functions. Successful exploitation allows an attacker to run arbitrary commands with elevated privileges on the device.

What this means
What could happen
An attacker could execute commands with elevated privileges on FactoryTalk View ME, potentially altering production schedules, process parameters, or causing equipment to stop responding to legitimate operator commands.
Who's at risk
Water authorities and electric utilities using FactoryTalk View ME (all versions before 15.0) as their SCADA or process monitoring interface are affected. This includes any organization using Rockwell Automation HMI/supervisory systems to manage pumps, generators, substations, or other critical infrastructure equipment.
How it could be exploited
An attacker on the network (or via the internet if the device is exposed) could send specially crafted requests to FactoryTalk View ME to trigger code execution with elevated privileges. No authentication is required, making the attack straightforward for anyone with network access to the device.
Prerequisites
  • Network access to the device (local network or internet-exposed)
  • No user credentials required
remotely exploitable, no authentication required, low complexity, high CVSS (9.8), affects supervisory systems
Exploitability
Some exploitation risk — EPSS score 2.4%
Affected products (1)
Product | Affected Versions | Fix Status
FactoryTalk View ME: <15.0 | <15.0 | 15.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to FactoryTalk View ME using firewall rules; allow connections only from known trusted engineering workstations or operator stations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update FactoryTalk View ME to version 15.0 or apply patch AID 1152309
HOTFIX: Update FactoryTalk View ME to version 15.0 or apply patch AID 1152571
HARDENING: Limit function parameters passed to FactoryTalk View ME to only those required for normal operations
HARDENING: Restrict physical access to the device; allow only authorized personnel in control room or equipment area
Long-term hardening
HARDENING: Implement network segmentation to isolate FactoryTalk View ME and associated control systems from business networks and the internet