Rockwell Automation FactoryTalk View Site Edition

Plan Patch | CVSS 7.3 | ICS-CERT ICSA-25-028-04 | Jan 28, 2025
Rockwell Automation
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Rockwell Automation FactoryTalk View Site Edition versions below 15.0 contain two vulnerabilities: CVE-2025-24481 allows unauthenticated local access to system configuration files, and CVE-2025-24482 enables execution of arbitrary DLLs with elevated privileges through improper PATH environment variable handling. Both vulnerabilities require local access to the engineering workstation. Configuration files may contain sensitive information about automation processes, setpoints, and system architecture. DLL execution with elevated privileges could allow code to run with administrative permissions, bypassing normal access controls on the engineering workstation and potentially affecting connected systems.

What this means
What could happen
An attacker with local access to a FactoryTalk View SE workstation could read system configuration files containing sensitive data and execute malicious code with elevated privileges, potentially compromising the integrity of HMI functionality and automation logic.
Who's at risk
FactoryTalk View Site Edition operators and engineering teams who maintain HMI systems at water utilities, electric distribution, manufacturing plants, and other critical infrastructure facilities. This affects engineering workstations running vulnerable versions below 15.0 that have local user access or are connected to less-isolated networks.
How it could be exploited
An attacker must first gain local access to the FactoryTalk View SE workstation (via physical access, compromised local account, or lateral movement from a connected network). Once local, the attacker can access unprotected configuration files to extract sensitive information, and exploit DLL loading to execute code with elevated privileges by manipulating the PATH environment variable or directly accessing port 8091 if exposed on the network.
Prerequisites
  • Local access to the workstation running FactoryTalk View SE version below 15.0
  • Standard user-level privileges (no authentication required for configuration file access)
  • Ability to manipulate environment variables or direct network access to port 8091 if exposed
  • Local access required (not remotely exploitable)
  • No authentication required to access configuration files
  • Low complexity exploitation
  • Affects engineering workstations (not directly OT devices but controls them)
  • Potential access to system configuration and sensitive process data
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
FactoryTalk View Site Edition: <15.0 | <15.0 | 15.0
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to port 8091 using firewall rules or workstation network policies to allow only trusted engineering workstations
  • HARDENING: Review and correct the system PATH environment variable to ensure the FactoryTalk View SE installation path (C:\Program Files (x86)\Common Files\Rockwell) appears before any other library paths
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade FactoryTalk View Site Edition to version 15.0 or apply patch (Answer ID 1152306 for CVE-2025-24481, Answer ID 1152304 for CVE-2025-24482)
Long-term hardening
  • HARDENING: Implement physical access controls to FactoryTalk View SE workstations to prevent unauthorized local access
  • HARDENING: Isolate FactoryTalk View SE workstations and engineering networks from general business networks using network segmentation and firewalls
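
One way to carry out the PATH review from the "Do now" hardening item, as an added example that is not part of the advisory or any Rockwell tooling. The function name `Test-RockwellPathOrder`, its output fields, and the sample PATH are assumptions; only the Rockwell directory comes from the advisory.

```powershell
# Added example: audit PATH order for the hardening step in this advisory.
# Test-RockwellPathOrder and its output fields are hypothetical names.
function Test-RockwellPathOrder {
    param(
        [string]$PathValue   = [Environment]::GetEnvironmentVariable('Path', 'Machine'),
        [string]$RockwellDir = 'C:\Program Files (x86)\Common Files\Rockwell'  # path from the advisory
    )
    # Expand %VAR% references, strip quotes and trailing backslashes before comparing.
    $normalize = { param($p) [Environment]::ExpandEnvironmentVariables($p).Trim().Trim('"').TrimEnd('\') }
    $target  = & $normalize $RockwellDir
    $entries = @($PathValue -split ';' | Where-Object { $_.Trim() } | ForEach-Object { & $normalize $_ })

    $index = -1
    for ($i = 0; $i -lt $entries.Count; $i++) {
        if ($entries[$i] -ieq $target) { $index = $i; break }
    }
    # Directories searched before the Rockwell directory (all of them if it is missing).
    $ahead = if ($index -lt 0) { $entries } elseif ($index -eq 0) { @() } else { $entries[0..($index - 1)] }

    # Of those, flag directories where broad groups may create files. Assumption:
    # English built-in group names; localized systems need their own names here.
    $broad = 'Everyone|BUILTIN\\Users|Authenticated Users'
    $writable = foreach ($dir in $ahead) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $hit = (Get-Acl -LiteralPath $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match $broad -and
            (([int]$_.FileSystemRights -band 2) -ne 0)   # 2 = CreateFiles / WriteData
        }
        if ($hit) { $dir }
    }

    [pscustomobject]@{
        RockwellPresent = ($index -ge 0)
        RockwellFirst   = ($index -eq 0)
        EntriesAhead    = @($ahead)
        WritableAhead   = @($writable)
    }
}

# Constructed sample PATH, not taken from a real workstation.
$sample = 'C:\Tools\bin;C:\Windows\system32;C:\Program Files (x86)\Common Files\Rockwell\;C:\Windows'
Test-RockwellPathOrder -PathValue $sample | Format-List
# Live check of the machine PATH: Test-RockwellPathOrder | Format-List
```

`EntriesAhead` is the list to review against the hardening item; `WritableAhead` is the subset where a standard user could place files in a directory that is searched before the Rockwell one, so those entries are the first to reorder or lock down.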