Rockwell Automation FactoryTalk View Site Edition
Plan Patch | 7.3 | ICS-CERT ICSA-25-028-04 | Jan 28, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
FactoryTalk View Site Edition versions prior to 15.0 contain two vulnerabilities: CVE-2025-24481 allows unauthenticated access to system configuration files due to improper file permissions (CWE-732), and CVE-2025-24482 allows execution of arbitrary DLL files with elevated privileges through PATH environment variable manipulation (CWE-94). Both require local or workstation-level access. These vulnerabilities are not remotely exploitable but could allow an attacker with access to the workstation to modify process configurations or inject malicious code into control system operations.
What this means
What could happen
An attacker with local access to a FactoryTalk View Site Edition workstation could read system configuration files and execute malicious DLL files with elevated privileges, potentially allowing them to modify process parameters or disable monitoring systems used to control industrial equipment.
Who's at risk
Water utilities and electric utilities running FactoryTalk View Site Edition as their primary HMI (human-machine interface) or engineering workstation for monitoring and controlling PLCs, RTUs, and other industrial control devices. This affects any organization using Rockwell Automation systems for SCADA or process monitoring below version 15.0.
How it could be exploited
An attacker would need physical or local network access to the FactoryTalk workstation. For CVE-2025-24481, they could access configuration files through improper permission settings. For CVE-2025-24482, they could exploit PATH environment variable ordering to inject a malicious DLL that gets executed with elevated privileges when the application loads.
Prerequisites
- Local access to the FactoryTalk View Site Edition workstation or network access to Port 8091
- No valid credentials required for CVE-2025-24481 configuration file access
- Ability to write files to a location earlier in the system PATH for CVE-2025-24482
- Improper permission settings on configuration files
- DLL injection vulnerability via PATH manipulation
- No authentication required to access configuration files
- Affects workstations controlling critical infrastructure
- No patch available for versions below 15.0
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
FactoryTalk View Site Edition: <15.0 | <15.0 | 15.0
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to Port 8091 at the firewall or host level to only authorized users and workstations
- HARDENING: Protect physical access to FactoryTalk View Site Edition workstations with locked doors and access controls
- HARDENING: Verify and correct the system PATH environment variable to ensure the FactoryTalk View SE installation path (C:\Program Files (x86)\Common Files\Rockwell) appears before other paths
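One way to carry out the PATH verification step on a workstation, as an added example that is not part of the advisory or Rockwell's tooling: it lists the machine-level PATH in search order, locates the Rockwell directory named above, and flags earlier entries that are missing or writable by non-administrative groups. The principal list and the choice of rights to test are assumptions; run it from an elevated PowerShell session so that `Get-Acl` can read every directory.

```powershell
# Added example (not vendor code). $RockwellPath is the path named in the advisory;
# $BroadPrincipals is an assumed list of non-administrative groups; adjust to local policy.
$RockwellPath    = 'C:\Program Files (x86)\Common Files\Rockwell'
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$WriteRights     = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'

function Test-BroadWriteAccess {
    param([string]$Directory)
    # True when an Allow ACE grants file-creation rights to one of the broad principals.
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $WriteRights)) { return $true }
    }
    return $false
}

# Machine-level PATH: split, drop empty entries, expand %VAR%, strip quotes and trailing '\'.
$entries = @([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_.Trim() } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')).TrimEnd('\') })

# Position of the Rockwell directory (-1 if absent); comparison is case-insensitive.
$rockwellIndex = -1
for ($i = 0; $i -lt $entries.Count; $i++) {
    if ($entries[$i] -ieq $RockwellPath) { $rockwellIndex = $i; break }
}

$report = for ($i = 0; $i -lt $entries.Count; $i++) {
    $exists = Test-Path -LiteralPath $entries[$i] -PathType Container
    [pscustomobject]@{
        Position       = $i
        Directory      = $entries[$i]
        BeforeRockwell = ($rockwellIndex -lt 0 -or $i -lt $rockwellIndex)
        Exists         = $exists
        BroadWrite     = $exists -and (Test-BroadWriteAccess $entries[$i])
    }
}
$report | Format-Table -AutoSize

if ($rockwellIndex -lt 0) { Write-Warning "Rockwell path is not in the machine PATH: $RockwellPath" }
# Entries searched before the Rockwell directory that are missing or broadly writable
# are the ones the hardening step is meant to eliminate.
$report | Where-Object { $_.BeforeRockwell -and ($_.BroadWrite -or -not $_.Exists) } |
    ForEach-Object { Write-Warning "Review PATH entry $($_.Position): $($_.Directory)" }
```

The script only reads the PATH and directory ACLs; reordering the variable or tightening permissions remains a separate, change-controlled step.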
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade FactoryTalk View Site Edition to version 15.0 or later
- HOTFIX: Apply patch Answer ID 1152306 for CVE-2025-24481 if version 15.0 upgrade is not immediately possible
- HOTFIX: Apply patch Answer ID 1152304 for CVE-2025-24482 if version 15.0 upgrade is not immediately possible
Long-term hardening
- HARDENING: Segment FactoryTalk View Site Edition workstations from the Internet and general business networks using firewalls
CVEs (2)