Rockwell Automation FactoryTalk AssetCentre
Act Now | 9.8 | ICS-CERT ICSA-25-030-05 | Jan 30, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
FactoryTalk AssetCentre versions below 15.00.01 contain multiple vulnerabilities related to weak encryption of stored credentials (CVE-2025-0477) and privilege escalation flaws in utility functions (CVE-2025-0497, CVE-2025-0498). Successful exploitation allows an attacker to extract passwords, access credentials, or impersonate other users with access to engineering workstations and automation systems. Affected utilities include LogCleanUp, ArchiveLogCleanUp, EventLogAttachmentExtractor, and ArchiveExtractor in legacy versions.
What this means
What could happen
An attacker could extract stored passwords and credentials from the FactoryTalk AssetCentre database, enabling unauthorized access to engineering workstations, PLCs, and other automation systems. This could allow an attacker to modify process parameters, disable safety controls, or disrupt plant operations.
Who's at risk
FactoryTalk AssetCentre administrators and operators at any facility using versions below 15.00.01. This affects manufacturers, water utilities, electric utilities, and any facility using Rockwell Automation systems for engineering workstation management and automation asset inventory. The vulnerability directly impacts any plant that relies on FactoryTalk AssetCentre to manage credentials for access to PLCs, drives, and other control devices.
How it could be exploited
An attacker with network access to the FactoryTalk AssetCentre database or the machine hosting it could exploit weak encryption of stored credentials (CVE-2025-0477) or local privilege escalation vulnerabilities (CVE-2025-0497, CVE-2025-0498) to extract plaintext passwords or impersonate legitimate users. Once credentials are obtained, the attacker can log in to engineering workstations and control systems.
Prerequisites
- Network access to FactoryTalk AssetCentre database server on affected versions below 15.00.01
- For CVE-2025-0497/0498: Local access or ability to execute code on the AssetCentre machine
- Access to the database table storing encrypted credentials
- Remotely exploitable via network access to database
- No authentication required for some attack paths
- Low complexity exploit
- Critical CVSS score (9.8)
- High confidentiality and integrity impact
- Affects systems that manage credentials for all automation devices
- No patch available for versions significantly below 15.00.01
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (1)
Product | Affected Versions | Fix Status
FactoryTalk AssetCentre: <V15.00.001 | <V15.00.001 | 15.00.01
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to the FactoryTalk AssetCentre database to only authorized engineering workstations and automation systems using firewall rules or database access controls
- HARDENING: Restrict physical access to the FactoryTalk AssetCentre machine to authorized personnel only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update FactoryTalk AssetCentre to version 15.00.01 or later
- HOTFIX: For legacy versions unable to update immediately: Install Rockwell Automation January 2025 monthly patch rollup or later to patch LogCleanUp and ArchiveLogCleanUp utilities
- HOTFIX: For legacy versions: Download and apply patch files from article BF31148 for EventLogAttachmentExtractor and ArchiveExtractor utilities