Rockwell FactoryTalk Linx

Plan PatchCVSS 9ICS-CERT ICSA-25-226-24Aug 14, 2025

Rockwell Automation

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A privilege escalation vulnerability in FactoryTalk Linx (CWE-284) allows an attacker with local access to create, update, and delete FTLinx drivers without proper authorization checks. This affects FactoryTalk Linx versions prior to 6.50. FactoryTalk Linx Network is affected in all versions with no patch planned. Successful exploitation could disrupt communication between engineering tools and PLCs or alter driver configurations to interfere with control operations.

What this means

What could happen

An attacker with local access could create, update, or delete FactoryTalk Linx drivers, potentially disabling connectivity to programmable logic controllers (PLCs) or altering driver behavior to interfere with plant communications.

Who's at risk

Organizations operating Rockwell Automation FactoryTalk Linx engineering environments, including manufacturing plants, water utilities, and power systems that use FactoryTalk for PLC programming and device communication.

How it could be exploited

An attacker must first gain local access to a machine running FactoryTalk Linx (versions below 6.50). From there, they can exploit an authorization bypass vulnerability (CWE-284) to create, modify, or remove FTLinx drivers without proper privilege verification. This could sever communication between engineering workstations and field control devices.

Prerequisites

Local access to the machine running FactoryTalk Linx
FactoryTalk Linx version 6.49 or earlier
No authentication or elevated privileges required on the target machine

Affects safety-critical industrial control systemsNo patch available for FactoryTalk Linx Network (all versions)Local access required but no authentication checks in place

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (2)

1 with fix1 EOL

ProductAffected VersionsFix Status

FactoryTalk Linx: <6.50<6.506.50

FactoryTalk Linx NetworkAll versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

FactoryTalk Linx Network

WORKAROUNDFor FactoryTalk Linx Network (all versions, no patch available), ensure the system is behind a firewall and not accessible from the internet or untrusted networks

All products

HARDENINGRestrict physical and network-based local access to engineering workstations running FactoryTalk Linx to authorized personnel only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate FactoryTalk Linx to version 6.50 or later

Mitigations - no patch available

0/1

FactoryTalk Linx Network has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate FactoryTalk Linx engineering networks from business networks using a firewall or air gap

CVEs (1)

CVE-2025-7972

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/51ff9d4c-9fa8-4296-90d2-ee402ef21065

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.