OTPulse
FeedAboutContact

Rockwell FactoryTalk Linx

Plan Patch9ICS-CERT ICSA-25-226-24Aug 14, 2025
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

FactoryTalk Linx versions before 6.50 contain an improper access control vulnerability (CWE-284) that allows an attacker with local system access to create, update, and delete FTLinx driver definitions. Drivers are the components that enable the HMI software to communicate with industrial control devices such as PLCs and RTUs. Exploitation could disrupt this communication or allow unauthorized modifications to the driver configuration, potentially affecting process control and monitoring. Rockwell Automation recommends updating to version 6.50 or later.

What this means
What could happen
An attacker with local access to a machine running FactoryTalk Linx could create, modify, or delete driver configurations, potentially disrupting communication between the HMI software and industrial control devices or allowing unauthorized process changes.
Who's at risk
Manufacturing facilities, water authorities, and utility operators using Rockwell Automation FactoryTalk Linx HMI software (version 6.50 or earlier) for process monitoring and control. This includes any site where FactoryTalk Linx manages communication with PLCs, remote terminal units (RTUs), variable frequency drives (VFDs), or other industrial devices.
How it could be exploited
An attacker with local system or administrative access to a Windows machine running FactoryTalk Linx can exploit an access control flaw to create, update, or delete FTLinx driver definitions. This allows them to modify how the HMI communicates with PLCs, VFDs, or other field devices, or to sever those communications entirely.
Prerequisites
  • Local access to the machine running FactoryTalk Linx
  • User-level or higher privileges on the Windows system
  • FactoryTalk Linx version earlier than 6.50 installed
Local access requiredLow complexity attackHigh impact on driver configurationAffects HMI-to-device communicationNo patch available yet (workaround until upgrade feasible)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
FactoryTalk Linx: <6.50<6.506.50
Remediation & Mitigation
0/4
Do now
0/1
HARDENINGRestrict local access to engineering workstations running FactoryTalk Linx through physical access controls and local account hardening
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate FactoryTalk Linx to version 6.50 or later
Long-term hardening
0/2
HARDENINGIsolate HMI and engineering networks from business networks and the internet using firewalls and network segmentation
HARDENINGImplement and enforce the principle of least privilege for user accounts on Windows systems running FactoryTalk Linx
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/51ff9d4c-9fa8-4296-90d2-ee402ef21065
Rockwell FactoryTalk Linx | CVSS 9 - OTPulse