Rockwell Automation FactoryTalk Action Manager

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-25-226-30 | Aug 14, 2025
Rockwell Automation
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

FactoryTalk Action Manager versions 1.0.0 through 1.00.x contain a vulnerability that allows a local unauthenticated attacker to listen to and manipulate communications between the application and industrial devices. The vulnerability stems from insufficient protection of local inter-process communications. Successful exploitation could allow an attacker to intercept sensitive operational data or inject malicious commands to control system devices.

What this means
What could happen
A local attacker without credentials could intercept communications to and from FactoryTalk Action Manager and modify those messages, potentially allowing them to change process logic or operator commands sent to industrial devices.
Who's at risk
This affects any organization using Rockwell Automation FactoryTalk Action Manager version 1.0.0 through 1.00.x. FactoryTalk Action Manager is commonly used in manufacturing facilities to create automated responses to alarms and events from PLCs, RTUs, and other control devices. Any facility relying on FactoryTalk for production automation, batch processes, or safety-critical logic should prioritize the update.
How it could be exploited
An attacker with local access to the machine running FactoryTalk Action Manager (physical console or local network access) can intercept unencrypted or weakly protected communications between the application and connected control system devices, enabling them to read sensitive data or inject malicious commands.
Prerequisites
  • Local access to the computer running FactoryTalk Action Manager
  • FactoryTalk Action Manager version 1.0.0 through 1.00.x must be installed
Local access required; no authentication required; affects critical supervisory system (HMI/SCADA software); communications interception and manipulation possible
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product: FactoryTalk Action Manager
Affected Versions: ≥ 1.0.0, < 1.01
Fix Status: 1.01+
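
An added example, not part of the advisory or of Rockwell's tooling: a triage script that applies the affected range above (1.0.0 up to, but not including, 1.01) to an asset-inventory export. The CSV layout, the host names and the assumption that version components compare numerically (so 1.00.3 sorts below 1.01) are constructed for illustration.

```python
import csv
import io
import re

PRODUCT = "FactoryTalk Action Manager"
AFFECTED_MIN = (1, 0, 0)  # advisory: affected from 1.0.0
FIXED_IN = (1, 1, 0)      # advisory: fixed in 1.01 (assumed numeric: minor 01 == 1)

# Constructed sample export; hosts and column names are hypothetical.
SAMPLE_INVENTORY = """\
host,product,version
ews-01,FactoryTalk Action Manager,1.0.0
ews-02,FactoryTalk Action Manager,1.00.3
hmi-07,FactoryTalk Action Manager,1.01
hmi-09,factorytalk action manager,v1.1.2
srv-03,FactoryTalk Action Manager,1.00.x
srv-04,Other Product,1.0.0
"""


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if not purely numeric."""
    cleaned = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        return None
    parts = [int(p) for p in cleaned.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(version_text):
    """Map a version string onto the advisory's affected range."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"        # wildcard or free text: check the host by hand
    if version >= FIXED_IN:
        return "fixed"
    if version >= AFFECTED_MIN:
        return "affected"
    return "outside-range"      # below 1.0.0, not covered by the advisory


def triage(csv_text):
    """Return (host, version, status) for every row of the product."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["host"], r["version"], classify(r["version"]))
            for r in rows if r["product"].strip().lower() == PRODUCT.lower()]


if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {version:8} {status}")
```

Rows that come back as "unknown" should be checked on the host itself rather than assumed patched.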
Remediation & Mitigation
Do now
HARDENING: Restrict local access to computers running FactoryTalk Action Manager to authorized personnel only
HARDENING: Ensure FactoryTalk Action Manager is not accessible from the internet or untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update FactoryTalk Action Manager to version 1.01 or later
Long-term hardening
HARDENING: Isolate FactoryTalk Action Manager systems from business networks using a firewall or network segmentation