OTPulse

Rockwell Automation FactoryTalk Action Manager

Plan Patch · 7.8 · ICS-CERT ICSA-25-226-30 · Aug 14, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

FactoryTalk Action Manager versions 1.0.0 and earlier contain a vulnerability allowing local unauthenticated attackers to listen to and manipulate communications with the system. This could allow an attacker on the local network to intercept automation commands, alter event-driven actions, or eavesdrop on system communications.

What this means
What could happen
A local attacker could intercept and modify communications with the Action Manager system, potentially altering automation commands, production schedules, or event-driven actions running in your manufacturing environment.
Who's at risk
Manufacturing facilities, batch processes, and distributed control systems using Rockwell Automation FactoryTalk Action Manager for event-driven automation and task scheduling. This includes any operation relying on Action Manager to trigger PLCs, motor starters, alarms, or production sequences.
How it could be exploited
An attacker with local access to the device or its network segment could listen to unencrypted communications between the Action Manager and connected systems, capturing and potentially replaying or modifying commands to trigger unintended automation actions.
Prerequisites
  • Local network access to the FactoryTalk Action Manager device or its network segment
  • No credentials required
  • Physical access to the device or its local network connection
low complexity exploitation · local network access required · no authentication required · affects automation command flow · no patch available for some versions · unencrypted communications
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product: FactoryTalk Action Manager: >=1.0.0|<1.01
Affected Versions: ≥ 1.0.0|<1.01
Fix Status: 1.01 or later
Remediation & Mitigation
Do now
HARDENING: Isolate FactoryTalk Action Manager on a separate control network segment behind a firewall, preventing access from business networks and the internet
WORKAROUND: If remote access to the Action Manager is required, use a VPN with current security patches and strong authentication
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update FactoryTalk Action Manager to version 1.01 or later
Long-term hardening
HARDENING: Implement network segmentation to minimize local network exposure to the Action Manager system
API: /api/v1/advisories/3f67ed22-620e-4670-b334-2a62703bd416