OTPulse

Rockwell Automation FactoryTalk Optix

Priority: Plan Patch
CVSS: 7.1
Advisory: ICS-CERT ICSA-25-252-04
Published: Sep 9, 2025
Attack Vector: Network
Privileges Required: Low
Attack Complexity: High
User Interaction: Required
Summary

FactoryTalk Optix versions 1.5.0 through 1.5.7 contain an input validation vulnerability (CWE-20) that could allow an authenticated attacker to achieve remote code execution. Exploitation requires valid engineering credentials and user interaction (opening a file or accepting a prompt). Successful exploitation could result in unauthorized command execution on the Optix server, potentially allowing an attacker to alter setpoints, stop production, or otherwise interfere with manufacturing operations.

What this means
What could happen
An attacker with valid engineering credentials and user interaction could execute arbitrary code on FactoryTalk Optix servers, potentially allowing unauthorized control of industrial processes and manufacturing systems.
Who's at risk
Manufacturing facilities and plants using Rockwell Automation FactoryTalk Optix for process visualization, HMI (human-machine interface), and SCADA applications. This includes discrete manufacturers, process plants, and any facility relying on Optix for real-time monitoring and control of production equipment.
How it could be exploited
An attacker must have valid engineering workstation credentials and must trick a user into opening a malicious file or accepting a prompt. Once that interaction occurs, the attacker can execute code on the Optix server with the privileges of the user who accepted it. Network access to the Optix application is required, and CVSS rates the attack complexity as High; the credential (PR:L) and user interaction (UI:R) requirements are scored separately and further lower the likelihood of exploitation without removing it.
Prerequisites
  • Valid engineering workstation credentials for FactoryTalk Optix
  • Network access to FactoryTalk Optix application server (typically port 443/HTTPS)
  • User interaction required (user must open a malicious file or accept a prompt)
  • FactoryTalk Optix version 1.5.0 through 1.5.7
  • Remotely exploitable over the network
  • Requires valid credentials (reduces but does not eliminate risk)
  • High attack complexity mitigates severity
  • Affects process control and monitoring systems
  • Vendor has released a patch (1.6.0)
Exploitability
Low exploit probability (EPSS 0.1%, i.e. a low estimated chance of in-the-wild exploitation within the next 30 days)
Affected products (1)
Product            | Affected Versions       | Fix Status
FactoryTalk Optix  | ≥ 1.5.0 and ≤ 1.5.7     | Fixed in 1.6.0
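The affected range is bounded on both sides, and a common inventory mistake is to compare version strings lexically, where "1.5.10" sorts before "1.5.7" and would be wrongly flagged. The following is an added example, not OTPulse's or Rockwell Automation's code: it parses version strings numerically, classifies them against the advisory's published range and fix version, and triages a constructed sample inventory. How a real inventory obtains the installed Optix version (installer records, the product's About dialog, an asset-management export) is outside the example and is an assumption.

```python
"""Classify FactoryTalk Optix version strings against ICSA-25-252-04.

Added example, not OTPulse's or Rockwell Automation's code. The inventory
below is constructed for illustration; how the version string is collected
from a real installation is an assumption and is not covered here.
"""
from __future__ import annotations

import re
from typing import Iterable

# Range published in the advisory: 1.5.0 <= version <= 1.5.7, fixed in 1.6.0.
AFFECTED_MIN = (1, 5, 0)
AFFECTED_MAX = (1, 5, 7)
FIXED_IN = (1, 6, 0)

# Accepts "1.5.3", "v1.5.3", "1.5.3.1234" or "1.5.3-rc1"; only the first
# three numeric fields take part in the comparison.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?\s*$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse major.minor.patch into integers; raise ValueError on junk."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def naive_string_check(text: str) -> bool:
    """Lexical comparison, included only to show why it is wrong."""
    return "1.5.0" <= text.strip() <= "1.5.7"


def classify(text: str) -> str:
    """'affected', 'fixed' (>= 1.6.0) or 'outside-published-range'."""
    v = parse_version(text)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_IN:
        return "fixed"
    # Below 1.5.0, or above 1.5.7 but below the fix version: not listed in
    # the advisory, so confirm with the vendor rather than assume safe.
    return "outside-published-range"


def triage(inventory: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Group hosts by classification; unparsable entries are surfaced, not dropped."""
    buckets: dict[str, list[str]] = {}
    for host, version in inventory:
        try:
            key = classify(version)
        except ValueError:
            key = "unparsable"
        buckets.setdefault(key, []).append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("optix-hmi-01", "1.5.3"),
    ("optix-hmi-02", "1.5.7"),
    ("optix-hmi-03", "1.5.10"),   # lexical check wrongly flags this one
    ("optix-eng-01", "1.6.0"),
    ("optix-test", "1.4.2"),
    ("optix-panel-07", "n/a"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

Anything landing in "outside-published-range" above the fix version cannot happen by construction, but versions between 1.5.7 and 1.6.0 can; treat those as "confirm with Rockwell" rather than "not affected", since the advisory only names the range it tested.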
Remediation & Mitigation
Do now
HARDENING: Restrict network access to FactoryTalk Optix servers to authorized engineering workstations only, using firewall rules or network segmentation
WORKAROUND: If the upgrade cannot be applied immediately, follow Rockwell Automation's published security best practices; in particular, engineering users should not open project files or accept prompts they did not expect, since that interaction is what triggers the vulnerability
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update FactoryTalk Optix to version 1.6.0 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate FactoryTalk Optix and control system networks from business networks and the internet
HARDENING: Require use of VPN or other secure remote access methods if engineers need to connect from outside the facility