Rockwell Automation FactoryTalk Optix

Plan Patch | CVSS 7.1 | ICS-CERT ICSA-25-252-04 | Sep 9, 2025
Rockwell Automation
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: Required
Summary

A vulnerability in Rockwell Automation FactoryTalk Optix (versions 1.5.0 through 1.5.7) allows remote code execution due to insufficient input validation. An attacker with local network access and valid user credentials could exploit this flaw to execute arbitrary commands on affected HMI/SCADA visualization systems. FactoryTalk Optix Remote (all versions) is also affected but will not receive a vendor patch. Rockwell Automation recommends updating to version 1.6.0 or later for FactoryTalk Optix. No public exploitation has been reported.

What this means
What could happen
An attacker could execute arbitrary commands on a FactoryTalk Optix visualization or HMI system, potentially altering process setpoints, creating false alarms, or disrupting operator visibility and control of industrial operations.
Who's at risk
This vulnerability affects organizations using Rockwell Automation FactoryTalk Optix HMI/SCADA visualization software in manufacturing, water treatment, energy, and utility environments. FactoryTalk Optix is commonly deployed on engineering workstations and operator consoles to monitor and control industrial processes. Organizations running FactoryTalk Optix Remote should be aware that this product will not receive a patch and requires compensating network controls.
How it could be exploited
An attacker with local network access and valid user credentials could exploit an input validation flaw in FactoryTalk Optix to inject malicious commands that execute with the privileges of the running application. The high attack complexity suggests the exploit requires specific conditions or user interaction, but successful exploitation results in remote code execution on the HMI/SCADA client.
Prerequisites
  • Network access to the FactoryTalk Optix application from an internal network segment
  • Valid user credentials to authenticate to FactoryTalk Optix or the Optix Runtime environment
  • User interaction required (user action or social engineering to trigger the malicious input)
Tags: remotely exploitable, valid credentials required, high attack complexity, no patch available for FactoryTalk Optix Remote product line
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)
1 with fix, 1 EOL
Product | Affected Versions | Fix Status
FactoryTalk Optix | ≥ 1.5.0, ≤ 1.5.7 | 1.6.0
FactoryTalk Optix Remote | All versions | No fix (EOL)
Remediation & Mitigation
Do now
FactoryTalk Optix Remote
WORKAROUND: For FactoryTalk Optix Remote installations where no patch is available, implement network segmentation and restrict remote access using VPN or jump servers with strict access controls
All products
WORKAROUND: Restrict network access to FactoryTalk Optix applications using host-based or network firewalls; only permit access from authorized engineering workstations and operator consoles
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update FactoryTalk Optix to version 1.6.0 or later
Mitigations - no patch available
FactoryTalk Optix Remote has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate FactoryTalk Optix systems and any control network segments from business networks using a demilitarized zone (DMZ) or air-gap architecture
HARDENING: Enforce strong authentication (e.g., multi-factor authentication or strong password policies) for all FactoryTalk Optix user accounts
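
To apply the affected-versions table and the remediation steps above to an asset inventory, the following added example (not part of the advisory or any Rockwell Automation tooling) sorts hosts into patch, compensating-control, and manual-check groups. The CSV layout, host names, and action labels are assumptions made for illustration; only the version bounds and the fix version come from the advisory.

```python
import csv
import io
import re

# Version bounds and fix version taken from the advisory's affected-products table.
AFFECTED_MIN = (1, 5, 0)
AFFECTED_MAX = (1, 5, 7)
FIXED = "1.6.0"

# Constructed sample inventory (hosts and versions are made up for illustration).
SAMPLE_INVENTORY = """host,product,version
hmi-line1,FactoryTalk Optix,1.5.3
hmi-line2,FactoryTalk Optix,1.6.0
eng-ws-07,FactoryTalk Optix,1.4.2
panel-12,FactoryTalk Optix Remote,1.2.0
hmi-line3,FactoryTalk Optix,unknown
hist-01,Other Product,3.1.0
"""

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not a dotted version."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*\s*", text or "")
    if not m:
        return None
    # A missing patch component is treated as 0; extra build fields are ignored.
    return tuple(int(g or 0) for g in m.groups())

def triage(row):
    """Map one inventory row to an action label (labels are hypothetical)."""
    product = row["product"].strip().lower()
    if product == "factorytalk optix remote":
        # All versions affected and no vendor fix: compensating controls only.
        return "EOL_NO_FIX"
    if product != "factorytalk optix":
        return "OUT_OF_SCOPE"
    version = parse_version(row["version"])
    if version is None:
        # Never assume an unreadable version is safe; check the host by hand.
        return "VERIFY_VERSION"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "PATCH_TO_" + FIXED
    return "NOT_LISTED_AS_AFFECTED"

def triage_inventory(csv_text):
    """Return {host: action} for every row of the inventory CSV."""
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {action}")
```

Hosts labelled EOL_NO_FIX map to the segmentation and access-restriction workarounds; hosts labelled VERIFY_VERSION need the installed version confirmed before they are counted as unaffected.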

Rockwell Automation FactoryTalk Optix | CVSS 7.1 - OTPulse