Rockwell Automation FactoryTalk Activation Manager
Plan Patch | 7.5 | ICS-CERT ICSA-25-252-05 | Sep 9, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
FactoryTalk Activation Manager version 5.00 contains an authentication or session handling vulnerability (CWE-303) that could allow an unauthenticated attacker on the network to read sensitive data, hijack user sessions, or compromise communication with the service. This could expose factory licensing information, asset management data, or enable credential theft for further system compromise.
What this means
What could happen
An attacker could read sensitive data from FactoryTalk Activation Manager or hijack user sessions, potentially gaining access to factory licensing and asset management information or obtaining credentials to access other systems.
Who's at risk
Manufacturing facilities and utilities using Rockwell Automation FactoryTalk Activation Manager for license and asset management. This affects any organization that uses FactoryTalk products for industrial control, particularly those with version 5.00.
How it could be exploited
An attacker on the network sends a crafted request to the unpatched FactoryTalk Activation Manager service. The vulnerability in session handling or authentication allows the attacker to read sensitive data or assume another user's session without providing valid credentials.
Prerequisites
- Network access to FactoryTalk Activation Manager (default port or configured port)
- No authentication required
remotely exploitable | no authentication required | low complexity | affects licensing and system access control
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
FactoryTalk Activation Manager: 5.00 | 5.00 | 5.02 or later
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to FactoryTalk Activation Manager by placing it behind a firewall and limiting connections to only authorized engineering workstations
- HARDENING: If remote access to FactoryTalk Activation Manager is required, enforce use of a VPN with multi-factor authentication
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update FactoryTalk Activation Manager to Version 5.02 or later
Long-term hardening
- HARDENING: Isolate FactoryTalk Activation Manager and the control system network from the business network using air-gapping or network segmentation
CVEs (1)