Rockwell Automation FactoryTalk Activation Manager

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-25-252-05 | Sep 9, 2025
Rockwell Automation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in FactoryTalk Activation Manager version 5.00 allows an unauthenticated remote attacker to expose sensitive data (licensing information, authentication tokens) and potentially hijack sessions. The vulnerability is caused by a flaw in session or data handling (CWE-303: Use of Insufficiently Random Values). Successful exploitation could compromise control system access management and enable unauthorized access to FactoryTalk-managed environments. Version 5.02 and later contain the fix; some older versions may not receive patches.

What this means
What could happen
An attacker with network access to FactoryTalk Activation Manager could read sensitive licensing and configuration data or hijack sessions, potentially compromising the integrity of your FactoryTalk deployments and control system access management.
Who's at risk
Organizations running Rockwell Automation FactoryTalk should care about this vulnerability. FactoryTalk Activation Manager is the licensing and authentication hub for FactoryTalk deployments, which support industrial automation environments including manufacturing plants, water systems, and utility control centers. Any compromise of this service could affect your entire FactoryTalk ecosystem.
How it could be exploited
An attacker on your network could send requests to the FactoryTalk Activation Manager service (port 443 by default) and exploit a flaw in session or data handling to extract authentication tokens, licensing information, or other sensitive data without needing credentials. This data could be used to impersonate users or systems.
Prerequisites
  • Network access to FactoryTalk Activation Manager (typically port 443)
  • Running FactoryTalk Activation Manager version 5.00 or other affected versions
  • No authentication required
remotely exploitable, no authentication required, low complexity, affects licensing and session management
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)
1 with fix, 1 EOL
Product | Affected Versions | Fix Status
FactoryTalk Activation Manager: 5.00 | 5.00 | 5.02+
FactoryTalk Activation Manager | All versions | No fix (EOL)
Remediation & Mitigation
Do now
FactoryTalk Activation Manager
WORKAROUND: Restrict network access to FactoryTalk Activation Manager to only authorized engineering and administrative workstations using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FactoryTalk Activation Manager
HOTFIX: Update FactoryTalk Activation Manager to version 5.02 or later
Mitigations - no patch available
FactoryTalk Activation Manager has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Ensure FactoryTalk Activation Manager is not directly accessible from business networks or the internet; place it behind your OT network boundary
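
One way to apply the WORKAROUND and HARDENING items on the Activation Manager host itself, as an added example that is not Rockwell Automation's or the advisory's own code. It assumes Windows Defender Firewall is the host firewall and uses the default port 443 stated above; the workstation addresses and rule name are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Assumes Windows Defender Firewall on the
# Activation Manager host and the advisory's default port (TCP 443).
$Port       = 443
$Authorized = @('192.0.2.10', '192.0.2.11')   # constructed placeholder workstation IPs
$RuleName   = 'FTAM 443 - authorized workstations (example)'  # hypothetical rule name

# 1. Show each profile's default inbound action. The allow-list only restricts
#    traffic if unmatched inbound connections are blocked.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize | Out-Host

# 2. List enabled inbound Allow rules that expose the port to any remote address.
#    Port ranges (e.g. "400-500") are not expanded here; review those by hand.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        ($pf.Protocol -in 'TCP', 'Any') -and
        (@($pf.LocalPort) -contains "$Port" -or @($pf.LocalPort) -contains 'Any') -and
        (@($af.RemoteAddress) -contains 'Any')
    }

if ($broad) {
    Write-Warning "These rules still allow TCP $Port from any address; narrow or disable them:"
    $broad | Select-Object DisplayName, Profile | Format-Table -AutoSize | Out-Host
}

# 3. Add the scoped allow rule once (safe to re-run).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -RemoteAddress $Authorized -Profile Any | Out-Null
}
```

The script only reports broad rules rather than disabling them, so the port stays reachable from any address until those rules are narrowed or turned off.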