Rockwell Automation FactoryTalk Linx

Plan Patch7.8ICS-CERT ICSA-25-289-02Oct 16, 2025

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

FactoryTalk Linx versions 6.40 and earlier contain a privilege escalation vulnerability in improper file permissions or privilege assignment (CWE-268). Successful exploitation allows a local user with non-administrative privileges to gain full access to all files, processes, and system resources. The vulnerability is not remotely exploitable and requires direct local system access. Rockwell Automation recommends upgrading to version 6.50 or later and applying the Microsoft MSI patch.

What this means

What could happen

An attacker with local access and low-level user privileges could gain full control of FactoryTalk Linx, reading and modifying all files, processes, and system configurations. This could allow them to alter production recipes, bypass safety interlocks, or disrupt manufacturing operations.

Who's at risk

Manufacturing facilities using FactoryTalk Linx for production control, recipe management, or process automation should prioritize this. At-risk sites include food and beverage processors, pharmaceutical manufacturers, automotive suppliers, and discrete manufacturers that use Rockwell Automation's MES or SCADA integration software. The vulnerability affects only the local system—plants with strong physical security and no untrusted local user accounts face lower risk.

How it could be exploited

An attacker with a non-privileged user account on the FactoryTalk Linx system must escalate privileges through an improper file permission or privilege assignment issue. No remote exploitation is possible; the attacker must already have local logon access to the system.

Prerequisites

Local user account on the FactoryTalk Linx system (non-administrative)
Direct access to the machine or remote desktop/terminal access to a logged-in user session
FactoryTalk Linx version 6.40 or earlier

Privilege escalation vulnerabilityNo authentication required (once local access obtained)Low complexity exploitationAffects system and process integrityNo fix available for older versions (end-of-life management required)

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (1)

ProductAffected VersionsFix Status

FactoryTalk Linx: <=6.40≤ 6.406.50 or later

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict physical and remote access to FactoryTalk Linx systems to authorized personnel only; disable remote desktop access if not required

WORKAROUNDFollow Rockwell Automation's security best practices for systems that cannot be upgraded immediately

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade FactoryTalk Linx to version 6.50 or later

HOTFIXApply the Microsoft patch for the MSI (Windows Installer) issue referenced in Rockwell Automation advisory SD1754

CVEs (2)

CVE-2025-9067 CVE-2025-9068

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c4764bcd-dbd7-4910-8ef9-56cff2246b54