Rockwell Automation FactoryTalk ViewPoint

Monitor · CVSS 7.5 · ICS-CERT ICSA-25-289-03 · Oct 14, 2025
Rockwell Automation
Attack path
  Attack Vector: Network
  Auth Required: None
  Complexity: Low
  User Interaction: None needed
Summary

FactoryTalk ViewPoint and PanelView Plus 7 terminals are vulnerable to XML external entity (XXE) injection via malicious XML input. An unauthenticated attacker can send a crafted XML file to trigger resource exhaustion or application hang, causing temporary denial of service to the HMI. FactoryTalk ViewPoint has no fix planned. PanelView Plus 7 Standard/Performance Series A requires firmware patch AID BF30506; Performance Series B requires firmware v14.103 or later. The vulnerability impacts operational visibility and manual control capability during an attack.

What this means
What could happen
An unauthenticated attacker could trigger a denial-of-service condition on FactoryTalk ViewPoint or PanelView Plus 7 terminals by sending a malicious XML file, temporarily interrupting operator access to the HMI and process monitoring/control.
Who's at risk
This affects operators and engineering teams at manufacturing, water treatment, and electric utilities that use Rockwell Automation FactoryTalk ViewPoint (all versions) for SCADA visualization or PanelView Plus 7 terminals for local process monitoring and control. Any facility with these HMI systems on a network accessible to potential attackers is at risk of temporary loss of operator visibility and control capability.
How it could be exploited
An attacker sends a specially crafted XML file with external entity references to FactoryTalk ViewPoint or PanelView Plus 7. The application parses the XML without proper validation, triggering resource consumption or application hang, rendering the HMI unavailable to operators.
Prerequisites
  • Network access to the FactoryTalk ViewPoint or PanelView Plus 7 service port (typically 80/443 or proprietary ports)
  • No authentication required
  • Device must be configured to accept XML uploads or requests from the attacker's network
Tags: remotely exploitable, no authentication required, low complexity, denial-of-service impact on HMI availability, affects operator control interface
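The parsing defect described above (XML accepted from the network and handed to a parser that honours entity declarations) is best countered at the parser boundary, not only at the firewall. The following is an added example, not code from Rockwell Automation or from this advisory: it assumes a Python service that receives XML from an untrusted network peer, and it applies an assumed policy of capping document size and refusing any DOCTYPE, because both external entities (XXE) and nested entity expansion require a DTD. The sample documents are constructed for the demonstration.

```python
"""Refuse DTD-bearing XML from untrusted sources before it reaches the application parser."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when an XML document is refused before full parsing."""


def parse_untrusted_xml(xml_bytes: bytes, max_bytes: int = 256 * 1024) -> ET.Element:
    """Parse XML from an untrusted source with XXE / entity-expansion defences.

    Policy (assumed for this example, not taken from the advisory):
      1. cap the raw document size, so a large upload cannot exhaust memory;
      2. refuse any DOCTYPE declaration: external entities and nested entity
         expansion both need a DTD, so disallowing the DTD removes the whole
         class instead of trying to enumerate individual bad entities.
    """
    if len(xml_bytes) > max_bytes:
        raise UnsafeXML(f"document of {len(xml_bytes)} bytes exceeds limit {max_bytes}")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # expat calls this as soon as it sees <!DOCTYPE ...>, before any entity
        # declared inside it can be expanded. Raising here aborts Parse().
        raise UnsafeXML(f"DOCTYPE '{name}' is not accepted from untrusted input")

    def on_external_entity(context, base, sysid, pubid):
        # Second line of defence: never resolve an external entity reference.
        raise UnsafeXML(f"external entity reference to {sysid!r} refused")

    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = on_doctype
    checker.ExternalEntityRefHandler = on_external_entity
    checker.Parse(xml_bytes, True)  # raises UnsafeXML or expat.ExpatError on bad input

    # Only a DTD-free, size-bounded, well-formed document reaches the real parser.
    return ET.fromstring(xml_bytes)


# Constructed sample inputs (not taken from the advisory).
BENIGN = b'<?xml version="1.0"?><hmi><tag name="Pump1_Speed" value="42"/></hmi>'

# A DTD declaring an external entity: the XXE shape the advisory describes.
EXTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE hmi [<!ENTITY ext SYSTEM "http://invalid.example/x">]>'
                   b'<hmi>&ext;</hmi>')

# A DTD with nested internal entities: harmless at this size, but the shape
# that becomes a resource-exhaustion document when nested deeper.
NESTED_ENTITIES = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE hmi [<!ENTITY a "xx"><!ENTITY b "&a;&a;">]>'
                   b'<hmi>&b;</hmi>')

OVERSIZED = b"<hmi>" + b"x" * 300_000 + b"</hmi>"


def classify(xml_bytes: bytes) -> str:
    """Return 'accepted: ...' or 'rejected: <reason>' for one document."""
    try:
        root = parse_untrusted_xml(xml_bytes)
    except UnsafeXML as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"rejected: malformed ({exc})"
    return f"accepted: root <{root.tag}> with {len(root)} child element(s)"


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("external entity", EXTERNAL_ENTITY),
                       ("nested entities", NESTED_ENTITIES), ("oversized", OVERSIZED)]:
        print(f"{label:16s} -> {classify(doc)}")
```

The two-pass design keeps the policy independent of which application parser is used afterwards: the expat pre-check fires on the DOCTYPE token itself, so no declared entity is ever expanded, and the size cap runs before any parsing at all. Where a third-party library is available, the same policy is what `defusedxml` enforces by default.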
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (2)
1 pending, 1 EOL
Product | Affected Versions | Fix Status
FactoryTalk ViewPoint XXE | All versions | No fix (EOL)
PanelView Plus 7 Terminal | ≤ 14 | No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to FactoryTalk ViewPoint and PanelView Plus 7 terminals to authorized engineering workstations and HMI operator stations only; block access from untrusted networks with firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: For PanelView Plus 7 Standard/Performance Series A terminals: update to firmware patch AID BF30506 (applies to v12, v13, v14)
  • HOTFIX: For PanelView Plus 7 Performance Series B terminals: update to firmware version 14.103 or later
Mitigations - no patch available
FactoryTalk ViewPoint XXE has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Isolate control system networks containing FactoryTalk ViewPoint and PanelView Plus 7 devices from business networks and the internet using air-gapped connections or firewalls with strict access control lists
  • HARDENING: For FactoryTalk ViewPoint (no vendor fix planned): apply a defensive network architecture; ensure the application is not directly reachable from the internet or untrusted networks
API: /api/v1/advisories/c27bb4be-52c8-48e5-92d3-57bbfdadbf07