Rockwell Apache Vulnerability in FactoryTalk® Historian-ThingWorx Connection Server
Act Now9.8SD1728May 14, 2025
Summary
An Apache vulnerability in FactoryTalk Historian-ThingWorx Connection Server allows unauthenticated remote code execution. The vulnerability affects all versions of the Apache component embedded in the Connection Server. No vendor patch is currently available.
What this means
What could happen
An attacker with network access to the FactoryTalk Historian-ThingWorx Connection Server could execute arbitrary code on the server, potentially allowing them to read or modify production data, interfere with historian logging, or pivot to other systems on your network.
Who's at risk
This affects any organization running FactoryTalk Historian with ThingWorx integration, commonly found in manufacturing facilities (auto, pharma, food/beverage), chemical plants, and utilities. The historian is critical for compliance reporting (21 CFR Part 11, NIST) and stores operational records essential for production auditing and root cause analysis.
How it could be exploited
The vulnerability is in Apache software embedded in the Connection Server. An attacker can send a crafted request to the affected service port (typically port 80 or 443) without authentication. Once the attacker gains code execution, they can run commands as the service account, which often has access to historian databases and network credentials.
Prerequisites
- Network access to the FactoryTalk Historian-ThingWorx Connection Server
- The vulnerable Apache service must be running and exposed (either directly or on an internal network)
- No credentials required for exploitation
remotely exploitableno authentication requiredhigh EPSS score (49%)no patch availableaffects data integrity and compliance systems
Exploitability
High exploit probability (EPSS 49.0%)
Affected products (1)
ProductAffected VersionsFix Status
Apache Vulnerability inAll versionsNo fix yet
Remediation & Mitigation
0/4
Do now
0/2HOTFIXContact Rockwell Automation support immediately for a patched version or interim update of FactoryTalk Historian-ThingWorx Connection Server
WORKAROUNDIf a patch is not yet available, restrict network access to the Connection Server to only authorized engineering workstations and historian clients using a firewall or network ACL (allow only required source IPs and ports)
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
HARDENINGDeploy network segmentation to isolate the historian server on a separate VLAN with restricted routing to production systems
HARDENINGMonitor the server for suspicious connection attempts and unexpected process execution using host-based logging or EDR if available
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/ec14d3f5-8fa0-4c88-b357-07b5580ffbb2