Rockwell FactoryTalk® Action Manager v1.0.0 Runtime Vulnerability

Monitor7.8SD1740Aug 13, 2025

Summary

Rockwell FactoryTalk Action Manager v1.0.0 and all other versions contain a runtime vulnerability that allows remote code execution. The vulnerability exists in the runtime processing logic and can be exploited by an attacker with network access to execute arbitrary commands with the privileges of the Action Manager process. No patch is currently available from Rockwell Automation.

What this means

What could happen

An attacker with network access could execute arbitrary code on the FactoryTalk Action Manager runtime, potentially allowing them to modify alarm responses, disable safety notifications, or disrupt automation workflow execution in connected industrial processes.

Who's at risk

Industrial facilities using Rockwell FactoryTalk Action Manager for alarm management, event handling, and automation workflow control should prioritize this. This includes water treatment plants, electric utilities, manufacturing facilities, and other critical infrastructure that rely on FactoryTalk for safety and process notifications.

How it could be exploited

An attacker on the network sends a crafted message to the FactoryTalk Action Manager runtime service. The vulnerability in the runtime processing logic fails to validate the input, allowing arbitrary code execution in the context of the Action Manager process, which typically has access to PLCs and safety systems.

Prerequisites

Network access to FactoryTalk Action Manager runtime service
No authentication required to trigger the vulnerability

remotely exploitableno authentication requiredno patch availableaffects safety systems

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

FactoryTalk Action ManagerAll versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGIsolate FactoryTalk Action Manager servers on a separate network segment (VLAN) with firewall rules that restrict inbound access to only authorized engineering workstations and control systems.

HARDENINGImplement network-level monitoring and detection rules to alert on unexpected connections to FactoryTalk Action Manager runtime ports.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGRestrict administrative and engineering access to FactoryTalk Action Manager to named user accounts with strong password policies and multi-factor authentication where supported.

Long-term hardening

0/1

WORKAROUNDMonitor Rockwell Automation security advisories for patches or future mitigations for this vulnerability.

CVEs (1)

CVE-2025-7532

View full Rockwell Automation advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0ffa756b-f880-4123-a6a2-22ec9a69b772