OTPulse

Rockwell FactoryTalk Optix Remote Code Execution Vulnerability

Monitor · CVSS 7.1 · SD1742 · Sep 9, 2025
Summary

Rockwell FactoryTalk Optix Remote contains a remote code execution vulnerability that allows an unauthenticated attacker with network access to the server to execute arbitrary code. The vulnerability affects all versions of FactoryTalk Optix Remote and currently has no vendor patch available. An attacker exploiting this flaw could gain control of HMI operations and all connected PLCs and field devices.

What this means
What could happen
An attacker can remotely execute code on FactoryTalk Optix Remote servers without authentication, gaining control over HMI systems and potentially altering process parameters, stopping operations, or exfiltrating production data.
Who's at risk
Manufacturing plants, water treatment facilities, and electric utilities that use FactoryTalk Optix Remote as their primary HMI (Human-Machine Interface) for remote monitoring and control of PLCs, drives, and field instruments. This affects any site where operators access process data or issue setpoint changes through Optix Remote, either locally or from engineering workstations.
How it could be exploited
An attacker with network access to the FactoryTalk Optix Remote server (typically on ports 443/HTTPS or 502/Modbus) can send a specially crafted request that exploits an input validation flaw to execute arbitrary code. No valid credentials are required. The attacker gains the same privileges as the application service account, which often has full access to PLCs and field devices on the plant network.
Prerequisites
  • Network access to FactoryTalk Optix Remote server (typically port 443 HTTPS or port 502)
  • FactoryTalk Optix Remote must be internet-facing or accessible from an attacker's network segment
  • No valid credentials required
Tags: remotely exploitable · no authentication required · no patch available · high CVSS score (7.1) · affects HMI/supervisory systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product                  | Affected Versions | Fix Status
FactoryTalk Optix Remote | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Implement network segmentation: isolate FactoryTalk Optix Remote servers on a separate VLAN with firewall rules allowing access only from trusted engineering workstations and historian servers
  • WORKAROUND: If exposed to untrusted networks (internet, corporate LAN), place FactoryTalk Optix Remote behind a VPN or restrict access to a whitelist of known source IPs
  • HARDENING: Run FactoryTalk Optix Remote with minimal service account privileges—do not use SYSTEM or domain administrator accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Monitor FactoryTalk Optix Remote logs for suspicious HTTP/HTTPS requests or failed authentication attempts
  • HOTFIX: Contact Rockwell Automation to request patches or updates for FactoryTalk Optix Remote; verify firmware/version status regularly
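The source-allowlist and log-monitoring items above, worked through as an added example that is not part of the OTPulse advisory or Rockwell's tooling: a Python check that reads flow-log lines (constructed here, in an assumed format) and flags any connection to the Optix Remote server's 443 or 502 port from outside the assumed engineering-workstation and historian ranges. The server address, trusted ranges and log format are all assumptions for the example.

```python
"""Allowlist check for FactoryTalk Optix Remote exposure (added example,
not Rockwell's or OTPulse's code). Flags connection-log entries that reach
the Optix server's HTTPS (443) or Modbus (502) port from a source outside
the trusted engineering-workstation and historian ranges the mitigations
call for. Addresses and the log format are constructed assumptions."""
import ipaddress
import re

OPTIX_SERVER = "10.20.30.5"  # assumed Optix Remote server address
EXPOSED_PORTS = {443, 502}   # ports named in the advisory
TRUSTED_SOURCES = [          # assumed allowlist
    ipaddress.ip_network("10.20.31.0/24"),   # engineering workstation VLAN
    ipaddress.ip_network("10.20.40.10/32"),  # historian server
]
# Assumed flow-log line shape: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def is_trusted(src_ip: str) -> bool:
    """True if src_ip falls inside one of the allowlisted ranges."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # an unparsable source is never trusted
    return any(addr in net for net in TRUSTED_SOURCES)

def flag_untrusted_access(lines: list[str]) -> list[dict[str, str]]:
    """Return entries hitting an exposed Optix port from a non-allowlisted source."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line: skip, do not abort the sweep
        if m["dst"] != OPTIX_SERVER or int(m["dport"]) not in EXPOSED_PORTS:
            continue
        if not is_trusted(m["src"]):
            findings.append({"ts": m["ts"], "src": m["src"],
                             "dport": m["dport"], "proto": m["proto"]})
    return findings

SAMPLE_LOG = [  # constructed sample lines
    "2025-09-10T08:00:01Z 10.20.31.17:51234 -> 10.20.30.5:443 tcp",  # engineering, ok
    "2025-09-10T08:00:05Z 10.20.40.10:40211 -> 10.20.30.5:502 tcp",  # historian, ok
    "2025-09-10T08:01:13Z 192.0.2.44:60001 -> 10.20.30.5:443 tcp",   # outside, flag
    "2025-09-10T08:01:20Z 10.20.50.8:33300 -> 10.20.30.5:502 tcp",   # corp LAN, flag
    "2025-09-10T08:02:00Z 10.20.50.8:33301 -> 10.20.30.5:22 tcp",    # other port, ignore
    "not a flow record",
]
```

Running `flag_untrusted_access(SAMPLE_LOG)` returns the two entries from 192.0.2.44 and 10.20.50.8; the same allowlist, expressed as firewall rules on the Optix VLAN boundary, is what the segmentation item above asks for.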