Rockwell Automation has released a series of advisories addressing in several of its FactoryTalk and ArmorStart product lines. These , discovered through internal testing, could allow attackers to gain SYSTEM-level privileges, delete critical files, or trigger denial-of-service (DoS) conditions in industrial automation environments.
FactoryTalk Linx: SYSTEM-Level Privilege Escalation (CVE-2025-9067, CVE-2025-9068)
The most severe issues affect FactoryTalk Linx, a communications platform connecting Allen-Bradley control systems to Rockwell and third-party applications. Two — CVE-2025-9067 and CVE-2025-9068 — involve improper repair handling in Microsoft Installer (MSI) files that ship with FactoryTalk Linx.
In both cases, authenticated attackers with Windows credentials can initiate an MSI repair process and hijack the resulting console window to spawn a SYSTEM-level command prompt.
As Rockwell explains, “Authenticated attackers with valid Windows user credentials can initiate a repair and hijack the resulting console window. This allows the launching of a command prompt running with SYSTEM-level privileges, allowing full access to all files, processes, and system resources.”
Both vulnerabilities score CVSS v3.1: 7.8 and CVSS v4.0: 8.5, classified under CWE-268: Privilege Chaining. The company recommends upgrading to FactoryTalk Linx version 6.50 or later and applying Microsoft’s MSI repair patch to address the underlying Windows issue.
FactoryTalk View Machine Edition: Path Traversal Deletion (CVE-2025-9064)
A path traversal (CVE-2025-9064) has been identified in FactoryTalk View Machine Edition, which allows unauthenticated attackers on the same network to delete arbitrary files on the target panel.
According to the advisory, “A path traversal issue exists within FactoryTalk View Machine Edition, allowing unauthenticated attackers on the same network as the device to delete any file within the panel’s operating system.”
Exploitation requires knowledge of the filenames to be deleted, but successful attacks could result in system corruption or data loss. The issue affects versions prior to V15.00, and users are advised to upgrade to FactoryTalk View ME V15.00 or apply Patch BF31001 for supported ASEM 6300 IPCs and PanelView Plus 7 terminals.
FactoryTalk View Machine Edition: Authentication Bypass in Web Browser ActiveX (CVE-2025-9063)
Another in FactoryTalk View ME, tracked as CVE-2025-9063, affects the Web Browser ActiveX control used in PanelView Plus 7 Series B terminals. The could allow unauthorized access to system files, diagnostics, and event logs.
Rockwell Automation notes, “An authentication bypass security issue exists within FactoryTalk View Machine Edition Web Browser ActiveX control. Exploitation of this vulnerability allows unauthorized access to the PanelView Plus 7 Series B, including access to the file system, retrieval of diagnostic information, event logs, and more.”
FactoryTalk ViewPoint: XXE to Denial-of-Service (CVE-2025-9066)
In FactoryTalk ViewPoint, Rockwell identified an XML External Entity (XXE) vulnerability that can be abused via malicious SOAP requests, leading to a temporary denial-of-service condition.
The advisory states, “A security issue was discovered within FactoryTalk ViewPoint, allowing unauthenticated attackers to achieve XXE. Certain SOAP requests can be abused to perform XXE, resulting in a temporary denial-of-service.”
Tracked as CVE-2025-9066, the vulnerability impacts PanelView Plus 7 terminals running firmware version 14 and earlier. Firmware fix Patch AID BF30506 is available for affected devices.
ArmorStart AOP: Denial-of-Service via COM Method Exception (CVE-2025-9437)
The ArmorStart AOP add-on profile for Studio 5000 Logix Designer is affected by a denial-of-service flaw (CVE-2025-9437). Improper handling of invalid input values in Component Object Model (COM) methods can cause the software to crash, disrupting motor controller operations.
Rockwell describes the issue: “A security issue exists within the Studio 5000 Logix Designer add-on profile (AOP) for the ArmorStart Classic distributed motor controller, resulting in denial-of-service. This vulnerability is possible due to the input of invalid values into Component Object Model (COM) methods.”
Rockwell advises following standard industrial security best practices, including network segmentation and access restriction to engineering workstations.
- CVE-2025-7972: Rockwell Automation Patches Critical Security Bypass in FactoryTalk Linx
- Critical Vulnerabilities Found in Rockwell Automation FactoryTalk ThinManager
- Rockwell Automation Products Face Critical Security Risks, Urgent Patching Required
- CVE-2025-0477 (CVSS 9.8): Critical Security Flaw in Rockwell Automation’s FactoryTalk AssetCentre
- Critical Vulnerabilities Discovered in Ivanti Connect Secure and Policy Secure
