CVE-2025-0498
📋 TL;DR
A data exposure vulnerability in Rockwell Automation FactoryTalk AssetCentre allows threat actors to steal user authentication tokens due to insecure storage. This enables impersonation of legitimate users within industrial control systems. All versions prior to V15.00.001 are affected.
💻 Affected Systems
- Rockwell Automation FactoryTalk AssetCentre
📦 What is this software?
FactoryTalk AssetCentre by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of FactoryTalk AssetCentre with unauthorized access to critical industrial control systems, potential manipulation of industrial processes, and lateral movement to other OT systems.
Likely Case
Unauthorized access to FactoryTalk AssetCentre with ability to view, modify, or delete asset management data, potentially disrupting industrial operations.
If Mitigated
Limited impact if proper network segmentation and access controls prevent token theft and lateral movement.
🎯 Exploit Status
Exploitation requires access to the system where tokens are stored. The vulnerability is in how tokens are stored, not in authentication mechanisms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V15.00.001
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1721.html
Restart Required: Yes
Instructions:
1. Download FactoryTalk AssetCentre V15.00.001 from Rockwell Automation.
2. Back up the current configuration and data.
3. Install the update following vendor documentation.
4. Restart the system and verify functionality.
🔧 Temporary Workarounds
Restrict File System Access
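Windows: Limit access to directories where FactoryTalk Security tokens are stored to prevent unauthorized reading. Because the entry below denies read access to Everyone, it also applies to administrators and service accounts, so confirm that FactoryTalk services still function after applying it.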
icacls "C:\ProgramData\Rockwell Automation\FactoryTalk Security\Tokens" /deny Everyone:(R)
Network Segmentation
All platforms: Isolate FactoryTalk AssetCentre systems from untrusted networks and implement strict access controls.
🧯 If You Can't Patch
- Implement strict access controls and monitoring on systems storing FactoryTalk Security tokens.
- Deploy network segmentation to isolate FactoryTalk AssetCentre from other systems and limit lateral movement potential.
🔍 How to Verify
Check if Vulnerable:
Check the FactoryTalk AssetCentre version in Control Panel > Programs and Features. If the version is below V15.00.001, the system is vulnerable.
Check Version:
wmic product where name="FactoryTalk AssetCentre" get version
Verify Fix Applied:
Verify version is V15.00.001 or higher and test that FactoryTalk Security tokens are no longer stored insecurely.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to token storage directories
- Multiple failed authentication attempts followed by a successful login from a different location
Network Indicators:
- Unusual network connections from FactoryTalk AssetCentre system
- Traffic patterns indicating token exfiltration
SIEM Query:
EventID=4663 AND ObjectName LIKE "%FactoryTalk Security%Tokens%" AND AccessMask=0x1
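As an added example (not from the vendor advisory or the original page), the SIEM query above written as a Python triage function over exported 4663 events in Windows event XML. The token path is the one given on this page; the allowlisted process, file names and sample events are constructed assumptions, and the filter goes beyond the query by testing the ReadData bit instead of `AccessMask=0x1` equality and by skipping expected processes. It assumes file system auditing and an audit entry (SACL) on the directory are in place, since 4663 is only logged then.

```python
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
# Directory as given in the workaround on this page.
TOKEN_DIR = r"C:\ProgramData\Rockwell Automation\FactoryTalk Security\Tokens"
READ_DATA = 0x1  # ReadData / ListDirectory access right
# Assumption: hypothetical allowlist; replace with the processes that read tokens at your site.
EXPECTED = {r"c:\placeholder\expected-service.exe"}

def fields(xml_text):
    """Return (EventID, {Data Name: value}) for one event in Windows event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def suspicious_reads(events):
    """Return (user, process, object) for 4663 reads under TOKEN_DIR by unexpected processes."""
    base, hits = TOKEN_DIR.lower(), []
    for xml_text in events:
        event_id, d = fields(xml_text)
        obj = d.get("ObjectName", "").lower()
        in_dir = obj == base or obj.startswith(base + "\\")  # excludes "...\TokensBackup"
        read = int(d.get("AccessMask") or "0", 16) & READ_DATA  # bit test, not equality
        unexpected = d.get("ProcessName", "").lower() not in EXPECTED
        if event_id == 4663 and in_dir and read and unexpected:
            hits.append((d.get("SubjectUserName"), d.get("ProcessName"), d.get("ObjectName")))
    return hits

def sample(event_id, obj, mask, proc, user="operator1"):
    """Build one CONSTRUCTED event for the demonstration (not real telemetry)."""
    pairs = {"SubjectUserName": user, "ObjectName": obj, "ProcessName": proc, "AccessMask": mask}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in pairs.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

TOKEN_FILE = TOKEN_DIR + r"\a.tok"  # constructed file name
SAMPLES = [  # constructed events
    sample(4663, TOKEN_FILE, "0x1", r"C:\Windows\System32\cmd.exe"),          # flagged
    sample(4663, TOKEN_FILE, "0x1", r"C:\Placeholder\Expected-Service.exe"),  # allowlisted
    sample(4663, TOKEN_FILE, "0x81", r"C:\Temp\unknown.exe"),                 # combined mask, flagged
    sample(4663, TOKEN_FILE, "0x2", r"C:\Windows\System32\cmd.exe"),          # write only
    sample(4663, TOKEN_DIR + r"Backup\a.tok", "0x1", r"C:\Temp\unknown.exe"), # sibling directory
    sample(4656, TOKEN_FILE, "0x1", r"C:\Windows\System32\cmd.exe"),          # different event ID
]

if __name__ == "__main__":
    print(*suspicious_reads(SAMPLES), sep="\n")
```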