CVE-2025-7972
📋 TL;DR
This vulnerability allows attackers to bypass FTSP token validation in FactoryTalk Linx Network Browser by setting the NODE_ENV environment variable to 'development'. This enables unauthorized creation, modification, and deletion of FTLinx drivers. Industrial control systems using affected FactoryTalk Linx versions are at risk.
💻 Affected Systems
- FactoryTalk Linx Network Browser
📦 What is this software?
FactoryTalk Linx by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems allowing attackers to manipulate critical drivers, potentially causing physical damage, production disruption, or safety incidents.
Likely Case
Unauthorized modification of FTLinx drivers leading to operational disruption, data manipulation, or lateral movement within industrial networks.
If Mitigated
Limited impact if proper network segmentation and access controls prevent attackers from reaching vulnerable systems.
🎯 Exploit Status
Exploitation requires the ability to modify environment variables on the target system, which typically requires some level of access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FactoryTalk Linx version 6.31 or later
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1735.html
Restart Required: Yes
Instructions:
1. Download FactoryTalk Linx version 6.31 or later from Rockwell Automation.
2. Install the update following vendor instructions.
3. Restart affected systems.
🔧 Temporary Workarounds
Restrict Environment Variable Modification
Windows: Prevent unauthorized modification of the NODE_ENV environment variable
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name 'NODE_ENV' -Value 'production' -Type String
Network Segmentation
All platforms: Isolate FactoryTalk Linx systems from untrusted networks
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from modifying environment variables
- Monitor for unauthorized changes to NODE_ENV environment variable and suspicious driver modifications
🔍 How to Verify
Check if Vulnerable:
Check FactoryTalk Linx version via Control Panel > Programs and Features. Versions 6.30 and earlier are vulnerable.
Check Version:
wmic product where "name='FactoryTalk Linx'" get version
Verify Fix Applied:
Verify installation of FactoryTalk Linx version 6.31 or later and confirm NODE_ENV is not set to 'development'.
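The two verification conditions above can be checked together with the following added PowerShell audit, which is not from the vendor advisory. It assumes the product's uninstall entry has a DisplayName starting with 'FactoryTalk Linx' and that its DisplayVersion matches the advertised version number; the function names are hypothetical.

```powershell
# Added audit sketch: checks the installed version and persistent NODE_ENV values.
# Assumption: the uninstall entry's DisplayName starts with 'FactoryTalk Linx'
# and DisplayVersion tracks the advertised version (fixed in 6.31 per this page).
$fixed = [version]'6.31'

function Get-NodeEnvSettings {
    # Persistent NODE_ENV values: machine scope plus every loaded user hive.
    $paths = @('Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment')
    $paths += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)\Environment" }
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name 'NODE_ENV' -ErrorAction SilentlyContinue).NODE_ENV
        if ($null -ne $v) { [pscustomobject]@{ Scope = $p; NODE_ENV = $v } }
    }
}

function Get-FTLinxVersion {
    # Read uninstall keys instead of Win32_Product, which is slow and can
    # trigger an MSI consistency check on every installed package.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'FactoryTalk Linx*' -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

$findings = @()
$pkgs = @(Get-FTLinxVersion)
if (-not $pkgs) { $findings += 'FactoryTalk Linx not found in uninstall keys, check manually' }
foreach ($pkg in $pkgs) {
    $parsed = $null
    if ([version]::TryParse($pkg.DisplayVersion, [ref]$parsed)) {
        if ($parsed -lt $fixed) { $findings += "$($pkg.DisplayName) $parsed is below $fixed" }
    } else {
        $findings += "$($pkg.DisplayName): unparsed version '$($pkg.DisplayVersion)', check manually"
    }
}
foreach ($s in Get-NodeEnvSettings) {
    if ($s.NODE_ENV -ieq 'development') { $findings += "NODE_ENV=development at $($s.Scope)" }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings.' }
```

The script only sees values persisted in the registry; a process started with NODE_ENV set in its own environment block will not show up here.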
📡 Detection & Monitoring
Log Indicators:
- Unexpected changes to NODE_ENV environment variable
- Unauthorized driver creation/modification/deletion in FactoryTalk Linx logs
Network Indicators:
- Unusual network traffic to FactoryTalk Linx systems from unauthorized sources
SIEM Query:
EventID=4688 AND ProcessName='FactoryTalk Linx' AND CommandLine LIKE '%NODE_ENV=development%'