CVE-2025-9064
📋 TL;DR
An unauthenticated path traversal vulnerability in FactoryTalk View Machine Edition lets an attacker with network access to the panel delete arbitrary files on the panel's operating system. Industrial control systems running vulnerable versions of the software are affected. The attacker must know the name and location of the file to delete; no credentials are required.
💻 Affected Systems
- FactoryTalk View Machine Edition
📦 What is this software?
FactoryTalk View by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Critical system files could be deleted, causing panel operating system corruption, production downtime, or safety system disruption in industrial environments.
Likely Case
Attackers delete configuration files, logs, or application files to disrupt operations or cover tracks after other attacks.
If Mitigated
With proper network segmentation and access controls, only an attacker who already has a foothold on the panel's own network segment can reach the vulnerable service, so the impact is confined to that segment.
🎯 Exploit Status
Exploitation requires network reachability to the panel and knowledge of the target file name, but no authentication or special privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 13.00.00 or later
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1753.html
Restart Required: Yes
Instructions:
1. Download FactoryTalk View Machine Edition version 13.00.00 or later from Rockwell Automation.
2. Back up existing configurations.
3. Install the update following vendor documentation.
4. Restart the panel system.
🔧 Temporary Workarounds
Network Segmentation
Isolate FactoryTalk View panels on dedicated network segments with strict access controls.
Firewall Rules
Implement firewall rules that allow network access to FactoryTalk View panels only from authorized engineering stations.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable panels from general network traffic.
- Deploy host-based firewalls on panels to restrict incoming connections to only necessary sources.
🔍 How to Verify
Check if Vulnerable:
Check the FactoryTalk View Machine Edition version in the software's About dialog; any version earlier than 13.00.00 is vulnerable.
Check Version:
Check via the FactoryTalk View Machine Edition interface or the Windows Programs and Features list. Compare versions numerically, not as strings (9.00.00 sorts after 13.00.00 alphabetically).
Verify Fix Applied:
Confirm version is 13.00.00 or higher after applying the update.
📡 Detection & Monitoring
Log Indicators:
- Unexpected file deletion events in system logs
- Failed file access attempts to sensitive paths
Network Indicators:
- Unusual network traffic to FactoryTalk View panels from unauthorized sources
- HTTP requests whose paths contain traversal sequences such as ../ or ..\, including URL-encoded forms like %2e%2e%2f and double-encoded forms like %252e%252e%252f
SIEM Query (illustrative pseudo-query; map the source and field names to your SIEM's schema and decode URL-encoded paths before matching):
source="FactoryTalk" AND (event_type="file_delete" OR path_contains="../")
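The network indicators above are easy to miss if a detection only matches the literal string "../": attackers routinely send the sequence URL-encoded, double-encoded, or with backslashes. The following is an added example, not code from the page or from Rockwell Automation, showing how a detection pass over HTTP access-log lines can normalize the request path before looking for traversal segments. The log format and all log lines are constructed for the example; the page does not state which service on the panel is vulnerable, so the example assumes the panel's web traffic is logged in a generic access-log format and that the logs are forwarded somewhere they can be scanned.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real FactoryTalk View ME output).
# Line 1 and line 5 are benign; lines 2-4 carry traversal sequences in
# plain, URL-encoded and double-encoded form respectively.
SAMPLE_LOGS = [
    '10.0.5.21 - - [12/Aug/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.5.99 - - [12/Aug/2025:10:01:07 +0000] "DELETE /files/../../Windows/System32/config.xml HTTP/1.1" 200 0',
    '10.0.5.99 - - [12/Aug/2025:10:01:09 +0000] "GET /files/%2e%2e%2f%2e%2e%2fboot.ini HTTP/1.1" 404 0',
    '10.0.5.99 - - [12/Aug/2025:10:01:11 +0000] "GET /files/%252e%252e%255cproject.mer HTTP/1.1" 200 120',
    '10.0.5.21 - - [12/Aug/2025:10:01:15 +0000] "GET /files/report..pdf HTTP/1.1" 200 900',
]

# Matches the quoted request line: method, request target, protocol version.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %252e%252e are reduced to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(target: str) -> bool:
    """True if any path segment of the request target is a dot-only segment
    of length >= 2 ('..', '....', etc.) after decoding and normalizing
    backslashes to forward slashes. A filename like 'report..pdf' is not a
    traversal segment and is not flagged."""
    path = decode_fully(target.split('?', 1)[0]).replace('\\', '/')
    for seg in path.split('/'):
        if len(seg) >= 2 and seg.strip('.') == '':
            return True
    return False


def scan_logs(lines):
    """Return (method, raw_target) for every request line that carries a
    traversal sequence; lines without a parsable request are skipped."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and has_traversal(m.group('target')):
            hits.append((m.group('method'), m.group('target')))
    return hits


if __name__ == '__main__':
    for method, target in scan_logs(SAMPLE_LOGS):
        print(f'traversal attempt: {method} {target}')
```

The decode loop is bounded on purpose: an unbounded "decode until stable" loop is itself a cheap denial-of-service target if the detector runs inline. The dot-only-segment test deliberately flags sequences like "...." as well, since those are a common probe against filters that strip a single "../" occurrence.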