CVE-2025-9067
📋 TL;DR
This vulnerability allows an authenticated Windows user to hijack the repair process of the FactoryTalk Linx (FTLinx) Windows Installer package (MSI) and obtain a SYSTEM-level command prompt, which gives full administrative control over the host. Only systems with FTLinx installed and reachable by authenticated attackers are affected.
💻 Affected Systems
- FTLinx
📦 What is this software?
FactoryTalk Linx by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise: attackers gain SYSTEM privileges, allowing them to install malware, steal all data, disable security controls, and pivot to other systems.
Likely Case
Privilege escalation from standard user to SYSTEM, enabling lateral movement, credential harvesting, and persistence establishment within the network.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are in place, though local privilege escalation remains possible.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the repair process hijack technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in the reference; check the vendor advisory for the latest version
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1754.html
Restart Required: Yes
Instructions:
1. Review the Rockwell Automation advisory SD1754
2. Download the latest FTLinx version from Rockwell Automation
3. Install the update following vendor instructions
4. Restart the system
🔧 Temporary Workarounds
Restrict user permissions
Apply least privilege principles to limit which users can access systems with FTLinx installed.
Disable MSI repair
Configure Windows to prevent MSI repair operations through Group Policy or registry settings. Note that the DisableMSI policy value used below turns off Windows Installer for non-managed applications as a whole (installs and repairs started by standard users), not only repair, so test its effect on your software deployment before rolling it out.
reg add "HKLM\Software\Policies\Microsoft\Windows\Installer" /v "DisableMSI" /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Implement strict network segmentation to isolate systems with FTLinx from critical assets.
- Deploy endpoint detection and response (EDR) tools to monitor for privilege escalation attempts and unusual process creation.
🔍 How to Verify
Check if Vulnerable:
Check if FTLinx is installed on the system and compare the version against the patched version listed in the vendor advisory.
Check Version (the name in the where clause must match the product's display name in Win32_Product exactly; wmic is deprecated on current Windows releases):
wmic product where name="FTLinx" get version
Verify Fix Applied:
Verify that the FTLinx version has been updated to the patched version listed in the advisory, and confirm that an MSI repair of the package no longer grants SYSTEM privileges to a standard user.
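The version check above, carried out against the CSV form of the wmic query, as an added example that is not part of this advisory page or of Rockwell Automation's tooling. The patched version is not given in the reference, so it is a parameter rather than a constant; the wmic output below is a constructed sample, and the product display names the matcher accepts are an assumption to be aligned with your own software inventory.

```python
"""Check an installed FactoryTalk Linx (FTLinx) version against a patched
version, working on the CSV form of the advisory's wmic query.

Added example, not from the advisory or from Rockwell Automation. The patched
version is passed in as a parameter because the reference does not list it;
the sample wmic output is constructed, and the display names matched for
FTLinx are an assumption.
"""
import csv
import io
import re
from typing import Optional, Tuple

# Constructed sample of `wmic product get name,version /format:csv` output.
# wmic's CSV format starts with a blank line, then a Node,Name,Version header.
SAMPLE_WMIC_CSV = """
Node,Name,Version
WKS01,FactoryTalk Linx,6.30.00
WKS01,Some Other Product,1.2.3
"""

# Display names treated as FTLinx (assumption, not taken from the advisory).
FTLINX_NAME_PATTERN = re.compile(r"^(FTLinx|FactoryTalk Linx)$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.30.00' into (6, 30, 0) so versions compare numerically;
    a plain string comparison would rank '6.9' above '6.30'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_wmic_csv(text: str) -> list:
    """Parse wmic CSV output into row dicts, skipping the leading blank line."""
    lines = [line for line in text.splitlines() if line.strip()]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def installed_ftlinx_version(wmic_csv: str) -> Optional[str]:
    """Return the FTLinx version string, or None when it is not installed."""
    for row in parse_wmic_csv(wmic_csv):
        if FTLINX_NAME_PATTERN.match((row.get("Name") or "").strip()):
            return (row.get("Version") or "").strip()
    return None


def ftlinx_status(wmic_csv: str, patched_version: str) -> str:
    """Classify the host as 'not installed', 'vulnerable' or 'patched'
    relative to the version the vendor advisory lists as fixed."""
    installed = installed_ftlinx_version(wmic_csv)
    if installed is None:
        return "not installed"
    if parse_version(installed) < parse_version(patched_version):
        return "vulnerable"
    return "patched"


if __name__ == "__main__":
    # "6.40.00" is a constructed placeholder; take the real value from SD1754.
    print(ftlinx_status(SAMPLE_WMIC_CSV, patched_version="6.40.00"))
```

On a real host, feed the function the output of `wmic product get name,version /format:csv` (or the equivalent from your inventory tool); treating "not installed" as a separate result keeps hosts without FTLinx out of the vulnerable count.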
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unexpected MSI repair processes
- Process creation events (4688) for cmd.exe or powershell.exe running as SYSTEM with msiexec.exe as the parent, in sessions belonging to non-admin users
Network Indicators:
- Unusual outbound connections from systems with FTLinx after local exploitation
SIEM Query (pseudo-syntax; adapt field names and operators to your platform):
EventID=4688 AND NewProcessName="cmd.exe" AND SubjectUserName!="SYSTEM" AND ParentProcessName contains "msiexec"
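The detection logic above, run over sample process-creation records, as an added example that is not part of this advisory page. The records are constructed samples shaped like Windows Security event 4688 (the field names are the real 4688 names; every value is made up). The rule flags a console shell whose parent image is msiexec.exe and which runs in the SYSTEM context, where SYSTEM context is taken to mean the SYSTEM account, a machine account (name ending in "$") or the System integrity label S-1-16-16384; that interpretation is an assumption of the example.

```python
"""Flag cmd.exe / powershell.exe created by msiexec.exe in the SYSTEM context.

Added example, not from the advisory. The records below are constructed
samples in the shape of Windows Security event 4688; field names are the
real 4688 names, values are made up. ntpath is used so the Windows paths
parse correctly even when this runs on a non-Windows analysis box.
"""
import ntpath
from typing import Iterable, List

CONSOLE_SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM_INTEGRITY_LABEL = "S-1-16-16384"  # Mandatory Label\System Mandatory Level

# Constructed 4688 records ("A new process has been created").
SAMPLE_EVENTS = [
    {   # 1: a user opens a command prompt from Explorer: benign
        "EventID": 4688, "NewProcessId": "0x1a4c",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ParentProcessName": r"C:\Windows\explorer.exe",
        "SubjectUserName": "jdoe", "TargetUserName": "-",
        "MandatoryLabel": "S-1-16-8192",
    },
    {   # 2: the Windows Installer service (SYSTEM) spawns cmd.exe: flag
        "EventID": 4688, "NewProcessId": "0x2b10",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ParentProcessName": r"C:\Windows\System32\msiexec.exe",
        "SubjectUserName": "WKS01$", "TargetUserName": "-",
        "MandatoryLabel": SYSTEM_INTEGRITY_LABEL,
    },
    {   # 3: msiexec.exe spawns another msiexec.exe (normal custom-action host): not a shell
        "EventID": 4688, "NewProcessId": "0x2c44",
        "NewProcessName": r"C:\Windows\System32\msiexec.exe",
        "ParentProcessName": r"C:\Windows\System32\msiexec.exe",
        "SubjectUserName": "WKS01$", "TargetUserName": "-",
        "MandatoryLabel": SYSTEM_INTEGRITY_LABEL,
    },
    {   # 4: the user-side msiexec.exe UI spawns powershell.exe at medium integrity: not SYSTEM
        "EventID": 4688, "NewProcessId": "0x2d08",
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentProcessName": r"C:\Windows\System32\msiexec.exe",
        "SubjectUserName": "jdoe", "TargetUserName": "-",
        "MandatoryLabel": "S-1-16-8192",
    },
]


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path or "").lower()


def runs_as_system(event: dict) -> bool:
    """True when the new process is in the SYSTEM context by account or label."""
    for field in ("TargetUserName", "SubjectUserName"):
        user = event.get(field) or ""
        if user.upper() == "SYSTEM" or user.endswith("$"):
            return True
    return event.get("MandatoryLabel") == SYSTEM_INTEGRITY_LABEL


def is_msi_spawned_system_shell(event: dict) -> bool:
    """The rule: event 4688, console shell image, parent msiexec.exe, SYSTEM context."""
    return (
        event.get("EventID") == 4688
        and _image_name(event.get("NewProcessName")) in CONSOLE_SHELLS
        and _image_name(event.get("ParentProcessName")) == "msiexec.exe"
        and runs_as_system(event)
    )


def find_alerts(events: Iterable[dict]) -> List[dict]:
    """Return the records that match the rule."""
    return [e for e in events if is_msi_spawned_system_shell(e)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT: SYSTEM shell from msiexec:", alert["NewProcessId"], alert["NewProcessName"])
```

Legitimate installers also run custom actions as SYSTEM, sometimes through cmd.exe, so this rule is a starting point rather than a high-confidence alert: allowlist known deployment packages, and correlate hits with the MsiInstaller entries in the Application log that record which product was being repaired and in whose session.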