CVE-2025-9068

7.8 HIGH

📋 TL;DR

A locally authenticated Windows user on a host with Rockwell Automation's FTLinx installed can hijack the product's MSI repair process and obtain a command prompt running as SYSTEM. From there the attacker can read or modify any file, process or resource on the host. Any organization running an unpatched FTLinx installation on Windows is exposed; no remote or unauthenticated path is involved.

💻 Affected Systems

Products:
  • Rockwell Automation FTLinx
Versions: All versions prior to the fixed version named in Rockwell advisory SD1754
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated Windows session (local or interactive) on a host with FTLinx installed. The MSI repair path is present in a default installation, so no non-default configuration is needed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges leading to data theft, ransomware deployment, industrial control system manipulation, and complete network takeover.

🟠 Likely Case

Privilege escalation on an engineering workstation or HMI, followed by lateral movement within the network, credential harvesting, and installation of persistent backdoors.

🟢 If Mitigated

Limited impact where strict access controls, network segmentation, and monitoring prevent an attacker from obtaining the required authenticated session or detect the SYSTEM shell when it appears.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated Windows session on the target host. The attacker triggers an MSI repair of FTLinx and hijacks the repair process so that a command prompt is launched with SYSTEM privileges; no memory corruption or special tooling is involved, which is why complexity is rated LOW even though no public PoC is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific version

Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1754.html

Restart Required: Yes

Instructions:

1. Review Rockwell Automation advisory SD1754
2. Download and install the latest FTLinx update
3. Restart affected systems
4. Verify patch installation

🔧 Temporary Workarounds

Restrict User Permissions (windows)

Exploitation needs an authenticated local session, so remove every unnecessary "Allow log on locally" and "Allow log on through Remote Desktop Services" right on hosts running FTLinx. This shrinks the pool of accounts that can trigger a repair; it does not protect against an attacker who already holds such a session.

Network Segmentation (all)

Isolate hosts running Rockwell Automation software from the general corporate network so that a compromised office workstation cannot reach them to obtain the authenticated session the attack requires.

🧯 If You Can't Patch

  • Implement strict access controls and least privilege principles for all users
  • Monitor for MSI repair activity (vbpinstall.exe, msiexec.exe) that spawns an interactive shell with SYSTEM integrity, and for repairs started from non-admin sessions

🔍 How to Verify

Check if Vulnerable:

Compare the installed FTLinx version with the fixed version given in SD1754. Any Windows host running an older version is vulnerable; the repair function is part of a default install, so its presence does not need separate confirmation. Read the version from the Windows Installer uninstall registry keys rather than from WMI Win32_Product, because enumerating Win32_Product makes Windows Installer run a consistency check (and repair) of every package, which is the very mechanism at issue.

Check Version:

Read DisplayVersion from the FTLinx entry in Programs and Features (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and the WOW6432Node equivalent), or consult the vendor documentation for the installed release.

Verify Fix Applied:

Confirm the installed version is at or above the fixed version in SD1754. Then, from a standard (non-administrator) user session, start an FTLinx repair and confirm that no SYSTEM-level command prompt appears and that the repair completes normally.
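The version check described above and step 4 of the fix instructions, as an added PowerShell example that is not from this page or from Rockwell. The fixed version is not stated here, so $FixedVersion is a placeholder to fill in from advisory SD1754; the DisplayName patterns it matches are also an assumption.

```powershell
# Added example for CVE-2025-9068 triage; not code from the page or from Rockwell.
# Reads installed FTLinx versions from the Windows Installer uninstall keys and compares
# them with the fixed version from SD1754.
param(
    [string]$FixedVersion = '0.0.0.0',                          # ASSUMPTION: set from SD1754
    [string[]]$NamePatterns = @('FTLinx', 'FactoryTalk Linx')  # ASSUMPTION: DisplayName text to match
)

# Do NOT use Win32_Product for this: enumerating it makes Windows Installer run a
# consistency check (and repair) of every package, the very code path under discussion.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.DisplayName
        $name -and @($NamePatterns | Where-Object { $name -like "*$_*" }).Count -gt 0
    }

if (-not $installed) {
    Write-Output 'No FTLinx entry found in the uninstall keys; host is out of scope.'
    return
}

foreach ($app in $installed) {
    $status = 'unknown (unparseable version)'
    try {
        $status = if ([version]$app.DisplayVersion -lt [version]$FixedVersion) {
            'VULNERABLE - update per SD1754'
        } else {
            'patched'
        }
    } catch { }
    [pscustomobject]@{
        Product     = $app.DisplayName
        Installed   = $app.DisplayVersion
        Fixed       = $FixedVersion
        ProductCode = $app.PSChildName   # MSI product code GUID for MSI-based entries
        Status      = $status
    }
}
```

Run it as `.\Check-FTLinx.ps1 -FixedVersion <version from SD1754>` on each candidate host, or wrap the body in `Invoke-Command` for fleet-wide collection. It only reads the registry, so it is safe to run on production ICS workstations; the ProductCode column is the GUID you would pass to msiexec if you later need to audit or remove the package.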

📡 Detection & Monitoring

Log Indicators:

  • Unexpected vbpinstall.exe execution
  • Repair process initiation by non-admin users
  • Command prompt launched with SYSTEM privileges

Network Indicators:

  • Unusual outbound connections from Rockwell systems

SIEM Query:

Process creation where parent_process in ('vbpinstall.exe', 'msiexec.exe') AND process_name in ('cmd.exe', 'powershell.exe') AND integrity_level = 'SYSTEM'

All three conditions should be required. A rule that fires on any cmd.exe at SYSTEM integrity, or on any child of the installer, produces an alert for every scheduled task, service helper and legitimate repair custom action on the host; the signal specific to this bug is an installer parent spawning an interactive shell at SYSTEM.
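The rule above as an added PowerShell example, not code from this page or from Rockwell: a filter over Sysmon Event ID 1 records, with a live reader for the Sysmon operational log. msiexec.exe as a repair parent and the shell list are assumptions; the sample records are constructed for illustration, including the hypothetical path for vbpinstall.exe.

```powershell
# Added example; not code from the page or from Rockwell. Implements the process-creation
# rule as a filter over Sysmon Event ID 1 records. Sample records are constructed.

# Parents that belong to an MSI repair: vbpinstall.exe is the name the log indicators
# give; msiexec.exe is the Windows Installer engine (ASSUMPTION: the repair chain runs
# through it). Children are the interactive shells worth alerting on (ASSUMPTION).
$RepairParents = @('vbpinstall.exe', 'msiexec.exe')
$ShellChildren = @('cmd.exe', 'powershell.exe')

function Test-RepairHijack {
    # Emits only records where an installer parent spawned a shell at SYSTEM integrity.
    # All three conditions are required: "cmd.exe at SYSTEM" alone fires on every
    # scheduled task and service helper on the host.
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $parent = [IO.Path]::GetFileName([string]$Record.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName([string]$Record.Image).ToLowerInvariant()
        if (($RepairParents -contains $parent) -and
            ($ShellChildren -contains $child) -and
            ([string]$Record.IntegrityLevel -eq 'System')) {
            $Record
        }
    }
}

function Get-SysmonProcessCreate {
    # Live reader: Sysmon EID 1 from the operational log, flattened to one object per
    # event using Sysmon's own field names (Image, ParentImage, IntegrityLevel, User, ...).
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $fields = @{}
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

# Constructed sample records (not captured from a real host). vbpinstall.exe path is hypothetical.
$samples = @(
    [pscustomobject]@{ UtcTime = '2025-01-01 10:00:00.000'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Temp\vbpinstall.exe'            # hijacked repair: ALERT
                       IntegrityLevel = 'System' }
    [pscustomobject]@{ UtcTime = '2025-01-01 10:05:00.000'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Windows\System32\svchost.exe'    # scheduled task: benign
                       IntegrityLevel = 'System' }
    [pscustomobject]@{ UtcTime = '2025-01-01 10:06:00.000'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Windows\System32\msiexec.exe'
                       ParentImage = 'C:\Temp\vbpinstall.exe'            # normal repair step: benign
                       IntegrityLevel = 'System' }
    [pscustomobject]@{ UtcTime = '2025-01-01 10:07:00.000'; User = 'PLANT\operator'
                       Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Windows\explorer.exe'            # user's own shell: benign
                       IntegrityLevel = 'Medium' }
)

# Only the first sample survives the filter.
$samples | Test-RepairHijack | Format-Table UtcTime, User, ParentImage, Image, IntegrityLevel

# On a real host with Sysmon installed:
# Get-SysmonProcessCreate | Test-RepairHijack
```

If you only have Security log 4688 events, there is no integrity level field: substitute `SubjectUserSid -eq 'S-1-5-18'` for the SYSTEM test and use NewProcessName / ParentProcessName for the image fields. Whichever source you use, add the LogonId of the originating user session to the alert so responders can tell which authenticated account started the repair.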

🔗 References

  • Rockwell Automation advisory SD1754: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1754.html