CVE-2025-9364
📋 TL;DR
An over-permissive Redis instance in affected Rockwell Automation products allows intranet attackers to access and potentially modify sensitive data. This vulnerability affects systems with exposed Redis databases that lack proper access controls. Organizations using vulnerable Rockwell Automation products on internal networks are at risk.
💻 Affected Systems
- Rockwell Automation FactoryTalk View SE
📦 What is this software?
FactoryTalk Analytics LogixAI by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of sensitive industrial control system data, including potential data manipulation that could disrupt operations or cause safety incidents.
Likely Case
Unauthorized access to sensitive configuration data, operational parameters, and potentially credential information stored in Redis.
If Mitigated
Limited impact with proper network segmentation and Redis authentication enabled, restricting access to authorized systems only.
🎯 Exploit Status
Exploitation requires network access to the Redis instance but no authentication. Standard Redis client tools can be used to connect and query data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FactoryTalk View SE version 12.00.01
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1748.html
Restart Required: Yes
Instructions:
1. Download FactoryTalk View SE version 12.00.01 from Rockwell Automation.
2. Backup current configuration.
3. Install the update following vendor documentation.
4. Restart affected systems.
5. Verify Redis authentication is enabled.
🔧 Temporary Workarounds
Enable Redis Authentication
Configure Redis to require authentication before it will execute commands from a client.
redis-cli CONFIG SET requirepass "strong-password-here"
redis-cli CONFIG REWRITE
Restrict Network Access
Configure firewall rules to limit Redis access to authorized systems only. An allow rule by itself restricts nothing: pair it with a default-deny inbound policy or an explicit rule that blocks TCP port 6379 from every other source.
# Windows: netsh advfirewall firewall add rule name="Restrict Redis" dir=in action=allow protocol=TCP localport=6379 remoteip=192.168.1.0/24
# Linux: iptables -A INPUT -p tcp --dport 6379 -s 192.168.1.0/24 -j ACCEPT
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Redis instances from general network traffic.
- Enable Redis authentication with strong passwords and monitor for unauthorized access attempts.
🔍 How to Verify
Check if Vulnerable:
Attempt to connect to Redis on port 6379 without authentication using: redis-cli -h <target_ip> -p 6379. If the connection succeeds and commands work, the system is vulnerable.
Check Version:
Check FactoryTalk View SE version in Control Panel > Programs and Features or via vendor documentation.
Verify Fix Applied:
Commands issued without authentication should now be rejected with an authentication error. Test with: redis-cli -h <target_ip> -p 6379 AUTH <password> to verify authentication works.
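The same unauthenticated check, as an added example rather than anything from the advisory or from Rockwell Automation: a small Python script that speaks raw RESP to the server, so it runs where redis-cli is not installed. The outcome labels, the default host and the treatment of replies other than PONG/NOAUTH/DENIED are assumptions made for this example.

```python
import socket
import sys

# Outcome labels (constructed for this example)
VULNERABLE = "vulnerable"      # server answered PING with no credentials
PROTECTED = "protected"        # server refused the command pending AUTH
UNREACHABLE = "unreachable"    # no TCP connection, or an empty reply
UNKNOWN = "unknown"            # some other error; inspect by hand


def classify_reply(reply: bytes) -> str:
    """Interpret the RESP reply to an unauthenticated PING.

    +PONG        -> commands run without AUTH: the over-permissive state the advisory describes
    -NOAUTH ...  -> requirepass (or an ACL password) is enforced
    -DENIED ...  -> Redis protected mode refused a non-loopback client
    """
    if not reply:
        return UNREACHABLE
    if reply.startswith(b"+PONG"):
        return VULNERABLE
    if reply.startswith(b"-NOAUTH") or reply.startswith(b"-DENIED"):
        return PROTECTED
    return UNKNOWN


def check_redis_auth(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Open a TCP session, send PING as a RESP array, classify the first reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"*1\r\n$4\r\nPING\r\n")  # RESP encoding of the PING command
            reply = sock.recv(512)
    except OSError:
        return UNREACHABLE
    return classify_reply(reply)


if __name__ == "__main__":
    # Assumed usage: python check_redis.py <host> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6379
    print(f"{target}:{port} -> {check_redis_auth(target, port)}")
```

Run it against each Redis instance from an authorized host after applying the fix or the requirepass workaround; a result of "vulnerable" means step 5 of the patch instructions has not taken effect.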
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts to Redis
- Successful Redis connections from unauthorized IP addresses
- Unusual Redis command patterns
Network Indicators:
- Unexpected connections to TCP port 6379
- Redis protocol traffic from unauthorized sources
SIEM Query:
source="redis.log" AND (event="Authentication failed" OR src_ip NOT IN authorized_ips)
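The SIEM query above, worked through as an added example that is not part of the advisory: Python detection logic run over a few constructed key=value log lines. The log format, the authorized network (taken to match the 192.168.1.0/24 used in the firewall rules) and the brute-force threshold are assumptions; real Redis or proxy logs will need their own parser.

```python
import ipaddress
import shlex
from collections import Counter

# Assumption: the authorized client range matches the firewall workaround above
AUTHORIZED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample log (not real Redis output); one event per line
SAMPLE_LOG = """\
ts=2025-09-01T10:00:01Z src_ip=192.168.1.20 event="Connection accepted"
ts=2025-09-01T10:00:02Z src_ip=192.168.1.20 event="Authentication succeeded"
ts=2025-09-01T10:00:04Z src_ip=192.168.1.31 event="Authentication failed"
ts=2025-09-01T10:00:05Z src_ip=10.0.0.7 event="Connection accepted"
ts=2025-09-01T10:00:06Z src_ip=10.0.0.7 event="Authentication failed"
ts=2025-09-01T10:00:07Z src_ip=10.0.0.7 event="Authentication failed"
ts=2025-09-01T10:00:08Z src_ip=10.0.0.7 event="Authentication failed"
"""


def parse_line(line: str) -> dict:
    """Split a key=value line; shlex keeps quoted values with spaces intact."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_authorized(ip: str) -> bool:
    """True when the source address falls inside an authorized network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: never treat as authorized
    return any(addr in net for net in AUTHORIZED_NETS)


def find_alerts(log_text: str, failed_threshold: int = 3):
    """Apply the two SIEM conditions and add a per-source failed-auth count.

    Returns (alerts, bruteforce_sources): alerts is a list of
    (reason, src_ip, ts) tuples; bruteforce_sources lists IPs whose
    failed-auth count reached failed_threshold.
    """
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        ip, event, ts = ev.get("src_ip", ""), ev.get("event", ""), ev.get("ts", "")
        if event == "Authentication failed":          # event="Authentication failed"
            failures[ip] += 1
            alerts.append(("failed_auth", ip, ts))
        if ip and not is_authorized(ip):              # src_ip NOT IN authorized_ips
            alerts.append(("unauthorized_source", ip, ts))
    bruteforce = [ip for ip, n in failures.items() if n >= failed_threshold]
    return alerts, bruteforce


if __name__ == "__main__":
    found, brute = find_alerts(SAMPLE_LOG)
    for reason, ip, ts in found:
        print(f"{ts} {reason:20} {ip}")
    print("repeated failures from:", brute)
```

A single failed AUTH from an authorized host (192.168.1.31 in the sample) is logged but not escalated; repeated failures or any traffic from outside the authorized range are the signals worth paging on.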