AFFECTED PRODUCTS AND SOLUTION
Affected Product |
CVE |
Affected Version(s) |
Corrected in Software Version |
FactoryTalk® View Machine Edition |
CVE-2025-24479 |
< V15 |
V15 and Patch for V12, V13, V14 (AID 1152309) |
CVE-2025-24480
|
< V15
|
V15 and patch for V12, V13, V14 (AID 1152571) |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-24479 IMPACT
A Local Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to a default setting in Windows and allows access to the Command Prompt as a higher privileged user.
CVSS 3.1 Base Score: 8.4
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.6
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-863: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No
CVE-2025-24480 IMPACT
A Remote Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to lack of input sanitation and could allow a remote attacker to run commands or code as a high privileged user.
CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') & CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· CVE-2025-24479:
· Upgrade to V15.00 or apply patch in AID 1152309
· Control physical access to the system
· CVE-2025-24480:
· Upgrade to V15.00 or apply patch in AID 1152571
· Protect network access to the device
· Strictly constrain the parameters of invoked functions
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.