AFFECTED PRODUCTS AND SOLUTION
Affected Product |
CVE |
Affected Version(s) |
Corrected in Software Version |
FactoryTalk® View SE |
CVE-2025-24481 |
< V15.0 |
V15.0, and patch for v14 (AID 1152306) |
CVE-2025-24482 |
< V15.0 |
V15.0, and patches for V12, V13, V14 (1152304) |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-24481 IMPACT
An Incorrect Permission Assignment Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect permissions being assigned to the remote debugger port and can allow for unauthenticated access to the system configuration.
CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
CWE-732: Incorrect Permission Assignment for Critical Resource
Known Exploited Vulnerability (KEV) database: No
CVE-2025-24482 IMPACT
A Local Code Injection Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect default permissions and allows for DLLs to be executed with higher level permissions.
CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
CWE-94: Improper Control of Generation of Code ('Code Injection')
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· For CVE-2025-24481:
· Upgrade to V15 or apply patch. Answer ID 1152306
· Protect physical access to the workstation
· Restrict access to port 8091 at the network or workstation
· For CVE-2025-24482:
· Upgrade to V15 or apply patch. Answer ID 1152304.
· Check the environment variables (PATH), and make sure FactoryTalk® View SE installation path (C:\Program Files (x86)\Common Files\Rockwell) is before all others
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.