Loading

FactoryTalk® View Machine Edition Multiple Vulnerabilities

Severity:
High,
Critical
Advisory ID:
SD1719
Date de publication:
January 28, 2025
Date de la dernière mise à jour:
February 05, 2025
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
Non
Corrected:
Oui
Workaround:
Oui
CVE IDs
CVE-2025-24479,
CVE-2025-24480
Téléchargements
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
CVE-2025-24479
CVE-2025-24480
Résumé

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

Affected Version(s)

Corrected in Software Version

FactoryTalk® View Machine Edition

CVE-2025-24479

< V15

V15 and Patch for V12, V13, V14 (AID 1152309)

CVE-2025-24480

 

< V15

 

V15 and patch for V12, V13, V14 (AID 1152571)

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-24479 IMPACT

A Local Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to a default setting in Windows and allows access to the Command Prompt as a higher privileged user.

CVSS 3.1 Base Score: 8.4
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.6
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-863: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No

CVE-2025-24480 IMPACT

A Remote Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to lack of input sanitation and could allow a remote attacker to run commands or code as a high privileged user.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') & CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         CVE-2025-24479:

·         Upgrade to V15.00 or apply patch in AID 1152309

·         Control physical access to the system

·         CVE-2025-24480:

·         Upgrade to V15.00 or apply patch in AID 1152571

·         Protect network access to the device

·         Strictly constrain the parameters of invoked functions

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Copyright ©2022 Rockwell Automation, Inc.