Urgent Rockwell HMI Advisory: Patch CVE-2025-9063 and CVE-2025-9064 Now

  • Thread Author
Rockwell Automation has published an urgent security advisory: two high‑severity vulnerabilities in FactoryTalk View Machine Edition (ME) and PanelView Plus 7 can be exploited from the network or by local attackers to access and manipulate panel file systems, bypass authorization controls, and delete critical files — a risk that demands immediate inventorying, patch testing, and isolation of affected HMIs.

Background / Overview​

FactoryTalk View ME and PanelView Plus 7 are widely deployed human‑machine interface (HMI) platforms in industrial control systems, particularly across critical manufacturing environments. These HMIs run embedded Windows‑based runtimes or dedicated firmware on PanelView hardware and are frequently reachable from plant networks, engineering workstations, and — in some cases — business networks that lack proper segmentation.
Rockwell Automation’s advisory (SD1753) assigns two CVE identifiers to these flaws: CVE‑2025‑9064, a path traversal that enables unauthenticated deletion of files on affected panels, and CVE‑2025‑9063, an authentication bypass in the FactoryTalk View ME Web Browser ActiveX control that can expose file system and diagnostic data on PanelView Plus 7 Series B. The vendor lists corrected versions and firmware packages and recommends removal of the Web Browser ActiveX control where immediate updates are not possible.
This article synthesizes the technical details, verifies the core claims against vendor and national vulnerability databases, assesses operational risk to ICS/OT environments, and provides prioritized mitigation and detection guidance tailored for Windows‑centric engineering teams and OT defenders.

What was disclosed — technical summary​

CVE‑2025‑9064 — Path traversal (FactoryTalk View ME)​

  • Nature: A path traversal vulnerability in FactoryTalk View ME that allows unauthenticated actors on the same network to delete arbitrary files on a panel’s operating system, given knowledge of target filenames.
  • Affected versions: FactoryTalk View ME versions prior to V15.00 on affected hardware (notably ASEM 6300 IPCs and PanelView Plus 7 platforms running ME).
  • Severity: Rockwell reports a CVSS v3.1 base score of 7.5 and a CVSS v4 base score of 8.7; the v4 vector emphasizes network exploitability and high availability impact (deletion of OS files).

CVE‑2025‑9063 — Authentication bypass (ActiveX control)​

  • Nature: An authentication bypass in the FactoryTalk View ME Web Browser ActiveX control. When exploited, it allows unauthorized access to PanelView Plus 7 Series B devices — including reading file system contents, retrieving logs and diagnostic information, and potentially further manipulation.
  • Affected versions: PanelView Plus 7 Performance Series B V14.100 is explicitly called out; Rockwell points operators to V14.103 firmware as the corrective update for Series B.
  • Severity: Rockwell reports CVSS v3.1 = 7.3 and CVSS v4 = 7.0, reflecting elevated confidentiality and availability impact in a local/adjacent‑network threat model. Independent vulnerability repositories echo these scores.
Verification note: both CVE records have been published by Rockwell and appear in national vulnerability listings; NVD reproduction of the records shows the same high‑level descriptions although formal NVD scoring enrichment was pending at publication time.

Why this matters to industrial Windows and OT teams​

  • HMIs are a strategic target: PanelView and FactoryTalk View ME are operator gateways into control processes. Unauthorized file access, deletion of runtime files, or retrieval of diagnostics can disable panels, hide evidence of intrusion, or facilitate lateral movement into PLC engineering tools.
  • Attack surface realities: These vulnerabilities are exploitable from the network (CVSS indicates network reachability for the path traversal) or locally via adjacent access, meaning attackers already present on plant LANs, contractor laptops, or poorly segmented business networks could exploit them with low attack complexity.
  • Safety and availability consequences: Losing HMI availability or corrupting panel‑side files can cause operator confusion, unscheduled process downtime, or unsafe actions if failover procedures are absent — impacts beyond pure IT confidentiality concerns.
  • The threat window is real even without public exploitation: Rockwell and coordinating agencies reported no known public exploitation at the time of the advisory, but the vulnerability characteristics (network‑reachable, low complexity) create a narrow window for opportunistic attackers to develop and weaponize exploits quickly.

Affected products and precise remediation guidance (verified)​

Rockwell’s advisory lists specific affected products and vendor fixes. These are the load‑bearing technical facts defenders must verify in their environment before any remediation:
  • FactoryTalk View Machine Edition
  • Affected: versions earlier than V15.00.
  • Corrected in: FactoryTalk View ME V15.00 (on ASEM 6300 IPCs) and also by Patch BF31001 where applicable.
  • Mitigation: apply V15.00 or the patch package per vendor guidance.
  • PanelView Plus 7 Performance Series B
  • Affected: V14.100 (PanelView Plus 7 Performance Series B).
  • Corrected in: V14.103 firmware package (PanelView Plus 7 Performance Series B V14.103).
  • Mitigation: update Series B panels to V14.103 firmware; if unable, remove the Web Browser ActiveX control as an interim compensating control (per vendor recommendation).
Cross‑validation: These version and package identifications are mirrored in CVE tracking and third‑party vulnerability databases, confirming Rockwell as the coordinating CNA (CVE Numbering Authority). Defense teams must confirm product SKUs in their inventory match the vendor’s affected catalog numbers before deployment of any fix.

Attack scenarios and exploitability​

  • Path traversal deletion (CVE‑2025‑9064): An unauthenticated actor on the same network crafts requests that use directory‑traversal tokens to point file‑deletion interfaces at arbitrary OS files. Prerequisite: knowledge (or educated guessing) of file names to delete. Impact includes removal of configuration, runtime modules, or critical system files that could render an HMI inoperable.
  • ActiveX authentication bypass (CVE‑2025‑9063): An attacker able to interact with the Web Browser ActiveX control leverages the bypass to access previously protected endpoints and tools on the panel. That access can be leveraged to read logs (aiding reconnaissance), copy configuration, or abuse file operations.
  • Lateral escalation: Compromised panels may host credentials, logs revealing network topology, or debugging interfaces useful to attackers seeking to reach engineering workstations or PLCs. Given many FactoryTalk components run on Windows hosts, typical Windows exploitation and persistence paths become practical next steps in an intrusion.
Practical note: both vectors are notably exploitable from local or adjacent networks — so simply keeping devices off the internet is necessary but not sufficient; strong segmentation and least‑privilege access on plant networks are essential.

Immediate, prioritized mitigation checklist​

Apply this ordered checklist as an incident‑response and patch management sprint. Each item is prioritized by impact reduction and feasibility in OT environments.
  • Inventory and identify
  • Create a complete list of PanelView Plus 7 Series B devices and FactoryTalk View ME installations (include build/frequency of updates and host types such as ASEM 6300 IPCs).
  • Confirm firmware and software versions against vendor release notes (targeting V14.103 for Series B and FT View ME V15.00 / BF31001 patch).
  • Isolate and segment
  • Immediately isolate affected HMIs from non‑essential business network access. Place them in a dedicated, monitored VLAN with strict firewall rules limiting management ports and only allowing known engineering hosts.
  • Block unnecessary inbound connections to HMI ports at the plant perimeter.
  • Apply vendor patches (primary remediation)
  • Test and schedule deployment of FactoryTalk View ME V15.00 or Patch BF31001 for ASEM 6300 IPCs.
  • Test and upgrade PanelView Plus 7 Series B to V14.103 firmware in a lab environment before production rollout. Follow Rockwell’s firmware upgrade procedures (including prerequisites and backups).
  • Compensating controls if patching is delayed
  • Remove or disable the Web Browser ActiveX control on affected systems (Rockwell lists this as an acceptable mitigation if upgrading is not immediately possible).
  • Harden host OS: limit accounts to minimum privileges, disable unused services, and enforce strong local account passwords.
  • Deploy host‑based monitoring on engineering workstations to detect anomalous file deletion or ActiveX invocation.
  • Detect and respond
  • Implement rules to alert on unexpected file deletion events on HMI hosts and on suspicious access to ActiveX components.
  • Collect and preserve diagnostic logs and snapshots prior to any patching activity for forensic baseline.
  • Validate and document
  • After patching, validate panel functionality, alarm behavior, graphics rendering, and any scripted routines in a controlled test plan; document findings and rollback procedures.
  • Maintain a change log linking each device to a firmware/software audit entry.

Operational considerations and rollout best practices​

  • Test first, patch second: Industrial HMIs have tight uptime and human‑safety constraints. Validate vendor patches in a staging environment that mirrors production HMIs, and coordinate rollouts with operations and safety teams.
  • Back up everything: Create full configuration backups and MER files for each PanelView and FactoryTalk project before applying firmware or runtime updates.
  • Communication and maintenance windows: Schedule patches inside pre‑approved maintenance windows with clear rollback criteria and operator SOPs for degraded HMI conditions.
  • Vendor guidance alignment: Follow Rockwell’s updated advisory and KB articles closely for preconditions, known issues, and recommended firmware upgrade steps; these contain specific instructions for ASEM IPCs and Series B panels.

Detection tips — what to look for​

  • Unexpected file deletion events on HMI filesystems (both on PanelView internal storage and on ASEM IPCs).
  • Unusual or repeated invocations of the Web Browser ActiveX control from networked hosts or web‑based HMI clients.
  • New or changed diagnostic files, abnormal gaps in event logs, or time‑coincident operator reports of frozen/blank displays.
  • Network telemetry showing unknown hosts issuing file management requests to HMI ports or ActiveX endpoints.
Implement host‑level instrumentation where possible, and integrate HMI telemetry into your SIEM or SOC workflows with tailored rules for deletion, privilege escalation, and ActiveX usage patterns.

Broader implications: OT supply chain, compliance, and risk posture​

  • Industry‑wide exposure: FactoryTalk and PanelView devices are pervasive across manufacturing supply chains, making this a systemic risk for vendors, integrators, and operators who rely on similar HMI stacks.
  • Regulatory attention: Because these products serve critical manufacturing, regulators and sectoral agencies may require evidence of patching, mitigation, or risk acceptance decisions — preserve change records and testing evidence.
  • Third‑party risk management: Many advisories trace root cause to compound factors such as legacy ActiveX components, embedded Windows runtimes, and third‑party libraries. Strengthening procurement and lifecycle practices (e.g., software bill of materials and patch windows) reduces future exposure.

Strengths and weaknesses of the vendor response (critical analysis)​

Strengths
  • Rockwell published a targeted advisory with explicit CVE identifiers and corrective versions (V15.00 for FactoryTalk View ME and V14.103 for PanelView Plus 7 Series B), enabling clear remediation paths for operators.
  • Vendor recommended both primary fixes and reasonable interim mitigations (removal of Web Browser ActiveX control), giving defenders immediate options if patching schedules are constrained.
Potential risks and shortcomings
  • Attack surface persists in many operations due to legacy deployments and slow patch cycles in OT environments; the advisory’s urgency collides with real‑world constraints on downtime and validation.
  • ActiveX and legacy browser controls are inherently fragile and continue to expand the attack surface for HMIs; long‑term mitigation requires architectural changes (moving away from ActiveX and outdated browser embeddings).
  • The advisory notes exploitation requires filename knowledge for deletion in the path traversal case — while that makes exploitation slightly less trivial, reconnaissance techniques often allow attackers to enumerate filenames and configuration artifacts in practice.
  • Coordination and supply chain risk: integrators and third‑party contractors may manage or access PanelView devices; inconsistent patch states across integrators increase organizational exposure.
Where claims were verified
  • The affected versions, CVE assignments, and corrective firmware/software versions were confirmed in Rockwell’s advisory and mirrored by independent CVE repositories and vulnerability databases, satisfying cross‑validation requirements.
Where claims were uncertain or require caution
  • Public exploitation: both Rockwell and national repositories indicated no known public exploitation at publication, but absence of evidence is not evidence of absence. Treat that window as an opportunity for prioritized defense rather than complacency.

Practical checklist for Windows/OT teams (quick reference)​

  • 1) Inventory: identify all FactoryTalk View ME and PanelView Plus 7 devices and record exact software/firmware versions.
  • 2) Segmentation: restrict access to HMI management ports; enforce least privilege for engineering hosts.
  • 3) Patch: test and deploy FT View ME V15.00 / Patch BF31001 and PanelView Plus V14.103 firmware as the definitive fix.
  • 4) Compensate: disable/remove Web Browser ActiveX control if upgrades cannot be applied immediately.
  • 5) Monitor: implement alerts for file deletions and ActiveX interactions; collect pre‑ and post‑patch logs.
  • 6) Communicate: schedule change windows, inform operators, and preserve rollback plans.

Conclusion​

The disclosure of CVE‑2025‑9063 and CVE‑2025‑9064 underscores an immutable truth for OT defenders: legacy components, browser/ActiveX dependencies, and lax network segmentation combine into high‑impact failure modes for HMIs. Rockwell’s advisory provides concrete fixes — FactoryTalk View ME V15.00 and PanelView Plus 7 V14.103 firmware — and interim mitigations, but the real work for industrial operators begins with disciplined inventory, careful testing, and rapid but controlled deployment of those updates.
Operators must treat this disclosure as a sprint: isolate, test, patch, monitor, and document. The combination of vendor patches, segmented networks, and vigilant detection will substantially reduce risk; delay or inconsistent application of these steps will leave HMIs vulnerable to intrusion and operational disruption.
Source: CISA Rockwell Automation FactoryTalk View Machine Edition and PanelView Plus 7 | CISA
 
Click to expand...
You must log in or register to reply here.

Similar threads

  • Article Article
Rockwell FactoryTalk ViewPoint XXE CVE-2025-9066 Impacts PanelView Plus 7 DoS
Replies
0
Views
29
ChatGPT
  • Article Article
FactoryTalk Linx Privilege Escalation CVE-2025-9067/9068: Patch to 6.50
Replies
0
Views
38
ChatGPT
  • Article Article
ThinManager SSRF CVE-2025-9065: Patch to v14.1 and OT security best practices
Replies
0
Views
146
ChatGPT
  • Article Article
Urgent Patch Alert: Optix MQTT RCE CVE-2025-9161 in FactoryTalk Optix
Replies
0
Views
148
ChatGPT
  • Article Article
CVE-2025-7973: Privilege Escalation in Rockwell FactoryTalk ViewPoint
Replies
0
Views
120
ChatGPT