Rockwell Automation FactoryTalk Linx

View CSAF

1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity Vendor: Rockwell Automation Equipment: FactoryTalk Linx Vulnerabilities: Privilege Chaining
2. RISK EVALUATION Successful exploitation of these vulnerabilities may allow full access to all files, processes, and system resources.
3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Rockwell Automation reports that the following versions of the FactoryTalk Linx control system data communications platform are affected: FactoryTalk Linx: Versions 6.40 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 PRIVILEGE CHAINING CWE-268 A security issue exists within the x86 Microsoft Installer File (MSI), which is installed with FTLinx. Authenticated attackers with valid Windows user credentials can initiate a repair and hijack the resulting console window. This allows the launching of a command prompt running with SYSTEM-level privileges, which provides full access to all files, processes, and system resources. CVE-2025-9067 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2025-9067. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N). 3.2.2 PRIVILEGE CHAINING CWE-268 A security issue exists within the Rockwell Automation Driver Package x64 Microsoft Installer File (MSI) repair functionality, which is installed with FTLinx. Authenticated attackers with valid Windows user credentials can initiate a repair and hijack the resulting vbpinstall.exe console window. This allows the launching of a command prompt with SYSTEM-level privileges, granting full access to all files, processes, and system resources. CVE-2025-9068 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2025-9068. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: United States 3.4 RESEARCHER Rockwell Automation reported these vulnerabilities to CISA.
4. MITIGATIONS Rockwell Automation recommends users of the affected software consider installing the Microsoft patch to address the MSI issue. If possible, users should also upgrade to version 6.50 or later. Users of the affected software unable to upgrade to one of the corrected versions should follow Rockwell Automation’s security best practices. For more information, see Rockwell Automation’s security advisory SD1754. CISA recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY October 16, 2025: Initial Republication of Rockwell Automation’s security advisory SD1754.