1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Low attack complexity
- Vendor: Rockwell Automation
- Equipment: FactoryTalk
- Vulnerabilities: Incorrect Authorization, Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute code on the device with elevated privileges.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Rockwell Automation FactoryTalk View ME are affected:
- FactoryTalk View ME: All versions prior to 15.0
3.2 VULNERABILITY OVERVIEW
3.2.1 Incorrect Authorization CWE-863
A local code execution vulnerability exists in Rockwell Automation FactoryTalk products on all versions prior to version 15.0. The vulnerability is due to a default setting in Windows and allows access to the command prompt as a higher privileged user.
CVE-2025-24479 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-24479. A base score of 8.6 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2
[…]
This article has been indexed from All CISA Advisories