Rockwell Automation has disclosed three security vulnerabilities in FactoryTalk AssetCentre, an industrial software platform used for managing and archiving PLC program files, device configurations, and change records across operational technology (OT) environments. The vulnerabilities — tracked as CVE-2025-0477 (CVSS v3.1 9.8), CVE-2025-0497 (CVSS v3.1 7.0), and CVE-2025-0498 (CVSS v3.1 7.8) — expose user credentials and authentication tokens through weak encryption and insecure storage practices. All versions of FactoryTalk AssetCentre prior to V15.00.001 are affected. Rockwell Automation has released version V15.00.001 along with a January 2025 Monthly Patch rollup for legacy versions to address these vulnerabilities, and CISA has published a corresponding ICS advisory (ICSA-25-030-05).
The most critical of the three, CVE-2025-0477 (CVSS v3.1 9.8, CVSS v4.0 9.3), stems from a weak encryption algorithm applied to user passwords stored in the FactoryTalk AssetCentre database, allowing an attacker with read access to the database to recover plaintext credentials for all application users. CVE-2025-0497 (CVSS v3.1 7.0, CVSS v4.0 7.3) compounds the exposure by storing service account credentials in plaintext within the configuration files of four AssetCentre utility packages. CVE-2025-0498 (CVSS v3.1 7.8, CVSS v4.0 7.0) rounds out the credential exposure by storing FactoryTalk Security session tokens insecurely, so that a local attacker who steals a valid token can impersonate the token's owner without knowing that user's password.
None of the three vulnerabilities has been publicly exploited or added to CISA's Known Exploited Vulnerabilities catalog at the time of this writing; however, the critical severity of CVE-2025-0477 and the layered credential exposure created by all three together represent a meaningful risk in industrial environments where FactoryTalk AssetCentre serves as a central repository for sensitive OT asset data. Exploitation could provide an adversary with a complete pathway from initial database or file access to full administrative control of the OT management platform. Organizations running FactoryTalk AssetCentre on any version prior to V15.00.001 should treat remediation as an urgent priority and apply the fixes in the earliest maintenance window their operations allow.
CVE-2025-0477, with a CVSS v3.1 score of 9.8 (Critical) and a CVSS v4.0 score of 9.3, is classified under CWE-326 (Inadequate Encryption Strength) and is the most severe vulnerability disclosed in this advisory. The flaw arises from FactoryTalk AssetCentre's use of a weak encryption algorithm to protect user passwords stored in its underlying database. An attacker who has obtained read access to the database, whether through compromised database credentials, misconfigured access control, or physical access to the server, can reverse or decrypt the stored values and recover plaintext credentials for every application user. Because the attack requires only database-level read access rather than an active authenticated network session, it is well suited to insider threats and to adversaries who have already established a foothold on the network segment hosting the AssetCentre server. All versions of FactoryTalk AssetCentre prior to V15.00.001 are affected, and no workaround removes the weakness: only the upgrade replaces the storage scheme. Tightly restricting read access to the database, and to any backups or copies of it, which carry the same stored values, reduces exposure but does not eliminate it.
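To make the CWE-326 failure concrete, the following Python is an added example written for this article, not FactoryTalk AssetCentre code. A deliberately simple reversible scheme under a static application key stands in for a weak algorithm (the advisory does not name the product's algorithm, and this stand-in makes no claim about it), and a salted, iterated PBKDF2 hash shows the one-way replacement. The user names, passwords and the embedded key are constructed. The block also shows the insider path the paragraph mentions: a reader of the table who knows one password, their own, recovers the key from that single row and decrypts every other row, so the design fails even when the key itself is not in the database.

```python
# Added example for this article (not FactoryTalk AssetCentre code): why a
# reversible, statically keyed password store (CWE-326) hands every database
# reader every user's password, and what the one-way replacement looks like.
# The "weak" scheme is a deliberately simple stand-in, not Rockwell's algorithm.
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# --- Anti-pattern: encryption under a key the application must itself hold ---
WEAK_STATIC_KEY = b"app-embedded-key"   # assumption: static key shipped with the app


def _xor_stream(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def weak_encrypt(password: str, key: bytes = WEAK_STATIC_KEY) -> str:
    """Reversible 'protection': the stored value hides the password only from
    readers who lack the key, and the key is not a per-user secret."""
    return base64.b64encode(_xor_stream(password.encode(), key)).decode()


def weak_decrypt(stored: str, key: bytes = WEAK_STATIC_KEY) -> str:
    return _xor_stream(base64.b64decode(stored), key).decode()


def _smallest_period(stream: bytes) -> int:
    """Length of the repeating unit in a recovered keystream."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return len(stream)


def recover_key_from_own_password(own_password: str, own_stored: str) -> bytes:
    """Insider path: XOR a known password (your own) against its stored row to get
    the keystream, then read the key off its repeating period. Needs the known
    password to be longer than the key; no access to the application binary."""
    stream = _xor_stream(base64.b64decode(own_stored), own_password.encode())
    return stream[: _smallest_period(stream)]


def recover_all_passwords(table: List[Tuple[str, str]], key: bytes) -> Dict[str, str]:
    """What database read access plus the key yields: every user's plaintext."""
    return {user: weak_decrypt(stored, key) for user, stored in table}


def insider_attack(table: List[Tuple[str, str]], own_user: str, own_password: str) -> Dict[str, str]:
    key = recover_key_from_own_password(own_password, dict(table)[own_user])
    return recover_all_passwords(table, key)


# --- Remediation: one-way, salted, iterated hash; the row alone reverses nothing ---
PBKDF2_ITERATIONS = 600_000   # OWASP order of magnitude for PBKDF2-HMAC-SHA256


def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)   # unique per user: same password, different row
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        alg, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time compare


# Constructed sample accounts (not real data); the insider's password is longer than the key.
SAMPLE_USERS: Dict[str, str] = {
    "insider": "Engineer-Station-7-Rotate!",
    "plc_admin": "Winter2025#",
    "operator": "Pump-Line-42",
}
WEAK_TABLE: List[Tuple[str, str]] = [(u, weak_encrypt(p)) for u, p in SAMPLE_USERS.items()]
HASHED_TABLE: List[Tuple[str, str]] = [(u, hash_password(p)) for u, p in SAMPLE_USERS.items()]

if __name__ == "__main__":
    print(insider_attack(WEAK_TABLE, "insider", SAMPLE_USERS["insider"]))
    print(verify_password(SAMPLE_USERS["operator"], dict(HASHED_TABLE)["operator"]))
```

Run the file to see the recovered table and a successful verification. The point of the hashed form is that a database row gives an attacker nothing to reverse and nothing shared across users; PBKDF2 is shown because it is in the standard library, and Argon2id or bcrypt would be the preferred choice where a library is available.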
CVE-2025-0497, with a CVSS v3.1 score of 7.0 (High) and a CVSS v4.0 score of 7.3, is classified under CWE-522 (Insufficiently Protected Credentials) and exposes service account credentials in plaintext within the configuration files of four FactoryTalk AssetCentre utility packages: EventLogAttachmentExtractor, ArchiveExtractor, LogCleanUp, and ArchiveLogCleanUp. An attacker with local access to the system hosting these packages — or the ability to read configuration files through a misconfigured file share, backup system, or network share — can extract these credentials without any decryption effort. The exposed service account credentials may grant access to other systems or services within the OT network that share the same account, enabling lateral movement well beyond the AssetCentre platform. FactoryTalk AssetCentre versions V11, V12, and V13 receive targeted patches via the January 2025 Monthly Patch rollup; version V15.00.001 resolves the issue universally.
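As an added example, not Rockwell's code or tooling, the following Python is the kind of offline check a practitioner would run before and after patching to find plaintext credentials in configuration files such as those the advisory describes. The file names and layouts are constructed samples; that the utility packages use .NET-style .exe.config files with appSettings and connectionStrings sections is an assumption, and the scanner also handles INI-style key=value files. Findings carry a masked value only, so the audit report does not become a second copy of the secrets.

```python
# Added example for this article, not Rockwell's code: an offline audit helper
# that flags plaintext credentials in configuration files of the kind the
# advisory describes. File names and layouts below are constructed samples;
# that the utilities use .NET-style .exe.config files is an assumption.
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, NamedTuple

SECRET_NAME_RE = re.compile(r"password|passwd|pwd|secret|token|apikey", re.I)
# "Password=..." or "Pwd=..." embedded in a connection string
CONNSTR_PWD_RE = re.compile(r"(?:password|pwd)\s*=\s*([^;\"']+)", re.I)
PLACEHOLDERS = {"", "***", "<redacted>", "changeme", "${secret}"}
CONFIG_SUFFIXES = {".config", ".xml", ".ini", ".cfg", ".conf", ".properties"}


class Finding(NamedTuple):
    file: str
    location: str
    masked_value: str      # never write the secret itself into an audit report


def _mask(value: str) -> str:
    return value[:2] + "***" if len(value) > 2 else "***"


def _is_secret(name: str, value: str) -> bool:
    return bool(SECRET_NAME_RE.search(name)) and value.strip().lower() not in PLACEHOLDERS


def scan_xml_text(name: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for elem in ET.fromstring(text).iter():
        attrs = elem.attrib
        # <add key="ServicePassword" value="..."/>  (appSettings style)
        if "key" in attrs and "value" in attrs and _is_secret(attrs["key"], attrs["value"]):
            findings.append(Finding(name, f"{elem.tag}[key={attrs['key']}]", _mask(attrs["value"])))
        for attr, val in attrs.items():
            # password="..." as a direct attribute
            if attr not in ("key", "value") and _is_secret(attr, val):
                findings.append(Finding(name, f"{elem.tag}@{attr}", _mask(val)))
            # Password=... inside a connection string attribute
            for m in CONNSTR_PWD_RE.finditer(val):
                findings.append(Finding(name, f"{elem.tag}@{attr} (connection string)", _mask(m.group(1))))
    return findings


def scan_ini_text(name: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*([^=:#;\[]+?)\s*[=:]\s*(.*?)\s*$", line)
        if m and _is_secret(m.group(1), m.group(2)):
            findings.append(Finding(name, f"line {lineno} ({m.group(1)})", _mask(m.group(2))))
    return findings


def scan_text(name: str, text: str) -> List[Finding]:
    if Path(name).suffix.lower() in (".config", ".xml"):
        try:
            return scan_xml_text(name, text)
        except ET.ParseError:
            pass      # not well-formed XML: fall through to the line-based scan
    return scan_ini_text(name, text)


def scan_directory(root: Path) -> List[Finding]:
    """Walk a tree such as the install directory of the utility packages."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in CONFIG_SUFFIXES:
            findings.extend(scan_text(str(path), path.read_text(errors="replace")))
    return findings


SAMPLE_FILES: Dict[str, str] = {   # constructed samples; hypothetical names and layout
    "ArchiveExtractor.exe.config": """<configuration>
  <appSettings>
    <add key="ServiceUser" value="svc_assetcentre"/>
    <add key="ServicePassword" value="Plaintext-Secret-1"/>
  </appSettings>
  <connectionStrings>
    <add name="AssetCentreDb"
         connectionString="Server=ACDB01;Database=AssetCentre;User ID=svc_ac;Password=DbSecret-2;"/>
  </connectionStrings>
</configuration>""",
    "LogCleanUp.ini": "[service]\nuser = svc_cleanup\npassword = CleanUp-Secret-3\n",
    # the remediated shape: integrated authentication, no secret in the file
    "Hardened.exe.config": """<configuration>
  <connectionStrings>
    <add name="AssetCentreDb"
         connectionString="Server=ACDB01;Database=AssetCentre;Integrated Security=SSPI;"/>
  </connectionStrings>
</configuration>""",
}


def audit_samples() -> List[Finding]:
    findings: List[Finding] = []
    for name, text in SAMPLE_FILES.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for f in audit_samples():
        print(f"{f.file}: {f.location} -> {f.masked_value}")
```

Point scan_directory at the installation directory of the four utility packages and at any file shares or backup locations that hold copies of their configuration. A hit on an unpatched host is expected; a hit after applying the rollup or upgrade means a residual copy remains, and the credential it holds should be rotated regardless.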
CVE-2025-0498, with a CVSS v3.1 score of 7.8 (High) and a CVSS v4.0 score of 7.0, is also classified under CWE-522 (Insufficiently Protected Credentials) and covers the insecure storage of FactoryTalk Security session tokens within the AssetCentre application. Unlike password-based credentials, session tokens represent an active authentication state: an attacker who recovers a valid token can immediately impersonate the associated user without requiring their password, potentially gaining access to sensitive OT asset data, PLC program files, and device configuration archives managed by AssetCentre. As a general matter, a stolen session token remains usable until it expires or is revoked, so changing the user's password does not necessarily invalidate it; token lifetime therefore bounds the exposure window. The local access requirement constrains opportunistic exploitation, but insider threats and adversaries who have already achieved a foothold on an OT management workstation represent realistic scenarios for exploitation. As with CVE-2025-0497, the January 2025 Monthly Patch rollup addresses this vulnerability for versions V11 through V13, while V15.00.001 resolves it universally.
For organizations operating FactoryTalk AssetCentre as a central repository for OT asset data, the collective impact of these three vulnerabilities is severe. Successful exploitation of CVE-2025-0477 alone could yield plaintext credentials for every AssetCentre user, enabling an adversary to authenticate as engineers, operators, or administrators and access PLC program files, device configuration archives, and historical change records for industrial assets across the facility. Combined with the session token exposure of CVE-2025-0498 and the plaintext service account credentials of CVE-2025-0497, a threat actor could achieve broad lateral movement across the OT network using credentials harvested entirely from a single compromised system. In critical infrastructure sectors such as energy, water, and manufacturing, this level of access could enable unauthorized configuration changes to field devices, sustained undetected presence within the OT environment, or disruption of industrial processes at a time of the attacker's choosing.
From a compliance and governance perspective, these vulnerabilities create direct exposure under frameworks governing OT security and credential protection. NERC CIP standards require protection of electronic access controls for bulk electric system assets; the storage of weakly encrypted or plaintext credentials within a system managing those assets is inconsistent with CIP requirements and may constitute a reportable security gap. IEC 62443 and NIST SP 800-82 similarly mandate protection of authentication credentials and session tokens in industrial control system environments. Organizations subject to NIS2 in Europe may face notification obligations if these vulnerabilities are exploited and result in an incident affecting essential services. With patches available and CISA advisory ICSA-25-030-05 in the public record, regulators will expect documented evidence of remediation timelines and rationale for any deferral.
To mitigate the identified risks, clients should consider the following actions:
1. Upgrade FactoryTalk AssetCentre to version V15.00.001 or later. This release addresses all three vulnerabilities — CVE-2025-0477, CVE-2025-0497, and CVE-2025-0498 — and represents the most complete and durable remediation path.
2. For installations running FactoryTalk AssetCentre V11, V12, or V13 that cannot immediately upgrade to V15.00.001, apply the January 2025 Monthly Patch rollup, which contains targeted patches for CVE-2025-0497 and CVE-2025-0498 on those legacy versions. The rollup does not address CVE-2025-0477, so these installations remain exposed to the database password weakness until they are upgraded.
3. Restrict access to the FactoryTalk AssetCentre database to the minimum required service accounts and administrative users, both as a compensating control before the upgrade and as standing practice afterwards; this shrinks the population of identities able to exploit CVE-2025-0477 but does not remove the weakness.
4. Enforce strict physical and logical access controls to servers and workstations hosting FactoryTalk AssetCentre — particularly those running the EventLogAttachmentExtractor, ArchiveExtractor, LogCleanUp, and ArchiveLogCleanUp packages — to limit the local access required for CVE-2025-0497 and CVE-2025-0498 exploitation.
5. Following patch application, audit all accounts with access to the AssetCentre database and configuration files, rotate service account credentials, and review FactoryTalk Security token expiration policies to minimize residual exposure from any tokens or credentials that may have been accessible prior to remediation.
By taking these steps, organizations can significantly reduce their exposure to these vulnerabilities and enhance their overall security posture.
1898 & Co. actively monitors Rockwell Automation security bulletins, CISA ICS advisories, and the broader OT threat landscape to identify vulnerabilities affecting our clients' industrial environments. Upon identification of the SD1721 advisory and its three associated CVEs, our security teams assessed client environments running FactoryTalk AssetCentre, prioritized affected installations by version and network exposure, and initiated guidance on patch scheduling within operationally feasible maintenance windows. Our OT security services include patch management programs specifically designed to navigate the operational constraints of industrial environments where unplanned downtime is not acceptable.
Our industrial cybersecurity practice brings deep expertise in Rockwell Automation platforms, including the FactoryTalk software suite, and is well-positioned to assess the credential exposure risk introduced by CVE-2025-0477, CVE-2025-0497, and CVE-2025-0498 within the context of each client's specific OT network architecture. We provide OT-specific vulnerability assessments, network segmentation reviews, and privileged access management consulting to reduce the blast radius of credential-based attacks like those enabled by the vulnerabilities described in this advisory. Our approach is grounded in IEC 62443 and NIST SP 800-82 frameworks, ensuring that mitigations are both technically effective and compliance-aligned.
1898 & Co. has a demonstrated track record of helping critical infrastructure organizations respond to credential and authentication vulnerabilities in industrial control systems, from initial risk assessment through patch verification and post-remediation hardening. We encourage all clients running FactoryTalk AssetCentre to engage our team promptly to review their current version posture, validate patch application, and assess whether compensating controls are sufficient for any installations that cannot be immediately upgraded.
1. Rockwell Automation Security Advisory SD1721 — FactoryTalk AssetCentre
2. CISA ICS Advisory ICSA-25-030-05 — Rockwell Automation FactoryTalk AssetCentre