Cyberthreat Advisories | 1898 & Co.

Rockwell Automation FactoryTalk View Machine Edition: Critical Remote Code Execution and Local Privilege Escalation Vulnerabilities

Written by The 1898 & Co. Team | March 10, 2026

Rockwell Automation has disclosed two significant vulnerabilities in FactoryTalk View Machine Edition (View ME), a widely deployed HMI platform used on PanelView Plus terminals and other embedded operator interface devices across industrial and critical infrastructure environments. The vulnerabilities are tracked as CVE-2025-24479 (CVSS v3.1 8.4) and CVE-2025-24480 (CVSS v3.1 9.8), and both affect all versions of FactoryTalk View ME prior to V15.0. Rockwell Automation published patches in January 2025 alongside V15.0 as the comprehensive remediation path, and CISA has issued a corresponding ICS advisory (ICSA-25-028-03).

CVE-2025-24479 (CVSS v3.1 8.4, CVSS v4.0 8.6) is a local code execution vulnerability rooted in an incorrect authorization condition (CWE-863) caused by a default Windows configuration that enables access to an elevated command prompt on the affected device. CVE-2025-24480 (CVSS v3.1 9.8, CVSS v4.0 9.3) is a critical-severity remote code execution vulnerability arising from a lack of input sanitization (CWE-78, OS Command Injection; CWE-22, Path Traversal) that allows an unauthenticated remote attacker to execute arbitrary commands with elevated privileges on the FactoryTalk View ME host. The combination of a locally exploitable privilege escalation and a remotely exploitable unauthenticated code execution vulnerability on the same platform represents a serious compounded risk for any organization running unpatched View ME installations.

Neither vulnerability has been publicly exploited or added to CISA's Known Exploited Vulnerabilities catalog at the time of this writing. However, the critical network-accessible nature of CVE-2025-24480 — requiring no authentication and no user interaction — places it among the highest-priority vulnerabilities in the FactoryTalk ecosystem and warrants urgent attention from any organization with FactoryTalk View ME deployed on a network-connected device. Organizations should prioritize upgrading to V15.0 or applying the available patches within their next scheduled maintenance window.

Threats and Vulnerabilities

CVE-2025-24479, with a CVSS v3.1 score of 8.4 (High) and a CVSS v4.0 score of 8.6, is classified under CWE-863 (Incorrect Authorization). The vulnerability stems from a default Windows operating system setting on the FactoryTalk View ME host that permits an operator or other local user to access an elevated command prompt, effectively granting the ability to execute operating system commands at a higher privilege level than the user's assigned role would ordinarily allow. While the attack requires physical or local access to the View ME terminal, HMI devices in OT environments are frequently accessible to a broad population of operators, contractors, and maintenance personnel, and many lack screen-lock or session-timeout protections that would limit exposure. Successful exploitation enables an attacker to run arbitrary commands as a privileged user on the device, potentially disrupting the HMI application, modifying system configuration, or using the elevated access as a foothold for further compromise of connected OT assets. All versions of FactoryTalk View ME prior to V15.0 are affected; V15.0 resolves the vulnerability, and Rockwell Answer ID 1152309 provides a targeted patch for V12, V13, and V14 installations.

CVE-2025-24480, with a CVSS v3.1 score of 9.8 (Critical) and a CVSS v4.0 score of 9.3, is classified under CWE-78 (Improper Neutralization of Special Elements Used in an OS Command — OS Command Injection) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory — Path Traversal). The root cause is a failure to sanitize user-supplied input before it is passed to the underlying operating system, allowing an unauthenticated remote attacker to inject arbitrary OS commands or traverse directory boundaries and execute code in the context of the FactoryTalk View ME process, which runs with elevated privileges. No authentication, no user interaction, and no special network position are required to exploit this vulnerability; network reachability to the affected device is sufficient. In industrial environments where FactoryTalk View ME terminals are accessible from engineering workstations or OT management networks, this makes CVE-2025-24480 a highly attractive initial access vector for both opportunistic attackers and targeted campaigns. All versions prior to V15.0 are affected; V15.0 resolves the issue, and Rockwell Answer ID 1152571 provides a patch for V12, V13, and V14.

Client Impact

FactoryTalk View ME is the operator-facing interface through which personnel monitor and control industrial processes on PanelView Plus and similar HMI terminals. Successful remote exploitation of CVE-2025-24480 would grant an attacker arbitrary command execution with elevated privileges on the HMI device — enabling process interference, unauthorized setpoint modifications, alarm suppression, or complete compromise of the operator interface. Given that View ME terminals are typically hardwired to PLCs and field devices via EtherNet/IP or serial communication, a compromised HMI represents a trusted vantage point from which an adversary can issue commands directly to process control equipment, potentially causing equipment damage, production disruption, or unsafe operating conditions. The local privilege escalation enabled by CVE-2025-24479 compounds this risk in facilities where multiple personnel share physical access to HMI terminals.

From a compliance and governance perspective, these vulnerabilities create meaningful exposure under NERC CIP, IEC 62443, and NIST SP 800-82. HMI terminals communicating with bulk electric system assets fall within the NERC CIP Electronic Security Perimeter; an unauthenticated remote code execution vulnerability with a CVSS score of 9.8 on such a device is inconsistent with CIP-007 system security management requirements and likely triggers patch management obligations with defined remediation timelines. IEC 62443 and NIST SP 800-82 both require prompt remediation of critical severity vulnerabilities on OT devices, and the availability of Rockwell-issued patches and the CISA advisory ICSA-25-028-03 means organizations will be expected to demonstrate a documented response and remediation plan.

Mitigations

To mitigate the identified risks, clients should consider the following actions:

1. Upgrade FactoryTalk View Machine Edition to V15.0 or later, which addresses both CVE-2025-24479 and CVE-2025-24480. For installations running V12, V13, or V14 that cannot immediately upgrade, apply Rockwell Answer ID 1152309 (for CVE-2025-24479) and Answer ID 1152571 (for CVE-2025-24480) as interim patches.

2. Implement network access controls to restrict reachability of FactoryTalk View ME devices to only the minimum required network hosts, eliminating or blocking network paths from untrusted segments that an attacker could use to exploit the unauthenticated CVE-2025-24480 remotely.

3. Enforce strict physical access controls on all FactoryTalk View ME terminals, including screen-locking, session timeouts, and restrictions on who may physically operate the device, to reduce the population of individuals capable of exploiting the local privilege escalation in CVE-2025-24479.

4. Strictly constrain any input parameters passed to FactoryTalk View ME application functions as a compensating control for CVE-2025-24480 on systems awaiting patching, and review Rockwell's published security best practices documentation for additional hardening guidance specific to View ME deployments.

5. Inventory all FactoryTalk View ME devices across the environment, confirm current version and patch status for each, and review OT monitoring platform alerts for any anomalous command execution or unexpected network connections from these devices that could indicate pre-patch exploitation.

By taking these steps, organizations can significantly reduce their exposure to these vulnerabilities and enhance their overall security posture.
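Added example (not part of the original advisory or any Rockwell tooling): a Python triage of the inventory described in mitigation 5, applying the version and Answer ID rules from mitigation 1. The CSV columns, asset names and the ranking policy are assumptions constructed for illustration.

```python
import csv
import io

# From the advisory: fixed release and interim patches (Rockwell Answer IDs).
FIXED_MAJOR = 15
PATCHABLE_MAJORS = {12, 13, 14}
ANSWER_IDS = {"CVE-2025-24479": "1152309", "CVE-2025-24480": "1152571"}

# Constructed sample inventory; asset names and columns are hypothetical.
SAMPLE_INVENTORY = """asset,version,answer_ids_applied,untrusted_reachable
hmi-line1,15.0,,no
hmi-line2,13.0,1152309;1152571,yes
hmi-line3,14.0,1152309,yes
hmi-pack1,12.0,,no
hmi-legacy,11.0,,yes
"""

def major_version(version):
    # Accepts "13.0" or "V13.0" and returns 13.
    return int(version.strip().lstrip("Vv").split(".")[0])

def open_cves(version, applied_ids):
    # CVEs still unaddressed on one device, given its applied Answer IDs.
    major = major_version(version)
    if major >= FIXED_MAJOR:
        return []
    if major not in PATCHABLE_MAJORS:
        return sorted(ANSWER_IDS)  # advisory names no interim patch here
    return sorted(c for c, aid in ANSWER_IDS.items() if aid not in applied_ids)

def triage(inventory_csv):
    # Assumed policy: unpatched CVE-2025-24480 reachable from untrusted
    # segments ranks first, then devices by number of open CVEs.
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        applied = {a for a in rec["answer_ids_applied"].split(";") if a}
        cves = open_cves(rec["version"], applied)
        if not cves:
            action = "none"
        elif major_version(rec["version"]) in PATCHABLE_MAJORS:
            ids = ", ".join(ANSWER_IDS[c] for c in cves)
            action = f"apply Answer ID {ids} or upgrade to V15.0"
        else:
            action = "upgrade to V15.0"
        urgent = "CVE-2025-24480" in cves and rec["untrusted_reachable"] == "yes"
        rows.append({"asset": rec["asset"], "open_cves": cves,
                     "urgent": urgent, "action": action})
    return sorted(rows, key=lambda r: (not r["urgent"], -len(r["open_cves"]), r["asset"]))
```

Calling `triage(SAMPLE_INVENTORY)` returns one record per device, ordered so that remotely exposed, unpatched terminals come first.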

1898 & Co. Response

1898 & Co. monitors Rockwell Automation security disclosures and CISA ICS advisories on an ongoing basis to identify vulnerabilities affecting operator interface and SCADA platforms deployed across our clients' industrial environments. Upon identification of the SD1719 advisory and its two CVEs, our security teams prioritized assessment of FactoryTalk View ME installations within client environments, with particular focus on devices whose network exposure would allow CVE-2025-24480 to be exploited without authentication. We provide OT-specific patch management services designed to align with industrial maintenance schedules, ensuring that remediation does not introduce unplanned downtime while still meeting the urgency that critical-severity vulnerabilities demand.

Our industrial cybersecurity practice brings deep familiarity with Rockwell Automation's FactoryTalk platform, including View ME deployments on PanelView Plus devices and their integration with Logix-based control systems. We conduct HMI security assessments that evaluate device hardening, network segmentation, and input validation posture against the attack vectors illustrated by CVE-2025-24479 and CVE-2025-24480. Our continuous monitoring capabilities extend to OT endpoints, enabling detection of anomalous command execution and unexpected network behavior on HMI devices in environments where endpoint telemetry is available.

1898 & Co. has a well-established track record of assisting critical infrastructure operators in addressing critical and high-severity vulnerabilities in industrial HMI platforms, from initial triage through patch verification and post-remediation hardening. Clients with FactoryTalk View ME deployments are encouraged to contact our team to confirm patch status, assess network exposure, and evaluate whether current compensating controls are sufficient for devices that cannot be immediately patched.

Sources

1. Rockwell Automation Security Advisory SD1719 — FactoryTalk View Machine Edition

2. CISA ICS Advisory ICSA-25-028-03 — Rockwell Automation FactoryTalk

3. NVD Entry — CVE-2025-24479

4. NVD Entry — CVE-2025-24480