Rockwell Automation has disclosed two high-severity vulnerabilities in FactoryTalk View Site Edition (View SE), a widely deployed SCADA human-machine interface (HMI) platform used across industrial and critical infrastructure environments. Tracked as CVE-2025-24481 (CVSS v3.1 7.3) and CVE-2025-24482 (CVSS v3.1 7.3), both vulnerabilities affect all versions of FactoryTalk View SE prior to V15.0 and stem from misconfigured permissions that allow local attackers to access system configuration without authentication or execute code with elevated privileges. Rockwell Automation has addressed both vulnerabilities through a combination of the V15.0 release and legacy version patches published in January 2025. CISA has issued a corresponding ICS advisory (ICSA-25-028-04).
CVE-2025-24481 (CVSS v3.1 7.3, CVSS v4.0 7.0) arises from incorrect permissions assigned to the FactoryTalk View SE remote debugger port (TCP 8091), exposing system configuration functionality to unauthenticated local access. CVE-2025-24482 (CVSS v3.1 7.3, CVSS v4.0 7.0) is a local code injection vulnerability rooted in incorrect default directory permissions, which allow an attacker to place malicious DLL files in paths the application searches at runtime, causing those DLLs to execute with the elevated privileges of the FactoryTalk View SE process. Together, these two flaws create a compounding local attack surface on any FactoryTalk View SE workstation that has not been upgraded or patched.
Neither vulnerability has been publicly exploited or added to CISA's Known Exploited Vulnerabilities catalog at the time of this writing, and both require local access to the affected workstation to exploit. Despite these constraints, HMI workstations in OT environments are frequently targeted by insider threats and by adversaries who have achieved an initial foothold via IT-to-OT lateral movement. Organizations running FactoryTalk View SE on any version prior to V15.0 should prioritize patch application within the next available maintenance window and implement the compensating controls described in this advisory.
CVE-2025-24481, with a CVSS v3.1 score of 7.3 (High) and a CVSS v4.0 score of 7.0, is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource). The vulnerability exists because FactoryTalk View SE assigns overly permissive access controls to the remote debugger port — TCP port 8091 — used by the application during runtime. As a result, a local attacker without valid application credentials can connect to this port and interact directly with the system configuration interface, potentially reading or modifying application settings, project files, or runtime parameters that would normally require authenticated administrative access. The attack requires no special privileges or user interaction beyond local access to the workstation, making it particularly relevant in scenarios involving shared engineering workstations, remote desktop sessions with inadequate access controls, or insider threat actors with physical access. All versions of FactoryTalk View SE prior to V15.0 are affected; the vulnerability is resolved in V15.0 and, for V14 installations, via the patch documented under Rockwell Answer ID 1152306.
CVE-2025-24482, with a CVSS v3.1 score of 7.3 (High) and a CVSS v4.0 score of 7.0, is classified under CWE-94 (Improper Control of Generation of Code) and represents a local DLL hijacking vulnerability. The root cause is incorrect default permissions applied to directories in the Windows PATH environment variable that FactoryTalk View SE searches when loading Dynamic Link Libraries at runtime. An attacker who can write to one of these directories — a capability enabled by the misconfigured permissions — can place a malicious DLL with the same name as a legitimate library expected by the application, causing FactoryTalk View SE to load and execute the attacker-controlled code with the elevated privileges of the service or process. Successful exploitation can result in arbitrary code execution with higher-level system privileges, enabling privilege escalation, persistence, or further compromise of the HMI host. The vulnerability affects all FactoryTalk View SE versions prior to V15.0; V15.0 resolves it, and patches for V12, V13, and V14 are available under Rockwell Answer ID 1152304. The documented workaround — ensuring the Rockwell installation directory (C:\Program Files (x86)\Common Files\Rockwell) appears before all other entries in the system PATH variable — mitigates the DLL search order vulnerability on systems that cannot be immediately patched.
FactoryTalk View SE serves as the primary operator interface in many industrial automation environments, providing real-time visibility into production processes and direct interaction with field devices. Successful exploitation of CVE-2025-24481 or CVE-2025-24482 on an HMI workstation running FactoryTalk View SE could grant an attacker unauthorized access to SCADA configuration data, operator interfaces, or alarm management systems, with downstream consequences ranging from process disruption and equipment damage to unsafe operating conditions. The local privilege escalation enabled by CVE-2025-24482 is particularly significant in OT environments where engineering workstations are shared resources: an attacker who gains elevated privileges on an HMI host gains a platform from which to move laterally to PLCs, historians, and other connected OT assets, compounding the initial impact well beyond the workstation itself.
From a compliance and governance perspective, these vulnerabilities introduce exposure for organizations operating under NERC CIP, IEC 62443, and NIST SP 800-82. HMI platforms are frequently classified as Electronic Security Perimeter (ESP) assets under NERC CIP, and permissive runtime permissions of the type underlying both CVEs are inconsistent with CIP-007 patch management and system security management requirements. IEC 62443 security levels for SCADA HMIs explicitly require protection against local privilege escalation and unauthorized configuration access. With both patches and the CISA advisory ICSA-25-028-04 in the public record, compliance frameworks and regulators will expect organizations to document their remediation timelines and rationale for any deferral.
To mitigate the identified risks, clients should consider the following actions:
1. Upgrade FactoryTalk View Site Edition to V15.0 or later. This release resolves both CVE-2025-24481 and CVE-2025-24482 and represents the most complete remediation. For environments where V15.0 cannot be deployed immediately, apply Rockwell Answer ID 1152306 (for CVE-2025-24481, V14) and Answer ID 1152304 (for CVE-2025-24482, V12/V13/V14) as interim patches.
2. Block TCP port 8091 at the host-based firewall and at any network firewall or switch access control list governing the FactoryTalk View SE workstation segment, reducing the accessibility of the misconfigured remote debugger port associated with CVE-2025-24481 until the patch is applied.
3. Verify and correct the Windows PATH environment variable on all FactoryTalk View SE workstations to ensure the Rockwell installation directory (C:\Program Files (x86)\Common Files\Rockwell) appears before all other entries, eliminating the DLL search order vulnerability associated with CVE-2025-24482 as a compensating control.
4. Enforce strict physical and logical access controls on FactoryTalk View SE workstations, including locking unattended sessions, restricting USB and removable media use, and limiting accounts that can log on locally or via remote desktop to the minimum necessary for operational roles.
5. Audit file and directory permissions on FactoryTalk View SE installation and shared library directories, review local user account assignments on HMI workstations, and assess whether lateral movement from these hosts to connected OT assets would be possible in the event of a local privilege escalation.
By taking these steps, organizations can significantly reduce their exposure to these vulnerabilities and enhance their overall security posture.
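The checks behind steps 2, 3 and 5 can be scripted as a read-only audit. The PowerShell below is an added example, not code from Rockwell Automation, CISA or 1898 & Co.; it assumes an elevated session on the workstation, and the set of broad principals it flags (`$BroadSids`) is an assumption to adapt per site.

```powershell
# Added audit example, not Rockwell or 1898 & Co. code. Read-only: it changes nothing.
# Assumes an elevated PowerShell session on the FactoryTalk View SE workstation.
$RockwellDir = 'C:\Program Files (x86)\Common Files\Rockwell'   # path quoted in the advisory
$DebugPort   = 8091                                             # remote debugger port (CVE-2025-24481)
# Assumed "broad" principals, by well-known SID:
# Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users
$BroadSids   = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'
# CreateFiles | CreateDirectories | GENERIC_WRITE | GENERIC_ALL
$WriteMask   = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Format-PathEntry([string]$Entry) {
    [Environment]::ExpandEnvironmentVariables($Entry).Trim().Trim('"').TrimEnd('\')
}

# Step 3: the Rockwell directory should be the first entry of the machine PATH.
$entries = @([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    ForEach-Object { Format-PathEntry $_ } | Where-Object { $_ })
$position = -1
for ($i = 0; $i -lt $entries.Count; $i++) {
    if ($entries[$i] -ieq $RockwellDir) { $position = $i; break }
}

# Step 5: list PATH directories in which a broad group is allowed to create files.
$findings = foreach ($dir in $entries) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadSids -contains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $WriteMask) -and
            -not ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)
        } |
        ForEach-Object {
            [pscustomobject]@{ Directory = $dir; Principal = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
        }
}

# Step 2: report which local addresses, if any, are listening on the debugger port.
$listeners = @(Get-NetTCPConnection -LocalPort $DebugPort -State Listen -ErrorAction SilentlyContinue)

Write-Host "Rockwell directory index in machine PATH: $position (0 = first, -1 = absent)"
Write-Host "TCP $DebugPort listening on: $(($listeners | ForEach-Object LocalAddress) -join ', ')"
$findings
```

An index of 0 is the desired result, and every row returned is a PATH directory where a non-administrative principal can create files. A listener bound to `0.0.0.0` or `::` is reachable from other hosts unless a firewall rule blocks the port.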
1898 & Co. closely tracks Rockwell Automation security advisories and CISA ICS disclosures affecting HMI platforms and SCADA infrastructure deployed across our clients' critical infrastructure environments. Upon identification of advisory SD1720 and its two associated CVEs, our team assessed FactoryTalk View SE deployments within client environments, identified unpatched installations, and initiated guidance on patch scheduling and compensating control implementation within the operational constraints of each facility. Our OT patch management services are designed to fit within the narrow maintenance windows that industrial environments require, minimizing operational risk during the remediation process.
Our industrial cybersecurity practice has deep expertise in Rockwell Automation's FactoryTalk platform suite and the network architectures in which FactoryTalk View SE is typically deployed, including air-gapped and DMZ-segmented OT environments. We provide workstation hardening assessments, PATH and permission audits, and HMI security reviews aligned with IEC 62443 and NIST SP 800-82, enabling clients to address not only the specific CVEs disclosed in this advisory but the underlying misconfiguration patterns that give rise to this class of vulnerability. Our continuous monitoring capabilities provide visibility into local privilege escalation attempts and DLL hijacking indicators on OT endpoints in environments where endpoint detection coverage extends to HMI workstations.
1898 & Co. has a proven track record of assisting critical infrastructure operators in responding to local privilege escalation and code injection vulnerabilities in industrial HMI and SCADA platforms. We encourage clients running FactoryTalk View SE to engage our team to confirm patch status, validate PATH remediation, and assess whether HMI workstation hardening is consistent with the access control requirements of their applicable compliance framework.
1. Rockwell Automation Security Advisory SD1720 — FactoryTalk View Site Edition
2. CISA ICS Advisory ICSA-25-028-04 — Rockwell Automation FactoryTalk View Site Edition