FactoryTalk View Machine Edition and PanelView Plus 7 Vulnerabilities

Severity: High
Advisory ID: SD1753
Published Date: October 14, 2025
Last Updated: October 14, 2025
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: Yes
CVE IDs: CVE-2025-9064, CVE-2025-9063
Downloads
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
JSON
Summary

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

 

Product Description

FactoryTalk View Machine Edition is a versatile, machine-level HMI software that enables intuitive design, monitoring, and control of operator interfaces with superior graphics, runtime management, and scalable deployment across PanelView Plus and PC-based platforms.

Affected products and solution

Affected Product: FactoryTalk View Machine Edition
CVE: CVE-2025-9064
Affected Software Version: FactoryTalk View ME versions earlier than V15.00
Corrected in Software Version:
- FactoryTalk View ME V15.00 and later on ASEM 6300 IPCs
- Patch BF31001
- PanelView Plus 7 Performance Series B V14.103 firmware package
Affected Catalog Numbers: 9701M-VWSTNMT

Affected Product: PanelView Plus 7 Performance Series B
CVE: CVE-2025-9063
Affected Software Version: PanelView Plus 7 Performance Series B V14.100
Corrected in Software Version:
- PanelView Plus 7 Performance Series B V14.103 firmware package
Affected Catalog Numbers: 9701M-VWSTNMT

Security Issue Details

CVE ID: CVE-2025-9064

Impact: A path traversal security issue exists within FactoryTalk View Machine Edition, allowing unauthenticated attackers on the same network as the device to delete any file within the panel's operating system. Exploitation of this vulnerability is dependent on the knowledge of filenames to be deleted.

CVSS 3.1 Base Score: 7.5/10

CVSS 4.0 Base Score: 8.7/10

CWEs: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Known Exploited Vulnerability: No (Not listed in KEV database)

CVE ID: CVE-2025-9063

Impact: An authentication bypass security issue exists within FactoryTalk View Machine Edition Web Browser ActiveX control. Exploitation of this vulnerability allows unauthorized access to the PanelView Plus 7 Series B, including access to the file system, retrieval of diagnostic information, event logs, and more.

CVSS 3.1 Base Score: 7.3/10

CVSS 4.0 Base Score: 7.0/10

CWEs: CWE-285: Improper Authorization

Known Exploited Vulnerability: No (Not listed in KEV database)

Alternate Mitigation: If updating to the latest software version is not possible, it is recommended to remove the Web Browser ActiveX Control.

Glossary

· HMI (Human-Machine Interface): used for industrial automation, serving as the vital link between human operators and the technology they use

· ASEM IPC: line of industrial PCs designed for various applications in manufacturing and automation

Mitigations and Workarounds

Customers using the affected software who are not able to upgrade to one of the corrected versions should use our security best practices.

Revision History

Revision: 1.0
Date: October 14, 2025
Description: Initial release

Get Up-to-Date Product Security Information

Visit the Rockwell Automation security advisories on the Trust Center page to:

· Subscribe to product security alerts
· Review the current list of Rockwell Automation security advisories
· Report a possible security issue in a Rockwell Automation product
· Learn more about the Rockwell Automation vulnerability policy

Support

If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

If you have any questions regarding this disclosure, please contact PSIRT.

Email: rasecure@ra.rockwell.com

Legal Disclaimer

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.
