Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 8.5/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to help customers improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | CVE | Affected Software Version | Corrected in Software Version |
| --- | --- | --- | --- |
| FactoryTalk Viewpoint | CVE-2025-7973 | Version 14.00 or below | 15.00 |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerability.
CVE-2025-7973 IMPACT
A security issue exists in FactoryTalk ViewPoint version 14.0 or below due to improper handling of MSI repair operations. During a repair, attackers can hijack the cscript.exe console window, which runs with SYSTEM privileges. This can be exploited to spawn an elevated command prompt, enabling full privilege escalation.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-268: Privilege Chaining
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Users should update to the corrected version if possible. Users of the affected software who are unable to upgrade should apply security best practices.
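Sites that cannot upgrade immediately can watch process-creation telemetry for the outcome described under CVE-2025-7973 IMPACT. The Python below is an added example, not Rockwell Automation code: it assumes Sysmon Event ID 1 style fields and assumes the elevated shell appears as a descendant of a cscript.exe started by msiexec.exe. All sample records are constructed.

```python
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM = "NT AUTHORITY\\SYSTEM"

def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def find_elevated_shells(events):
    """Return ProcessGuids of SYSTEM shells on a user desktop that descend
    from a cscript.exe whose parent image is msiexec.exe."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if base(e["Image"]) not in SHELLS or e["User"].upper() != SYSTEM:
            continue
        if e["TerminalSessionId"] == 0:  # session 0: services, no user desktop
            continue
        seen, cur = set(), e
        while cur is not None and cur["ProcessGuid"] not in seen:
            seen.add(cur["ProcessGuid"])  # guards against GUID loops in bad data
            if (base(cur["Image"]) == "cscript.exe"
                    and base(cur["ParentImage"]) == "msiexec.exe"):
                hits.append(e["ProcessGuid"])
                break
            cur = by_guid.get(cur["ParentProcessGuid"])  # None if not in batch
    return hits

def ev(guid, parent, image, parent_image, user, session):
    """Build one constructed process-creation record."""
    return {"ProcessGuid": guid, "ParentProcessGuid": parent,
            "Image": "C:\\Windows\\System32\\" + image,
            "ParentImage": "C:\\Windows\\System32\\" + parent_image,
            "User": user, "TerminalSessionId": session}

# Constructed sample records (not captured from a real system).
SAMPLE = [
    ev("G1", "G0", "cscript.exe", "msiexec.exe", SYSTEM, 1),  # repair script
    ev("G2", "G1", "conhost.exe", "cscript.exe", SYSTEM, 1),
    ev("G3", "G2", "cmd.exe", "conhost.exe", SYSTEM, 1),      # expected hit
    ev("G4", "G9", "cmd.exe", "cmd.exe", "PLANT\\operator", 1),  # normal user
    ev("G5", "G8", "cmd.exe", "services.exe", SYSTEM, 0),     # service session
    ev("G6", "G7", "cscript.exe", "svchost.exe", SYSTEM, 1),  # not an MSI repair
    ev("G7", "G6", "cmd.exe", "cscript.exe", SYSTEM, 1),      # malformed loop
]

if __name__ == "__main__":
    print(find_elevated_shells(SAMPLE))
```

A shell whose cscript.exe ancestor record is missing from the batch is not flagged, so feed the function a window wide enough to include the installer activity.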
Glossary:
MSI: A Microsoft Installer (MSI) file is a package format used for installing, maintaining, and removing software on Windows systems.
Cscript.exe: A command-line utility in Windows used to run scripts written in VBScript or JScript.
SYSTEM Privileges: SYSTEM privileges refer to the highest level of access on a Windows machine, allowing full control over all system resources and processes.