Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 8.5/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product
|
CVE
|
Affected Software Versions
|
Corrected in Software Version
|
FactoryTalk® Action Manager
|
CVE-2025-9036
|
1.0.0
|
1.01
|
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-9036 IMPACT
A security issue in the runtime event system allows unauthenticated connections to receive a reusable API token. This token is broadcasted over a WebSocket and can be intercepted by any local client listening on the connection.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: Exposure of Sensitive Information to an Unauthorized Actor
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.
Glossary:
API: (Application Programming Interface) is a set of protocols and tools that allow different software applications to communicate with each other
WebSocket: protocol used for communication between a client and a server over a single connection
