FactoryTalk® Linx Privilege Escalation Vulnerabilities
The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.
Product Description
FactoryTalk Linx is a modern, secure communications platform that delivers real-time control system data from Allen-Bradley devices to FactoryTalk and third-party software, optimized for Logix 5000 controllers and scalable from small setups to large distributed systems.
Affected products and solution
Affected Product |
CVE |
Affected Software Version |
Corrected in Software Version |
FactoryTalk Linx |
CVE-2025-9067 |
6.40 and prior |
6.50 and later |
FactoryTalk Linx |
CVE-2025-9068 |
6.40 and prior |
6.50 and later |
Security Issue Details
Category |
Details |
CVE ID |
CVE-2025-9067 |
Impact |
A security issue exists within the x86 Microsoft Installer File (MSI), installed with FTLinx. Authenticated attackers with valid Windows user credentials can initiate a repair and hijack the resulting console window. This allows the launching of a command prompt running with SYSTEM-level privileges, allowing full access to all files, processes, and system resources. |
CVSS 3.1 Base Score |
|
CVSS 4.0 Base Score |
|
CWEs |
|
Known Exploited Vulnerability |
No (Not listed in KEV database) |
Category |
Details |
CVE ID |
CVE-2025-9068 |
Impact |
A security issue exists within the Rockwell Automation Driver Package x64 Microsoft Installer File (MSI) repair functionality, installed with FTLinx. Authenticated attackers with valid Windows Users credentials can initiate a repair and hijack the resulting console window for vbpinstall.exe. This allows the launching of a command prompt running with SYSTEM-level privileges, allowing full access to all files, processes, and system resources. |
CVSS 3.1 Base Score |
|
CVSS 4.0 Base Score |
|
CWEs |
|
Known Exploited Vulnerability |
No (Not listed in KEV database) |
Mitigations and Workarounds
Customers using the affected software should consider installing the Microsoft patch to address the MSI issue and upgrade to version 6.50 or later if possible. Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.
Revision History
Revision |
Date |
Description |
1.0 |
October 14, 2025 |
Initial release |
Glossary
· MSI: Windows Installer package used to install, update, or remove software on Windows Systems
· SYSTEM-level privileges: access or execution rights equivalent to the Windows operating system's highest authority, allowing full control over all processes, files, and configurations.
Get Up-to-Date Product Security Information
Visit the Rockwell Automation security advisories on the Trust Center page to:
· Subscribe to product security alerts
· Review the current list of Rockwell Automation security advisories
· Report a possible security issue in a Rockwell Automation product
· Learn more about the Rockwell Automation vulnerability policy
Support
If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.
If you have any questions regarding this disclosure, please contact PSIRT
Email: rasecure@ra.rockwell.com
Legal Disclaimer
ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.
