CVE-2025-14272
Description
Missing authorization in FactoryTalk Analytics PavilionX API endpoints allows unauthenticated attackers to perform privileged administrative actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing authorization vulnerability (CWE-862) exists in the API endpoints of Rockwell Automation FactoryTalk Analytics PavilionX version 7.00. The affected software fails to enforce proper authorization checks on certain API endpoints, allowing requests that should require administrative privileges to be processed without verification. This affects catalog numbers 9529-PV8DBENE, 95055-PV8BASET1T, and 95055-PV8BASET1TPE running version 7.00 [1].
Exploitation
An attacker with network access to the PavilionX API endpoints can directly send crafted requests to privileged operations without any authentication or prior authorization. No user interaction or special network position beyond reachability of the API is required. The attacker simply needs to identify the unprotected administrative endpoints and issue HTTP requests to them [1].
Impact
Successful exploitation allows an unauthorized actor to execute privileged operations, including user/role management and other administrative actions. This can lead to complete compromise of the application's security controls, enabling the attacker to modify user accounts, change roles, and perform other administrative functions that could disrupt industrial process optimization activities [1].
Mitigation
Rockwell Automation has released version 7.01 of FactoryTalk Analytics PavilionX, which corrects the vulnerability. The vendor recommends that customers upgrade to version 7.01. For those unable to upgrade immediately, the vendor advises following security best practices, though no specific workaround is provided. This CVE is not listed in the Known Exploited Vulnerabilities catalog [1].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (1)
- Rockwell Automation FactoryTalk Analytics PavilionX (CISA ICS Advisories)