Advisory · Published Jun 16, 2026 · 1 source

CISA Warns of Missing Authorization Flaw in Rockwell Automation FactoryTalk Analytics PavilionX

CISA disclosed CVE-2025-14272, a missing authorization vulnerability in Rockwell Automation FactoryTalk Analytics PavilionX that could allow unauthenticated attackers to execute privileged operations.

CISA has disclosed a high-severity missing authorization vulnerability in Rockwell Automation's FactoryTalk Analytics PavilionX, tracked as CVE-2025-14272. The flaw affects versions prior to 7.01 and carries a CVSS v3.1 base score of 7.0 (HIGH) and a CVSS v4.0 score of 8.3 (HIGH). Because authorization is not properly enforced on API endpoints, successful exploitation could allow an unauthenticated attacker to execute privileged operations, including user and role management and other administrative actions.

The vulnerability stems from improper authorization enforcement in API endpoints and is classified as CWE-862 (Missing Authorization). An attacker with network access could exploit the high-complexity flaw to gain unauthorized administrative control over affected systems. The product is deployed worldwide across the Critical Manufacturing sector, and Rockwell Automation is headquartered in the United States.
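As an added illustration (not Rockwell's code and not the PavilionX implementation), the hypothetical Python API dispatcher below shows the CWE-862 pattern: a privileged role-management handler reachable with no authorization check at all, beside a deny-by-default dispatcher that requires an authenticated principal and an explicitly declared role for every route. Route paths, roles and user names are constructed for the example.

```python
# Hypothetical API dispatcher illustrating CWE-862 (Missing Authorization)
# and a deny-by-default fix. Not derived from any vendor's code.
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Request:
    path: str
    principal: Optional[str] = None          # None = unauthenticated caller
    roles: Set[str] = field(default_factory=set)

# Constructed user/role store (the resource a privileged handler manages).
USERS = {"alice": {"admin"}, "bob": {"operator"}}

def assign_role_handler(req: Request, user: str, role: str):
    """Privileged operation: user and role management."""
    USERS.setdefault(user, set()).add(role)
    return 200, f"{user} now has role {role}"

ROUTES = {"/api/admin/assign_role": assign_role_handler}

# --- Vulnerable: the handler runs for anyone who can reach the endpoint ---
def dispatch_vulnerable(req: Request, *args):
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req, *args)               # no authn, no authz check

# --- Hardened: each route declares the role it needs; unknown -> deny -----
REQUIRED_ROLE = {"/api/admin/assign_role": "admin"}

def dispatch_hardened(req: Request, *args):
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    if req.principal is None:                # reject unauthenticated callers
        return 401, "authentication required"
    needed = REQUIRED_ROLE.get(req.path)
    if needed is None or needed not in req.roles:   # deny by default
        return 403, "forbidden"
    return handler(req, *args)
```

The central check in `dispatch_hardened` is what a missing-authorization flaw lacks: every privileged route must be paired with a required role, and a route without one is refused rather than allowed.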

Rockwell Automation has released version 7.01 of FactoryTalk Analytics PavilionX to address the vulnerability. The update is available for download from the Rockwell Automation Download Center. The company also published advisory SD1777 with additional mitigation guidance. CISA recommends that users minimize network exposure for all control system devices, ensure they are not accessible from the internet, and place control system networks behind firewalls, isolated from business networks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. The advisory notes that the attack complexity is high, which may reduce the immediate risk of widespread exploitation. However, the potential impact on critical manufacturing infrastructure makes timely patching essential.

This disclosure follows a pattern of CISA advisories addressing vulnerabilities in industrial control systems (ICS) from major vendors. Rockwell Automation products are widely used in critical infrastructure, making security flaws in their software particularly concerning. Organizations using FactoryTalk Analytics PavilionX should prioritize updating to version 7.01 or later and implement the recommended defensive measures to protect against potential attacks.

Synthesized by Vypr AI