CVE-2025-0477
Published: 30 January 2025
Summary
CVE-2025-0477 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Rockwell Automation FactoryTalk AssetCentre. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks in the top 18.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-13 (Cryptographic Protection).
Deeper analysis
An encryption vulnerability affects all versions of Rockwell Automation FactoryTalk AssetCentre prior to V15.00.001. It stems from use of a weak encryption methodology, which is tracked as CWE-522 and enables extraction of passwords that belong to other application users. The issue carries a CVSS 4.0 score of 9.3 with a network attack vector and no required privileges or user interaction.
A remote unauthenticated attacker can exploit the flaw to obtain credentials stored by other users, thereby gaining unauthorized access that may lead to full compromise of confidentiality, integrity, and availability within the affected system.
The vendor advisory published by Rockwell Automation directs customers to upgrade to version V15.00.001 to address the weakness. The associated EPSS score remains low, with a current value of 0.0143 and a peak of 0.0173.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1701
Vulnerability details
An encryption vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The vulnerability exists due to a weak encryption methodology and could allow a threat actor to extract passwords belonging to other users of the application.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Weak encryption (CWE-522) directly enables extraction of other users' passwords (T1552 Unsecured Credentials); extracted credentials then facilitate unauthorized access via valid accounts (T1078).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mandates timely identification, reporting, and correction of flaws like the weak encryption vulnerability through patching to V15.00.001 or later.
Requires implementation of approved cryptographic mechanisms to protect sensitive data such as stored passwords, directly countering the weak encryption methodology.
Ensures secure management and protection of authenticators including passwords, preventing storage with weak encryption that allows extraction.