CVE-2025-0497
Published: 30 January 2025
Summary
CVE-2025-0497 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Rockwellautomation Factorytalk Assetcentre. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 29.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
IA-5 requires protecting the storage of authenticators such as credentials commensurate with their sensitivity, directly addressing plaintext storage in configuration files.
SC-28 mandates cryptographic protection for confidential information at rest, preventing exposure of credentials stored in configuration files.
AC-3 enforces approved access authorizations to system resources including configuration files, blocking unauthenticated attackers from retrieving exposed credentials.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Plaintext credentials in accessible config files directly enable T1552.001 (Credentials In Files); retrieved creds then facilitate T1078 (Valid Accounts) for unauthorized access.
NVD Description
A data exposure vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The vulnerability exists due to storing credentials in the configuration file of EventLogAttachmentExtractor, ArchiveExtractor, LogCleanUp, or ArchiveLogCleanUp packages.
Deeper analysisAI
CVE-2025-0497 is a data exposure vulnerability affecting all versions prior to V15.00.001 of Rockwell Automation FactoryTalk AssetCentre. The issue stems from credentials being stored in plaintext within the configuration files of the EventLogAttachmentExtractor, ArchiveExtractor, LogCleanUp, or ArchiveLogCleanUp packages, mapped to CWE-522 (Insufficiently Protected Credentials). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its critical severity due to high impacts across confidentiality, integrity, and availability.
The vulnerability can be exploited by any unauthenticated attacker with network access to the affected system, requiring low complexity and no user interaction. By accessing the exposed configuration files, an attacker can retrieve stored credentials, enabling potential unauthorized access to FactoryTalk AssetCentre functions or related systems, with severe consequences for confidentiality, integrity, and availability as scored.
Mitigation details are provided in the Rockwell Automation security advisory at https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1721.html, published on 2025-01-30.
Details
- CWE(s)