Cyber Resilience

CVE-2025-0497

High

Published: 30 January 2025

Modified: 04 November 2025
CVSS Score v4: 7.3 · CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0011 · 29.5th percentile
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0497 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Rockwell Automation FactoryTalk AssetCentre. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks at the 29.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-0497 is a data exposure vulnerability affecting all versions prior to V15.00.001 of Rockwell Automation FactoryTalk AssetCentre. The issue stems from credentials being stored in plaintext within the configuration files of the EventLogAttachmentExtractor, ArchiveExtractor, LogCleanUp, or ArchiveLogCleanUp packages, mapped to CWE-522 (Insufficiently Protected Credentials). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its critical severity due to high impacts across confidentiality, integrity, and availability. This differs from the CVSS v4 vector listed above, which scores the issue 7.3 with local access (AV:L), high attack complexity (AC:H) and low privileges required (PR:L).

The vulnerability can be exploited by any unauthenticated attacker with network access to the affected system, requiring low complexity and no user interaction. By accessing the exposed configuration files, an attacker can retrieve stored credentials, enabling potential unauthorized access to FactoryTalk AssetCentre functions or related systems, with severe consequences for confidentiality, integrity, and availability as scored.

Mitigation details are provided in the Rockwell Automation security advisory at https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1721.html, published on 2025-01-30.

Vulnerability details

A data exposure vulnerability exists in all versions prior to V15.00.001 of Rockwell Automation FactoryTalk® AssetCentre. The vulnerability exists due to storing credentials in the configuration file of EventLogAttachmentExtractor, ArchiveExtractor, LogCleanUp, or ArchiveLogCleanUp packages.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1552.001 · Credentials In Files · Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

T1078 · Valid Accounts · Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

Plaintext credentials in accessible configuration files directly enable T1552.001 (Credentials In Files); the retrieved credentials then facilitate T1078 (Valid Accounts) for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0477 · Same product: Rockwell Automation FactoryTalk AssetCentre
CVE-2025-0498 · Same product: Rockwell Automation FactoryTalk AssetCentre
CVE-2025-7972 · Same vendor: Rockwell Automation
CVE-2025-9278 · Same vendor: Rockwell Automation
CVE-2025-9279 · Same vendor: Rockwell Automation
CVE-2025-9064 · Same vendor: Rockwell Automation
CVE-2025-9464 · Same vendor: Rockwell Automation
CVE-2025-9280 · Same vendor: Rockwell Automation
CVE-2025-9161 · Same vendor: Rockwell Automation
CVE-2025-9465 · Same vendor: Rockwell Automation

Affected Assets

rockwellautomation · factorytalk assetcentre · ≤ 15.00.01

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · IA-5 requires protecting the storage of authenticators such as credentials commensurate with their sensitivity, directly addressing plaintext storage in configuration files.

prevent · SC-28 mandates cryptographic protection for confidential information at rest, preventing exposure of credentials stored in configuration files.

prevent · AC-3 enforces approved access authorizations to system resources including configuration files, blocking unauthenticated attackers from retrieving exposed credentials.
