The Broadside · News

Rockwell warns PavilionX flaw lets attackers manage roles

An unauthenticated path to user and role management is not a dashboard bug; it is the administrative door left unlocked.


TL;DR

CISA republished Rockwell Automation advisory SD1777 for CVE-2025-14272, a missing authorization flaw in FactoryTalk Analytics PavilionX versions before 7.01. The high-severity issue scores 7.0 under CVSS 3.1 and 8.3 under CVSS 4.0, and can let unauthenticated remote attackers execute privileged operations, including user and role management. Critical manufacturing sites, including defense-industrial-base contractors and their MSP or C3PAO support teams, should move to 7.01 or later.

CISA says Rockwell Automation FactoryTalk Analytics PavilionX versions earlier than 7.01 contain a missing authorization flaw in API endpoints that can let an unauthorized actor perform privileged operations, including user and role management. Rockwell reported the issue and recommends updating to PavilionX 7.01 or later. CISA says the product is deployed worldwide in the critical manufacturing sector, and it has not received reports of known public exploitation targeting this vulnerability.

The practical risk is straightforward: if PavilionX helps run or analyze production environments, unauthorized administrative actions are not a nuisance condition. They are a persistence and disruption problem. Defense-industrial-base manufacturers, contractors, managed service providers and C3PAOs with visibility into operational technology inventories should identify pre-7.01 PavilionX deployments, confirm whether the upgrade requires production downtime, and apply CISA’s familiar controls while scheduling the fix: reduce network exposure, keep control systems off the internet, isolate OT networks from business networks, and treat remote access as another system that has to be patched, not a magic exception.
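One way to turn that checklist into a repeatable triage pass, as an added example that is not part of the original article or Rockwell's advisory: the script below walks a constructed asset inventory, flags PavilionX instances older than 7.01, and notes which of CISA's exposure controls each one still lacks. It assumes version strings compare as integer tuples (so "7.01" is read as 7.1 rather than as a float) and that the inventory carries exposure and segmentation fields; the hosts are hypothetical.

```python
from dataclasses import dataclass

# PavilionX 7.01 is the fixed version named in advisory SD1777.
# Assumption: dotted versions compare as integer tuples, so "7.01" -> (7, 1).
FIXED_VERSION = (7, 1)


def parse_version(text: str) -> tuple:
    # "7.01" -> (7, 1); "6.30" -> (6, 30). Integer tuples avoid the float
    # trap where "7.01" would sort below "7.1".
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Asset:
    host: str
    product: str
    version: str
    internet_exposed: bool      # reachable from the internet
    segmented_from_it: bool     # OT network isolated from business network
    remote_access_patched: bool # remote access path is itself kept current


def triage(assets):
    # Returns (host, version, [actions]) for every pre-7.01 PavilionX asset.
    findings = []
    for a in assets:
        if a.product.lower() != "factorytalk analytics pavilionx":
            continue
        if parse_version(a.version) >= FIXED_VERSION:
            continue
        actions = ["upgrade to 7.01 or later"]
        if a.internet_exposed:
            actions.append("remove direct internet exposure")
        if not a.segmented_from_it:
            actions.append("isolate OT network from business network")
        if not a.remote_access_patched:
            actions.append("patch the remote access path")
        findings.append((a.host, a.version, actions))
    return findings


# Constructed sample inventory; hostnames and versions are hypothetical.
SAMPLE_INVENTORY = [
    Asset("plant1-pvx", "FactoryTalk Analytics PavilionX", "6.30", True, False, True),
    Asset("plant2-pvx", "FactoryTalk Analytics PavilionX", "7.01", False, True, True),
    Asset("plant3-pvx", "FactoryTalk Analytics PavilionX", "7.00", False, True, False),
    Asset("hist-01", "FactoryTalk Historian", "9.0", False, True, True),
]

if __name__ == "__main__":
    for host, version, actions in triage(SAMPLE_INVENTORY):
        print(f"{host} ({version}): " + "; ".join(actions))
```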


Published · Deep Fathom