Rockwell Automation has confirmed a high-severity information disclosure vulnerability in its FactoryTalk Action Manager software that broadcasts reusable API tokens over local WebSocket channels, opening the door for any attacker with local access to intercept and misuse these credentials to manipulate industrial control systems. The vendor is urging customers to update immediately to FactoryTalk Action Manager version 1.01 or later, and the Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory detailing the flaw and defensive measures.
The issue, tracked as CVE-2025-9036 in official advisories, stems from a design decision in the runtime event system of FactoryTalk Action Manager—a component of Rockwell Automation’s FactoryTalk suite used for software management and runtime event handling in industrial environments. According to CISA, an unauthenticated local attacker can connect to a WebSocket endpoint that the product opens and simply listen for the API token that the system broadcasts. Because the token is reusable, capturing it allows subsequent API operations—potentially including configuration changes, state queries, or even commands that alter physical processes—until the token expires or is revoked.
Understanding the Vulnerability
The flaw falls under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. In plain terms, FactoryTalk Action Manager’s runtime event system opens a WebSocket endpoint that any local process can join without authentication. Once connected, a client receives the API token that the system broadcasts for internal use. That token is not scoped to a single session, and the endpoint performs no client authentication (no mutual TLS or equivalent), so transport encryption alone would not help: a client that is allowed to connect is also handed the secret. As a result, a local client, whether an insider’s script, a compromised operator workstation, or malware, can passively capture the token simply by connecting to the socket.
"This is token telemetry in the worst sense," notes one security engineer in a detailed community analysis. "The product essentially shouts its credentials into a room where anyone with a chair and a clipboard can write them down." The analysis points out that the attack complexity is rated low in both CVSS v3.1 and v4, and the impact scores are high across confidentiality, integrity, and availability.
Scope of Deployment and Risk
FactoryTalk components are widely deployed across critical infrastructure sectors worldwide, including chemical, critical manufacturing, energy, food and agriculture, transportation systems, and water/wastewater. CISA’s advisory underscores that the equipment is present globally, with corporate headquarters in the United States. This broad deployment footprint amplifies the potential blast radius should attackers systematically exploit the local token leak.
Although the vulnerability is not remotely exploitable (the CVSS attack vector is Local, so an attacker must already be able to run code on the affected host or otherwise reach its WebSocket listener), industrial environments frequently provide such access. Contractors, vendor support tools, USB-based malware, and weak network segmentation between business and operational networks all create local attack surfaces. "Local-only classification may lull teams into complacency," warns the community discussion. "Local access is easier than many defenders expect."
Technical Breakdown: How the Token Leak Works
Rockwell’s FactoryTalk Action Manager operates as a management platform that handles software deployment, monitoring, and runtime event coordination. In version 1.0.0, before the 1.01 fix, the runtime event subsystem initializes a WebSocket server on a local port. The server accepts connections from any process and broadcasts the API token that the management backend uses for subsequent authenticated requests. There is no handshake authentication, no client certificate requirement, and no token scope limitation.
CISA’s advisory provides the following CVSS scores:
- CVSS v3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- CVSS v4: 8.5 (AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Both vectors record no privileges required (PR:N) and low attack complexity (AC:L), which is what makes the token easy to steal. Note, however, that both also record user interaction (UI:R in v3.1, UI:P in v4): some action by a legitimate user is part of the exploit path, which is why the v3.1 base score is 7.8 rather than higher despite High impact on confidentiality, integrity, and availability. Those High impact ratings indicate that a successful token capture can lead to complete compromise of the managed system.
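To make the failure mode concrete, the following added example (not Rockwell’s code) models the leak described above and the access control that closes it. It stands in for the product’s WebSocket with a plain line-oriented TCP protocol on 127.0.0.1; the token values, the `AUTH` handshake and the local secret are all constructed for this model and are not the product’s protocol.

```python
"""Added example, not Rockwell's code: a model of the token leak and of the
access control that closes it. A plain line-oriented TCP protocol on
127.0.0.1 stands in for the product's WebSocket; the token values, the AUTH
handshake and the local secret are constructed for this model."""
import secrets
import socket
import threading

API_TOKEN = "tok-" + secrets.token_hex(8)   # one reusable backend token (constructed)
LOCAL_SECRET = secrets.token_hex(16)        # models a file readable only by authorised local users


def start_server(handler):
    """Serve `handler` on an ephemeral localhost port; return (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    srv.settimeout(0.1)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                handler(conn)
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop.set


def leaky_handler(conn):
    """The flaw as described in the advisory: whoever connects is handed the
    shared, reusable token without any authentication."""
    conn.sendall(f"TOKEN {API_TOKEN}\n".encode())


def hardened_handler(conn):
    """Closing it: the client must first prove it can read the local secret
    (an OS-level permission check), and then receives a token minted for this
    connection only, so a captured value is not reusable elsewhere."""
    conn.settimeout(0.5)
    try:
        line = conn.makefile("r").readline().strip()
    except socket.timeout:
        line = ""
    if not secrets.compare_digest(line, f"AUTH {LOCAL_SECRET}"):
        conn.sendall(b"DENIED\n")
        return
    conn.sendall(f"TOKEN session-{secrets.token_hex(8)}\n".encode())


def _read_token(sock):
    reply = sock.makefile("r").readline().strip()
    return reply.split(" ", 1)[1] if reply.startswith("TOKEN ") else None


def passive_capture(port):
    """What any local process can do: connect, send nothing, read what arrives."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        return _read_token(c)


def authenticated_fetch(port, secret):
    """A legitimate client of the hardened server: prove the secret, get a session token."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        c.sendall(f"AUTH {secret}\n".encode())
        return _read_token(c)


if __name__ == "__main__":
    port, stop = start_server(leaky_handler)
    print("leaky server:", passive_capture(port), passive_capture(port))  # same token twice
    stop()
    port, stop = start_server(hardened_handler)
    print("hardened, passive client:", passive_capture(port))            # None
    print("hardened, authenticated:", authenticated_fetch(port, LOCAL_SECRET))
    stop()
```

Two properties of the leaky server matter for the advisory: every connection, not just an authorised one, receives the token, and every connection receives the same token, so a single capture is enough for later replay. The hardened handler changes both: issuance is gated on something only authorised local users can read, and the value issued is bound to the connection that asked for it.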
A Note on CVE Number Confusion
Sharp-eyed readers may notice that a popular community forum post references CVE-2025-7532, while the official CISA advisory and Rockwell’s documentation list the identifier as CVE-2025-9036. This discrepancy appears to be a transcription error in the community post. All technical details—affected versions, attack vector, CVSS scores—align perfectly across both sources. For clarity, this article uses the officially assigned CVE-2025-9036.
Impact: A Local Attack with Industrial Consequences
Possession of the reusable API token gives an attacker the ability to invoke management APIs that control the behavior of FactoryTalk Action Manager. That control can extend to other components in the OT environment if the token grants privileges beyond just the manager itself. Potential outcomes include:
- Unauthorized configuration changes that alter process setpoints or safety thresholds.
- Disabling alarms or notifications to mask malicious activity.
- Extraction of sensitive operational data for industrial espionage.
- Pivot points for lateral movement deeper into the control network.
Because industrial control systems (ICS) often rely on deterministic communication and trusted internal APIs, a stolen token can be wielded without triggering many traditional intrusion detection signatures. The token reuse pattern—where identical tokens appear from different source hosts—is one of the few reliable indicators.
Mitigation and Patching: Immediate Steps
Rockwell Automation and CISA recommend the following prioritized actions:
- Update to FactoryTalk Action Manager 1.01 or later – The patched version corrects the token broadcast flaw, so API tokens are no longer handed to unauthenticated WebSocket clients. Rockwell’s security advisory page provides download links and release notes.
- Restrict local access – Limit physical and interactive access to engineering workstations running Action Manager. Enforce strict user account controls and remove unnecessary interactive privileges; the attack vector is Local, so every account and process that can run on the host is in scope.
- Network segmentation – Isolate control system networks behind industrial firewalls. If the WebSocket listener is reachable from other machines, also block all non-essential inbound traffic to that port on the host firewall, and allow management connections only from hardened jump hosts.
- Rotate tokens and credentials – Patching does not invalidate a token that was already captured. After patching, revoke any previously used API tokens and regenerate new ones, and ensure automated processes fail securely if a token is suddenly invalid.
- Enhance endpoint hardening – Deploy application whitelisting and host-based intrusion detection on machines running FactoryTalk components. Monitor for unexpected processes that open WebSocket client connections.
CISA also emphasizes standard ICS defensive measures: minimizing network exposure, using VPNs (with caution), performing impact analysis before deploying defensive measures, and maintaining an incident response plan.
Detection and Monitoring: Catching Token Theft
Defenders can look for several indicators of token capture and misuse:
- Host-level telemetry: Monitor process creation on Action Manager hosts. Flag any non-standard program that initiates a WebSocket handshake. Audit access to configuration files where tokens may be stored.
- Network traffic analysis: Inspect internal network flows for WebSocket traffic to the Action Manager runtime port. Filter for unexpected source IP addresses and one-to-many broadcast patterns.
- API log auditing: Enable centralized logging for Action Manager APIs. Alert on privileged API calls from unfamiliar endpoints, calls during odd hours, or rapid sequences following a new WebSocket connection.
- Token reuse detection: Use security information and event management (SIEM) systems to spot identical tokens being used by different clients or hosts—a hallmark of token theft.
Because the exact port numbers and protocol specifics are vendor-defined, organizations should consult Rockwell’s documentation to fine-tune detection rules. Behavior-based anomaly detection is preferred over brittle string-matching since token formats may change with updates.
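The token reuse and API log auditing indicators above can be expressed as a small detection routine. The following is an added example, not Rockwell’s code or log format: the log line layout, the host allowlist, the privileged operation names and the sample lines are all constructed for illustration, and `LOG_RE` would need to be adapted to the real Action Manager log format.

```python
"""Added example, not Rockwell's code: token-reuse and misuse detection over
API access logs. Log format, hosts, operation names and sample lines are
constructed for illustration."""
import hashlib
import re
from collections import defaultdict

# Constructed log layout; adapt to the real Action Manager API log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) token=(?P<tok>\S+) op=(?P<op>\S+)$"
)

# Hosts from which management calls are expected (constructed allowlist).
KNOWN_MGMT_HOSTS = {"10.1.5.20", "10.1.5.21"}
# Operations whose misuse would change process behaviour (constructed names).
PRIVILEGED_OPS = {"config.write", "alarm.disable"}

# Constructed sample: one token used first by a known host, then by an
# unknown host that issues privileged calls with it.
SAMPLE_LOG = """\
2025-09-10T08:00:01Z src=10.1.5.20 token=tok-a1b2c3 op=state.query
2025-09-10T08:00:03Z src=10.1.5.20 token=tok-a1b2c3 op=state.query
2025-09-10T08:02:11Z src=10.1.5.77 token=tok-a1b2c3 op=config.write
2025-09-10T08:02:12Z src=10.1.5.77 token=tok-a1b2c3 op=alarm.disable
2025-09-10T08:05:00Z src=10.1.5.21 token=tok-d4e5f6 op=state.query
"""


def fingerprint(token):
    """Alert on a hash of the token, never on the reusable token itself,
    so the SIEM does not become a second place to steal it from."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:                      # unparseable lines are skipped, not fatal
            events.append(m.groupdict())
    return events


def detect(text):
    """Return alerts: one per token seen from more than one source host, plus
    one per privileged call issued from a host outside the allowlist."""
    events = parse_log(text)
    hosts_by_token = defaultdict(set)
    alerts = []
    for ev in events:
        hosts_by_token[ev["tok"]].add(ev["src"])
        if ev["op"] in PRIVILEGED_OPS and ev["src"] not in KNOWN_MGMT_HOSTS:
            alerts.append({"type": "privileged-call-from-unknown-host",
                           "src": ev["src"], "op": ev["op"], "ts": ev["ts"],
                           "token_fp": fingerprint(ev["tok"])})
    for tok, hosts in hosts_by_token.items():
        if len(hosts) > 1:         # same bearer token from different clients
            alerts.append({"type": "token-reuse-across-hosts",
                           "token_fp": fingerprint(tok), "hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample input this raises one reuse alert for the token shared between 10.1.5.20 and 10.1.5.77 and two privileged-call alerts for the unknown host; the raw token value never appears in an alert, only its fingerprint.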
Hardening Beyond the Patch
Long-term security requires architectural changes:
- Implement short-lived, scoped tokens. If the product does not natively support token rotation with minimal lifetimes, engage Rockwell’s support channels to request this feature and apply compensating token rotation policies in the meantime.
- Enforce least privilege across APIs. Ensure that any token—whether for automation scripts or operator actions—carries only the permissions absolutely necessary.
- Use dedicated management jump hosts. All administrative actions to FactoryTalk components should originate from hardened, monitored hosts with multi-factor authentication (MFA).
- Conduct regular ICS security drills. Build token exposure scenarios into tabletop exercises and purple team engagements. Practice isolating a host, collecting forensic evidence, and rotating credentials without interrupting physical processes.
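The first two items above, short-lived scoped tokens and least privilege, can be seen together in a token design. The following is an added example of such a design and is not FactoryTalk’s token format: the claim names (`sid`, `scp`, `exp`), the scope strings and the demo key are all constructed. A captured token of this shape is useless from another session, for an operation outside its scope, or after its lifetime.

```python
"""Added example, not FactoryTalk's token format: a short-lived, scoped,
session-bound API token in place of a long-lived reusable one. Claims are
HMAC-SHA256 signed; the claim names, scope strings and key are constructed."""
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # held only by issuer/verifier


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(session_id, scopes, ttl_s=60, now=None, key=SERVER_KEY):
    """Mint a token bound to one session, limited to `scopes`, valid ttl_s seconds."""
    issued = now if now is not None else time.time()
    claims = {"sid": session_id, "scp": sorted(scopes), "exp": int(issued + ttl_s)}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_token(token, session_id, required_scope, now=None, key=SERVER_KEY):
    """Return (claims, 'ok') if the token is valid for this session and scope,
    otherwise (None, reason). Signature is checked before anything is trusted."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None, "malformed"
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return None, "bad-signature"
    claims = json.loads(_unb64(body))
    current = now if now is not None else time.time()
    if current >= claims["exp"]:
        return None, "expired"
    if claims["sid"] != session_id:
        return None, "wrong-session"          # copied from another connection
    if required_scope not in claims["scp"]:
        return None, "insufficient-scope"     # e.g. read-only token used to write
    return claims, "ok"


if __name__ == "__main__":
    tok = issue_token("sess-A", ["state:read"], ttl_s=60)
    print(verify_token(tok, "sess-A", "state:read")[1])      # ok
    print(verify_token(tok, "sess-B", "state:read")[1])      # wrong-session
    print(verify_token(tok, "sess-A", "config:write")[1])    # insufficient-scope
```

The order of checks is deliberate: the signature is verified first so that nothing from an unauthenticated blob is parsed or trusted, and the session binding means a token observed on one connection does not carry over to another, which is the property the broadcast design lacked.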
Incident Response: What to Do If You Suspect Compromise
If indicators suggest that an API token has been captured or misused:
- Contain – Isolate the suspect host from the control network while preserving volatile artifacts: memory, running process list, open sockets, and application logs. Coordinate with operational teams to avoid unsafe shutdowns.
- Eradicate – Revoke all tokens associated with the host. Apply the security update if not already done. Reset credentials and rotate secrets.
- Analyze – Determine if the stolen token was used to alter process parameters or exfiltrate data. Check API logs for anomalous commands and correlate with operational events.
- Recover – Restore normal operations after confirming that no backdoors or persistent mechanisms remain.
- Report – Notify plant operations, IT security, and Rockwell Automation. Report confirmed incidents to CISA for correlation and threat intelligence sharing.
Key Takeaways
CVE-2025-9036 is a reminder that even local vulnerabilities in industrial management software can carry serious consequences. The combination of unauthenticated WebSocket broadcasting and reusable token design created a low-effort, high-impact attack path—now closed by Rockwell’s version 1.01 update.
For Windows-centric OT environments that rely on FactoryTalk, the path forward is clear: inventory all Action Manager instances, apply the patch without delay, and reinforce local host security to close the window that this bug once opened. Continuous monitoring, aggressive token rotation, and architectural improvements will further shrink the attack surface, ensuring that factory floors and power plants remain resilient against the next disclosure.