Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable API with no auth (AV:N/PR:N/UI:N); AC:H reflects required endpoint discovery; high confidentiality but limited integrity/availability since admin actions are scoped to the application.
Primary rating from Vendor (Rockwell).
CVSS VectorVendor: Rockwell
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions.
AnalysisAI
Authorization bypass in Rockwell Automation FactoryTalk Analytics PavilionX allows unauthenticated remote attackers to invoke privileged API endpoints, including user and role management functions, enabling full administrative takeover of the analytics platform. The CVSS 4.0 base score of 8.3 reflects high confidentiality impact with limited integrity and availability effects, and at the time of analysis there is no public exploit identified.
Technical ContextAI
FactoryTalk Analytics PavilionX is Rockwell Automation's cloud-hosted industrial analytics and model-predictive-control offering used to optimize continuous process manufacturing (chemicals, refining, food and beverage). The flaw is a CWE-862 Missing Authorization weakness: privileged REST API endpoints fail to verify that the caller holds the role required to invoke them, so authorization is enforced only at the UI layer or not at all. Because PavilionX exposes administrative functions (user provisioning, role assignment, configuration) over HTTP APIs accessible to authenticated tenants - and per the CVSS vector, network-reachable without authentication - direct API calls bypass the intended role-based access control model.
RemediationAI
Patch available per vendor advisory - consult Rockwell Automation Security Advisory SD1777 at https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1777.html for the exact remediated build and any required cloud tenant updates, as PavilionX is a hosted offering and the fix may be delivered server-side by Rockwell. Customers should confirm with Rockwell support that their tenant is running the patched release and audit user/role assignment logs and administrative API access for the window prior to remediation, since the bug enables silent privilege escalation. As compensating controls until confirmation, restrict outbound access to the PavilionX tenant URLs to known operator workstations via egress firewall or zero-trust proxy, enable any available MFA and IP allow-listing on the tenant (trade-off: may break remote-engineer access), and rotate any service-account credentials that could have been provisioned by an attacker abusing the user-management endpoints.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210169
GHSA-cw2v-q9hw-55mq