Skip to main content

FactoryTalk Analytics PavilionX CVE-2025-14272

| EUVDEUVD-2025-210169 HIGH
Missing Authorization (CWE-862)
2026-06-16 Rockwell GHSA-cw2v-q9hw-55mq
8.3
CVSS 4.0 · Vendor: Rockwell
Share

Severity by source

Vendor (Rockwell) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.0 HIGH

Network-reachable API with no auth (AV:N/PR:N/UI:N); AC:H reflects required endpoint discovery; high confidentiality but limited integrity/availability since admin actions are scoped to the application.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Rockwell).

CVSS VectorVendor: Rockwell

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 15:25 vuln.today

DescriptionCVE.org

A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions.

AnalysisAI

Authorization bypass in Rockwell Automation FactoryTalk Analytics PavilionX allows unauthenticated remote attackers to invoke privileged API endpoints, including user and role management functions, enabling full administrative takeover of the analytics platform. The CVSS 4.0 base score of 8.3 reflects high confidentiality impact with limited integrity and availability effects, and at the time of analysis there is no public exploit identified.

Technical ContextAI

FactoryTalk Analytics PavilionX is Rockwell Automation's cloud-hosted industrial analytics and model-predictive-control offering used to optimize continuous process manufacturing (chemicals, refining, food and beverage). The flaw is a CWE-862 Missing Authorization weakness: privileged REST API endpoints fail to verify that the caller holds the role required to invoke them, so authorization is enforced only at the UI layer or not at all. Because PavilionX exposes administrative functions (user provisioning, role assignment, configuration) over HTTP APIs accessible to authenticated tenants - and per the CVSS vector, network-reachable without authentication - direct API calls bypass the intended role-based access control model.

RemediationAI

Patch available per vendor advisory - consult Rockwell Automation Security Advisory SD1777 at https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1777.html for the exact remediated build and any required cloud tenant updates, as PavilionX is a hosted offering and the fix may be delivered server-side by Rockwell. Customers should confirm with Rockwell support that their tenant is running the patched release and audit user/role assignment logs and administrative API access for the window prior to remediation, since the bug enables silent privilege escalation. As compensating controls until confirmation, restrict outbound access to the PavilionX tenant URLs to known operator workstations via egress firewall or zero-trust proxy, enable any available MFA and IP allow-listing on the tenant (trade-off: may break remote-engineer access), and rotate any service-account credentials that could have been provisioned by an attacker abusing the user-management endpoints.

Share

CVE-2025-14272 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy