Skip to main content
CVE Vulnerability Database

CVE-2025-9364: FactoryTalk Analytics LogixAI Disclosure Flaw

CVE-2025-9364 is an information disclosure vulnerability in Rockwell Automation FactoryTalk Analytics LogixAI caused by an over-permissive Redis instance, allowing intranet attackers to access and alter data.

Published:

CVE-2025-9364 Overview

CVE-2025-9364 affects Rockwell Automation FactoryTalk Analytics LogixAI versions 3.00.00 and 3.01.00. The vulnerability stems from an over-permissive Redis instance bundled with the product. An attacker on an adjacent network can connect to the exposed Redis database without authentication. This access allows the attacker to read sensitive operational data and modify records stored in the database. The flaw is tracked under CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere. Rockwell Automation published advisory SD1748 covering the issue.

Critical Impact

An unauthenticated attacker on the adjacent network can read and alter sensitive data stored in the Redis instance used by FactoryTalk Analytics LogixAI.

Affected Products

  • Rockwell Automation FactoryTalk Analytics LogixAI 3.00.00
  • Rockwell Automation FactoryTalk Analytics LogixAI 3.01.00
  • Industrial OT environments running FactoryTalk Analytics LogixAI on intranet-accessible hosts

Discovery Timeline

  • 2025-09-09 - CVE-2025-9364 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9364

Vulnerability Analysis

FactoryTalk Analytics LogixAI ships with an embedded Redis instance used for internal data caching and inter-process communication. The Redis instance is deployed with permissive defaults that do not enforce authentication or restrict network binding. Any host on the same adjacent network segment can issue Redis commands directly to the database service.

Redis exposes a text-based command interface that supports reading, writing, and deleting arbitrary keys. Without authentication, an attacker can enumerate cached analytical results, modeling data, and operational telemetry processed by LogixAI. The attacker can also overwrite stored values, which may affect downstream analytic decisions and machine-learning model behavior.

The vulnerability is classified under CWE-497, exposure of sensitive system information. Industrial control system networks frequently treat intranet segments as trusted, which amplifies the impact of unauthenticated services bound to internal interfaces.

Root Cause

The root cause is an insecure default configuration of the bundled Redis instance. Redis does not require authentication by default and binds to network interfaces reachable from other intranet hosts. The product fails to apply requirepass, bind 127.0.0.1, or protected-mode yes hardening before deployment.

Attack Vector

Exploitation requires adjacent network access to a host running an affected version of FactoryTalk Analytics LogixAI. An attacker connects to the Redis TCP port directly using any Redis client or a raw TCP session. Once connected, the attacker issues commands such as KEYS *, GET, SET, and DEL to read or alter data without supplying credentials. No user interaction is required, and no privileges on the target host are needed.

The vulnerability mechanism is described in vendor advisory SD1748. No public proof-of-concept code has been released, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-9364

Indicators of Compromise

  • Unexpected inbound TCP connections to the Redis port (default 6379) on FactoryTalk Analytics LogixAI hosts originating from non-application sources.
  • Redis command patterns such as KEYS *, CONFIG GET, or bulk SET/DEL operations recorded in Redis logs.
  • Unexplained changes to cached analytic results or model parameters within the LogixAI application.

Detection Strategies

  • Inspect network flow telemetry for connections to TCP port 6379 on FactoryTalk Analytics LogixAI servers from workstations or hosts that are not part of the documented application architecture.
  • Enable Redis logging at the notice level and forward logs to a centralized analytics platform to detect command sequences indicative of enumeration or tampering.
  • Correlate Redis activity with authentication events from adjacent identity systems to identify lateral movement preceding database access.

Monitoring Recommendations

  • Continuously monitor OT and IT boundary traffic for unauthenticated database protocols crossing segmentation zones.
  • Track FactoryTalk Analytics LogixAI host process and socket activity to detect unauthorized Redis client binaries.
  • Alert on configuration drift in redis.conf files on affected hosts, including changes to bind, requirepass, and protected-mode directives.

How to Mitigate CVE-2025-9364

Immediate Actions Required

  • Apply the Rockwell Automation update referenced in advisory SD1748 as soon as it is available for your deployment.
  • Restrict network access to TCP port 6379 on FactoryTalk Analytics LogixAI hosts using host-based and network firewalls.
  • Place affected systems inside a segmented OT zone that blocks lateral traffic from general-purpose workstations.

Patch Information

Rockwell Automation has published security advisory SD1748 describing the vulnerability and remediation guidance. Customers should consult the advisory for the current patched version of FactoryTalk Analytics LogixAI and apply it to all instances running 3.00.00 or 3.01.00. Authentication to the Rockwell Automation customer portal may be required to retrieve full remediation details.

Workarounds

  • Bind the Redis service to the loopback interface by setting bind 127.0.0.1 in redis.conf where the product configuration permits.
  • Enable Redis authentication using a strong requirepass value and rotate the credential through your secrets management process.
  • Enforce protected-mode yes so Redis refuses external connections when no authentication is configured.
  • Apply firewall rules that allow Redis connections only from the LogixAI application process host.
bash
# Configuration example - harden Redis instance used by LogixAI
bind 127.0.0.1
protected-mode yes
requirepass <strong-randomly-generated-secret>
# Restrict firewall access to Redis port
iptables -A INPUT -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.