
CVE-2025-7973: CWE-268: Privilege Chaining in Rockwell Automation FactoryTalk® ViewPoint

Severity: High
Tags: vulnerability, CVE-2025-7973, CWE-268
Published: Thu Aug 14 2025 (08/14/2025, 13:52:53 UTC)
Source: CVE Database V5
Vendor/Project: Rockwell Automation
Product: FactoryTalk® ViewPoint

Description

A security issue exists in FactoryTalk ViewPoint version 14.0 or below due to improper handling of MSI repair operations. During a repair, attackers can hijack the cscript.exe console window, which runs with SYSTEM privileges. This can be exploited to spawn an elevated command prompt, enabling full privilege escalation.

AI-Powered Analysis

Last updated: 08/14/2025, 14:17:51 UTC

Technical Analysis

CVE-2025-7973 is a high-severity local privilege escalation vulnerability in Rockwell Automation's FactoryTalk® ViewPoint, affecting version 14.0 and below. The flaw lies in how the product's installer handles MSI repair operations. When a repair runs, the Windows Installer service, which itself runs as SYSTEM, executes a custom action through cscript.exe, the console-based Windows Script Host. That cscript.exe process inherits the installer's SYSTEM token, and its console window is presented on the interactive desktop where a logged-on, low-privileged user can interact with it. Because nothing prevents that interaction, the user can hijack the console window and use it to spawn a command prompt that runs as SYSTEM, achieving full privilege escalation on the host.

The weakness is classified as CWE-268 (Privilege Chaining): two capabilities that are individually limited, an ordinary user's ability to trigger and sit in front of an MSI repair and the installer's execution of a script with SYSTEM privileges, combine into an unsafe outcome that neither permits on its own.

The CVSS 4.0 base score of 8.5 reflects the high impact, with low attack complexity and no user interaction required beyond the attacker's own. The attack vector is local (AV:L): the attacker needs an existing foothold on the system, such as a standard user account or an interactive session, to exploit the flaw. No exploits in the wild have been reported as of publication, but the vulnerability is a significant risk wherever FactoryTalk ViewPoint is deployed, especially in industrial control system (ICS) environments where Rockwell Automation products are prevalent. Since FactoryTalk ViewPoint is used for monitoring and controlling industrial processes, SYSTEM-level access on the host could give an attacker unauthorized control over critical infrastructure components and a pivot point toward the controllers the host connects to.

Potential Impact

For European organizations, particularly those in manufacturing, energy, utilities, and critical infrastructure sectors, this vulnerability poses a substantial risk. FactoryTalk ViewPoint is widely used in industrial automation environments, and a successful privilege escalation could allow attackers to gain SYSTEM-level access on control systems. This could lead to unauthorized manipulation of industrial processes, disruption of operations, data exfiltration, or sabotage. The elevated privileges could also facilitate lateral movement within networks, increasing the risk of broader compromise. Given the critical nature of industrial control systems in Europe’s energy grids, manufacturing plants, and transportation infrastructure, exploitation could result in operational downtime, safety hazards, financial losses, and regulatory penalties under frameworks such as NIS2. The vulnerability’s local attack vector means that insider threats or attackers who have gained initial footholds through phishing or other means could leverage this flaw to escalate privileges and deepen their access.

Mitigation Recommendations

To mitigate this vulnerability, European organizations using FactoryTalk ViewPoint should prioritize upgrading to the fixed version Rockwell Automation provides. Until that is done, the following compensating controls reduce exposure without removing the root cause.

Limit who can log on interactively to hosts running FactoryTalk ViewPoint, and treat every interactive account on them as able to trigger an MSI repair: a repair is typically started by a standard user through Programs and Features or by Windows Installer self-healing, so it cannot be reserved for administrators by file permissions alone. Tune application control and endpoint detection and response (EDR) to the exploitation pattern rather than to cscript.exe itself, because the installer launches cscript.exe legitimately as SYSTEM; the signal to block or alert on is a child process such as cmd.exe or powershell.exe spawned by a SYSTEM-level cscript.exe, particularly an interactive shell with no script or command argument. Enforce network segmentation so that a compromised ViewPoint host cannot reach other IT or OT assets directly, limiting lateral movement. Regularly audit Windows Installer events (source MsiInstaller in the Application log) for unexpected repair activity and correlate them with process-creation telemetry showing elevated shells launched during a repair. Apply the principle of least privilege to local accounts so that the pool of users who could exploit the flaw is as small as possible. Finally, give personnel with access to these systems targeted security awareness training so they recognize and report unexpected installer windows, prompts, or command windows appearing on the HMI host.
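The two checks a practitioner would want from the analysis and mitigation sections above, the "14.0 or below" version test and a detection rule for a shell spawned by a SYSTEM-level cscript.exe, as an added example that is not Rockwell Automation's code or part of this advisory. It assumes process-creation telemetry in the shape of Sysmon Event ID 1 (fields Image, ParentImage, User, CommandLine); every record in SAMPLE_EVENTS is constructed for the demo, including the host name, the operator account and the installer script path.

```python
"""Triage helpers for CVE-2025-7973 (FactoryTalk ViewPoint 14.0 and below).

Added example, not vendor code. is_affected() applies the advisory's version
range; classify()/triage() look for the exploitation signature, a shell started
by a script host that is running as SYSTEM. The event records are constructed
to mimic Sysmon Event ID 1 field names; the values are invented.
"""
import ntpath
import re
from typing import Optional

AFFECTED_MAX = (14, 0)                      # inclusive upper bound per the advisory
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# One-shot shell forms ("cmd /c ...", "powershell -Command ...") may be the
# installer's own script at work; a bare interactive shell is what a console
# hijack yields, so its absence of such a switch is the stronger signal.
_NON_INTERACTIVE = re.compile(
    r"(?:^|\s)(?:/c|-c(?:ommand)?|-e(?:ncodedcommand)?|-f(?:ile)?)\b", re.I)


def parse_version(version: str) -> tuple:
    """'14.00.00' -> (14, 0, 0); tolerates suffixes such as '13.00 (CPR 9 SR 12)'."""
    return tuple(int(n) for n in re.findall(r"\d+", version)) or (0,)


def is_affected(version: str) -> bool:
    """True for 14.0 and below. Only major.minor is compared, so any 14.0.x
    build counts as affected; that is the conservative reading of the text."""
    major_minor = (parse_version(version) + (0, 0))[:2]
    return major_minor <= AFFECTED_MAX


def _base(path) -> str:
    return ntpath.basename(path or "").lower()


def _is_system(user) -> bool:
    # Sysmon reports DOMAIN\name; the domain part of SYSTEM is localized
    # ("NT AUTHORITY", "NT-AUTORITÄT", ...), so compare the account name only.
    return (user or "").rsplit("\\", 1)[-1].upper() == "SYSTEM"


def classify(event: dict) -> Optional[dict]:
    """Return a finding for an elevated shell spawned by a script host, else None."""
    if _base(event.get("ParentImage")) not in SCRIPT_HOSTS:
        return None
    if _base(event.get("Image")) not in SHELLS:
        return None
    if not _is_system(event.get("User")):
        return None                          # same user as the script host: no escalation
    interactive = _NON_INTERACTIVE.search(event.get("CommandLine", "")) is None
    return {
        "time": event.get("UtcTime"),
        "host": event.get("Computer"),
        "parent": _base(event.get("ParentImage")),
        "image": _base(event.get("Image")),
        "interactive": interactive,
        "severity": "high" if interactive else "review",
    }


def triage(events: list) -> list:
    """All findings, interactive SYSTEM shells first, then by time."""
    findings = [f for f in (classify(e) for e in events) if f]
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["time"] or ""))


# Constructed Sysmon-style records (invented values; nothing here is captured data).
SAMPLE_EVENTS = [
    {   # Windows Installer running the repair custom action: expected, not flagged
        "UtcTime": "2025-08-14 13:10:02.117", "Computer": "HMI-SRV01",
        "Image": r"C:\Windows\System32\cscript.exe",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "User": r"NT AUTHORITY\SYSTEM",
        "CommandLine": r'"C:\Windows\System32\cscript.exe" //nologo C:\Windows\Installer\MSI1234.tmp'},
    {   # the hijack outcome: interactive cmd.exe as SYSTEM under cscript.exe
        "UtcTime": "2025-08-14 13:10:41.580", "Computer": "HMI-SRV01",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\cscript.exe",
        "User": r"NT AUTHORITY\SYSTEM",
        "CommandLine": r'"C:\Windows\System32\cmd.exe"'},
    {   # an operator's own script launching cmd: no privilege change, not flagged
        "UtcTime": "2025-08-14 13:12:05.004", "Computer": "HMI-SRV01",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\cscript.exe",
        "User": r"PLANT\operator",
        "CommandLine": r"cmd.exe /c dir C:\Logs"},
    {   # SYSTEM one-shot shell under cscript.exe: plausible installer work, review it
        "UtcTime": "2025-08-14 13:09:58.900", "Computer": "HMI-SRV01",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\cscript.exe",
        "User": r"NT AUTHORITY\SYSTEM",
        "CommandLine": r"cmd.exe /c net start W3SVC"},
]

if __name__ == "__main__":
    for v in ("14.00.00", "13.00 (CPR 9 SR 12)", "15.00.00"):
        print(f"{v:>22}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['host']} "
              f"{f['parent']} -> {f['image']} interactive={f['interactive']}")
```

Wiring this to live data means feeding classify() the parsed fields of each Sysmon Event ID 1 record (or the equivalent 4688 fields, where Creator Process Name stands in for ParentImage) and raising the "high" findings to the SOC; the "review" tier exists because a script run by the installer may legitimately call cmd /c, and suppressing it outright would hide a hijack that happens to pass a command.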


Technical Details

Data Version: 5.1
Assigner Short Name: Rockwell
Date Reserved: 2025-07-21T19:41:05.096Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689dec89ad5a09ad005b687e

Added to database: 8/14/2025, 2:02:49 PM

Last enriched: 8/14/2025, 2:17:51 PM

Last updated: 8/14/2025, 5:09:23 PM

