CVE-2025-9036: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Rockwell Automation FactoryTalk® Action Manager
A security issue in the runtime event system allows unauthenticated connections to receive a reusable API token. The token is broadcast over a WebSocket and can be intercepted by any local client listening on the connection.
AI Analysis
Technical Summary
CVE-2025-9036 is a high-severity vulnerability in Rockwell Automation's FactoryTalk® Action Manager, version 1.0.0 or below. The flaw lies in the runtime event system: unauthenticated clients can connect and receive a reusable API token. The token is transmitted over a WebSocket connection without adequate protection, so any local client listening on that connection can intercept it. The weakness is classified as CWE-200, exposure of sensitive information to an unauthorized actor. Because the token is both reusable and broadcast, an attacker with local access can capture it and potentially use it to gain unauthorized access to FactoryTalk® Action Manager or its APIs. The CVSS 4.0 score of 8.5 reflects high severity; the vector indicates a local attack vector (AV:L), low attack complexity (AC:L), no attack requirements (AT:N), no privileges required (PR:N), and passive user interaction (UI:P). The impact on confidentiality, integrity, and availability is rated high, since a compromised token could permit unauthorized actions within the industrial control environment managed by FactoryTalk® Action Manager. No patches are currently listed, and no exploitation in the wild has been reported as of the publication date (August 14, 2025). The vulnerability is significant in industrial control system (ICS) environments where FactoryTalk® Action Manager is deployed, as it could allow attackers to manipulate or disrupt manufacturing processes or gain further footholds in operational technology (OT) networks.
Potential Impact
For European organizations, especially those in manufacturing, energy, and critical infrastructure sectors relying on Rockwell Automation's FactoryTalk® Action Manager, this vulnerability poses a significant risk. Exposure of reusable API tokens can lead to unauthorized access to control systems, potentially resulting in operational disruptions, safety hazards, and data breaches. Given the increasing integration of IT and OT networks in European industrial environments, an attacker exploiting this vulnerability could pivot from local network access to broader network compromise. The confidentiality breach may expose sensitive operational data, while integrity and availability impacts could disrupt production lines or critical services. The requirement for local network access and user interaction somewhat limits remote exploitation but does not eliminate risk, especially in environments with insufficient network segmentation or insider threats. The lack of available patches increases the urgency for mitigation. The vulnerability could also affect compliance with European regulations such as NIS2 and GDPR if sensitive data exposure occurs or operational disruptions impact service continuity.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Immediately restrict network access to FactoryTalk® Action Manager systems by enforcing strict network segmentation and isolating OT networks from general IT and internet-facing networks.
2) Monitor WebSocket traffic locally and on internal networks for unusual token broadcasts or unauthorized connections.
3) Employ endpoint security solutions to detect and prevent unauthorized local clients from listening on network connections.
4) Enforce multi-factor authentication and strong access controls on FactoryTalk® Action Manager interfaces to reduce the impact of token compromise.
5) Conduct internal audits to identify all instances of FactoryTalk® Action Manager version 1.0.0 or below and plan for rapid upgrade once patches become available.
6) Educate users about the risks of interacting with untrusted local applications that could capture tokens.
7) Implement network intrusion detection systems (NIDS) tuned to detect anomalies in WebSocket communications.
8) Collaborate with Rockwell Automation support channels to obtain updates on patch releases and apply them promptly.
These measures go beyond generic advice by focusing on network architecture, monitoring, and user awareness tailored to the specific token exposure mechanism.
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Sweden, Poland, Spain, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: Rockwell
- Date Reserved: 2025-08-14T13:16:06.366Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689de906ad5a09ad005b49cc
Added to database: 8/14/2025, 1:47:50 PM
Last enriched: 8/14/2025, 2:03:08 PM
Last updated: 8/14/2025, 4:30:18 PM
Related Threats
- CVE-2025-8974: Hard-coded Credentials in linlinjava litemall (Medium)
- CVE-2025-8973: SQL Injection in SourceCodester Cashier Queuing System (Medium)
- CVE-2025-21110: CWE-250: Execution with Unnecessary Privileges in Dell Data Lakehouse (Medium)
- CVE-2025-8972: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
- CVE-2025-51986: n/a (High)