CVE-2025-9067: CWE-269: Improper Privilege Management in Rockwell Automation FactoryTalk Linx
A security issue exists within the x86 Microsoft Installer File (MSI), installed with FTLinx. Authenticated attackers with valid Windows user credentials can initiate a repair and hijack the resulting console window. This allows the launching of a command prompt running with SYSTEM-level privileges, allowing full access to all files, processes, and system resources.
AI Analysis
Technical Summary
CVE-2025-9067 is a vulnerability classified under CWE-269 (Improper Privilege Management) affecting Rockwell Automation's FactoryTalk Linx software, specifically versions 6.40 and earlier. The flaw resides in the x86 Microsoft Installer (MSI) file used by FTLinx. Authenticated attackers with valid Windows credentials can initiate a repair operation on the MSI installation. During this repair process, the attacker can hijack the console window that appears, enabling them to spawn a command prompt with SYSTEM-level privileges. This escalation bypasses normal privilege boundaries, granting the attacker unrestricted access to the system, including all files, processes, and system resources. The vulnerability requires local access and valid user credentials but does not require additional user interaction or elevated privileges initially. The CVSS 4.0 base score is 8.5, reflecting high severity due to the ease of exploitation after authentication and the critical impact on confidentiality, integrity, and availability. No patches have been linked yet, and no known exploits have been reported in the wild, but the vulnerability represents a significant risk in industrial control systems environments where FactoryTalk Linx is deployed.
Potential Impact
For European organizations, especially those in manufacturing, energy, and critical infrastructure sectors that utilize Rockwell Automation's FactoryTalk Linx, this vulnerability could lead to full system compromise. Attackers gaining SYSTEM-level access can manipulate industrial control processes, disrupt operations, steal sensitive operational data, or cause physical damage by altering control commands. The impact extends to operational technology (OT) environments where FactoryTalk Linx acts as a communication interface between control devices and supervisory systems. Given the critical nature of industrial automation in European economies, exploitation could result in significant operational downtime, safety hazards, regulatory non-compliance, and financial losses. The requirement for valid Windows credentials limits remote exploitation but insider threats or compromised user accounts could be leveraged. The absence of known exploits currently provides a window for proactive mitigation before active attacks emerge.
Mitigation Recommendations
European organizations should immediately audit and restrict access to systems running FactoryTalk Linx, ensuring only trusted users have Windows credentials capable of initiating MSI repairs. Implement strict user account management and monitor for unusual repair operations or console window hijacking attempts. Employ application whitelisting and endpoint detection to identify suspicious command prompt launches with SYSTEM privileges. Since no official patches are currently available, consider isolating FactoryTalk Linx systems from general IT networks and enforcing network segmentation to limit lateral movement. Regularly review and harden Windows Installer permissions and consider disabling MSI repair functionality if feasible. Engage with Rockwell Automation for updates and apply patches promptly once released. Additionally, conduct user training to recognize and report suspicious activities related to privilege escalation attempts.
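The monitoring advice above (flag command prompts launched with SYSTEM privileges out of an MSI repair) can be turned into a concrete hunt over process-creation telemetry. The following is an added example, not code from the advisory or from Rockwell: it takes records shaped like Sysmon Event ID 1 fields and reports any interactive shell running as SYSTEM whose parent chain leads back to msiexec.exe; the sample events, GUIDs, PIDs and the MSIxxxx.tmp custom-action name are constructed for illustration.

```python
from typing import Dict, List, Optional

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Constructed records in the shape of Sysmon Event ID 1 fields. GUIDs, PIDs
# and the MSI9F2C.tmp custom-action path are invented for this example.
SAMPLE_EVENTS: List[dict] = [
    {"ProcessGuid": "B", "ParentProcessGuid": None, "ProcessId": 3120,
     "Image": r"C:\Windows\System32\msiexec.exe", "User": SYSTEM_USER,
     "CommandLine": r"C:\Windows\system32\msiexec.exe /V"},
    {"ProcessGuid": "C", "ParentProcessGuid": "B", "ProcessId": 4410,
     "Image": r"C:\Windows\Installer\MSI9F2C.tmp", "User": SYSTEM_USER,
     "CommandLine": r"C:\Windows\Installer\MSI9F2C.tmp"},
    {"ProcessGuid": "D", "ParentProcessGuid": "C", "ProcessId": 5002,
     "Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM_USER,
     "CommandLine": "cmd.exe"},                      # SYSTEM shell under msiexec
    {"ProcessGuid": "E", "ParentProcessGuid": None, "ProcessId": 6230,
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice",
     "CommandLine": "cmd.exe"},                      # ordinary user shell
]

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def find_msiexec_ancestor(event: dict, by_guid: Dict[str, dict],
                          max_depth: int = 16) -> Optional[dict]:
    """Walk ParentProcessGuid links upward; return the nearest msiexec.exe."""
    cur = by_guid.get(event.get("ParentProcessGuid"))
    depth = 0
    while cur is not None and depth < max_depth:   # bounded walk, cycle-safe
        if _basename(cur["Image"]) == "msiexec.exe":
            return cur
        cur = by_guid.get(cur.get("ParentProcessGuid"))
        depth += 1
    return None

def detect_system_shells_from_msiexec(events: List[dict]) -> List[dict]:
    """One finding per shell running as SYSTEM with msiexec.exe in its ancestry."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        if _basename(e["Image"]) not in SHELLS or e["User"].upper() != SYSTEM_USER:
            continue
        msi = find_msiexec_ancestor(e, by_guid)
        if msi is not None:
            findings.append({"pid": e["ProcessId"], "image": e["Image"],
                             "msiexec_pid": msi["ProcessId"],
                             "msiexec_cmdline": msi["CommandLine"]})
    return findings
```

In a real deployment the records would come from the Sysmon or EDR process-creation feed; the ancestry walk is what keeps the rule robust to whatever intermediate process the repair spawns before the shell.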
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Sweden, Poland, Spain, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: Rockwell
- Date Reserved: 2025-08-15T14:19:50.492Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ee4920509368ccaa72488f
Added to database: 10/14/2025, 12:59:12 PM
Last enriched: 10/14/2025, 1:00:44 PM
Last updated: 10/15/2025, 11:21:07 PM