CVE-2025-14272
Awaiting Analysis Awaiting Analysis - Queue

Improper Authorization in Pavilion Allows Privileged Actions

Vulnerability report for CVE-2025-14272, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Rockwell Automation

Description

A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-16
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rockwell_automation factorytalk_analytics_pavilionx to 7.01 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-14272 is a high-severity security vulnerability in Rockwell Automation's FactoryTalk Analytics PavilionX platform. It arises from improper authorization enforcement in the API endpoints, which means that unauthorized users can bypass security controls.

This flaw allows unauthorized actors to perform privileged operations, including managing users and roles as well as other administrative actions that should normally be restricted.

Impact Analysis

The vulnerability can lead to unauthorized access to administrative functions within the PavilionX platform. This could allow attackers to change user roles, add or remove users, and perform other privileged operations without permission.

Such unauthorized actions could compromise the security and integrity of the industrial analytics environment, potentially disrupting operations or exposing sensitive data.

Detection Guidance

There are no specific detection commands or methods provided in the available information for identifying this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Rockwell Automation's FactoryTalk Analytics PavilionX from version 7.00 to the corrected version 7.01.

This update addresses the improper authorization enforcement in API endpoints that allows unauthorized privileged operations.

Additionally, monitor for any unusual administrative activity and restrict access to the affected API endpoints until the update is applied.

Compliance Impact

The vulnerability involves improper authorization enforcement in API endpoints, allowing unauthorized actors to perform privileged operations such as user and role management. This type of security issue can potentially lead to unauthorized access to sensitive data or administrative functions.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, unauthorized privileged access could result in violations of these regulations due to potential exposure or manipulation of personal or sensitive data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14272. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart