PatchSiren cyber security CVE debrief
CVE-2018-1285 Rockwell Automation CVE debrief
CVE-2018-1285 is a critical XXE issue mapped by CISA to Rockwell Automation FactoryTalk Historian ThingWorx product 95057C-FTHTWXCT11. The advisory states that Apache log4net versions before 2.0.10 do not disable XML external entities when parsing configuration files, which can expose applications that accept attacker-controlled log4net configuration files to high-impact data exposure and manipulation risks.
- Vendor: Rockwell Automation
- Product: 95057C-FTHTWXCT11
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-05-22
- Original CVE updated: 2025-05-22
- Advisory published: 2025-05-22
- Advisory updated: 2025-05-22
Who should care
Industrial control system operators, Rockwell Automation customers using 95057C-FTHTWXCT11, OT/ICS defenders, and teams that import or process log4net configuration files from untrusted sources.
Technical summary
The CSAF advisory identifies Rockwell Automation 95057C-FTHTWXCT11 as affected at versions <=v4.02.00 and points to a vendor update with versions v5.00.00 and later. The underlying weakness is XML external entity handling in Apache log4net versions before 2.0.10: if an application accepts attacker-controlled configuration files, XXE can be used to access sensitive data and potentially affect integrity or availability. The CVSS v3.1 vector supplied with the advisory is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, matching the reported critical severity.
Defensive priority
High / urgent for any environment that runs the affected product version or accepts untrusted log4net configuration files. Prioritize upgrade planning and exposure review because the advisory rates the issue critical and the documented impact is broad.
Recommended defensive actions
- Upgrade Rockwell Automation 95057C-FTHTWXCT11 to v5.00.00 or later, as identified in the advisory.
- Review any workflows that ingest, import, or transform log4net configuration files and block attacker-controlled or untrusted inputs.
- Apply Rockwell Automation's published security best practices for industrial automation control systems to reduce exposure.
- Validate whether the affected product is present in engineering stations, HMIs, historian systems, or adjacent OT management hosts.
- Use the linked Rockwell Automation security advisory SD1728 and CISA ICS recommended practices for implementation guidance.
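One way to gate the configuration-ingestion workflows mentioned above, as an added example that is not part of the advisory or of any Rockwell Automation or log4net code: it inspects only the XML prolog of a candidate log4net configuration file and refuses any file that carries a DOCTYPE, listing external entity targets for triage. The names `check_log4net_config` and `ConfigCheck`, the reject-any-DTD policy, and the use of Python's expat bindings are assumptions of this example.

```python
# Added example: pre-ingestion check for log4net XML configuration files.
from dataclasses import dataclass, field
from xml.parsers import expat

class _Stop(Exception):
    """Ends parsing at the root element, so the body is never processed."""

@dataclass
class ConfigCheck:
    root: str = ""
    has_doctype: bool = False
    external_entities: list = field(default_factory=list)  # (name, system_id)
    error: str = ""

    @property
    def accept(self) -> bool:
        # Assumed policy: a log4net config never needs a DTD, so any DOCTYPE is refused.
        return bool(self.root) and not self.has_doctype and not self.error

def check_log4net_config(data: bytes) -> ConfigCheck:
    result = ConfigCheck()
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        result.has_doctype = True
        if system_id:  # external DTD subset
            result.external_entities.append(("(external subset)", system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id:  # SYSTEM/PUBLIC entity: an unsafe parser would resolve it
            result.external_entities.append((name, system_id))

    def on_start(name, attrs):
        result.root = name
        raise _Stop  # stop before any entity reference can be expanded

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Stop:
        pass
    except expat.ExpatError as exc:
        result.error = str(exc)
    return result

# Constructed sample inputs (example.invalid is a reserved, non-resolving name).
CLEAN = b'<log4net><root><level value="INFO"/></root></log4net>'
WITH_DTD = (b'<!DOCTYPE log4net [<!ENTITY ext SYSTEM "http://example.invalid/e">]>'
            b'<log4net><root><level value="INFO"/></root></log4net>')
```

A check like this sits in front of an import or upload step and complements the upgrade to a fixed version; it does not replace it.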
Evidence notes
The source CSAF item ICSA-25-142-02 states the affected product is Rockwell Automation 95057C-FTHTWXCT11 <=v4.02.00 and that Rockwell Automation released an update with v5.00.00 and later. The advisory description explicitly says Apache log4net versions before 2.0.10 do not disable XML external entities when parsing configuration files. The supplied enrichment marks this as not a KEV item and does not indicate known ransomware campaign use.
Official resources
- CVE-2018-1285 CVE record (CVE.org)
- CVE-2018-1285 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published advisory ICSA-25-142-02 on 2025-05-22, and the supplied source item is the initial publication in the provided timeline. This debrief uses that publication context and does not treat that date as the origin of the vulnerability itself.