PatchSiren

CVE-2025-0631 Rockwell Automation CVE debrief

Rockwell Automation PowerFlex 755 is affected by a credential-exposure issue in which HTTP is used and credentials can be sent in clear text. In an OT environment, that creates a straightforward confidentiality risk for anyone able to observe traffic on the network path.

Vendor: Rockwell Automation
Product: PowerFlex 755
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-02-25
Original CVE updated: 2025-02-25
Advisory published: 2025-02-25
Advisory updated: 2025-02-25

Who should care

OT/ICS administrators, Rockwell Automation customers, plant network operators, and security teams responsible for industrial automation assets should prioritize this advisory, especially where PowerFlex 755 units are reachable on shared or monitored networks.

Technical summary

CISA’s advisory for CVE-2025-0631 says the affected PowerFlex 755 version (<=16.002.279) is vulnerable because it uses HTTP, causing credentials to be transmitted in clear text. The practical risk is passive network capture of sensitive authentication data by an attacker with visibility into the traffic path.

Defensive priority

High

Recommended defensive actions

  • Upgrade Rockwell Automation PowerFlex 755 to the vendor-provided fixed release v20.3.407.
  • Reduce exposure of the affected device to untrusted or broadly shared networks, since the issue involves clear-text credential transit.
  • Follow Rockwell Automation and CISA industrial control system security best practices to minimize interception risk.
  • Review any authentication or management traffic associated with PowerFlex 755 for assumptions that may have depended on transport confidentiality.
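
To support the upgrade action above, the following added example (not code from CISA, Rockwell Automation or this page's source) triages a firmware inventory against the two version bounds stated on this page. The CSV layout and asset names are assumptions, and versions that fall between the bounds are marked REVIEW because the page does not state their status.

```python
import csv
import io

# Version bounds taken from the advisory text on this page.
AFFECTED_MAX = "16.002.279"   # affected: <= this version
FIXED_MIN = "v20.3.407"       # vendor-provided fixed release


def parse_version(text):
    """Turn '16.002.279' or 'v20.3.407' into a comparable tuple of ints."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)  # int() drops leading zeros: 002 -> 2


def classify(firmware):
    """Return AFFECTED, FIXED, REVIEW (between the bounds) or UNPARSEABLE."""
    try:
        v = parse_version(firmware)
    except ValueError:
        return "UNPARSEABLE"
    if v <= parse_version(AFFECTED_MAX):
        return "AFFECTED"
    if v >= parse_version(FIXED_MIN):
        return "FIXED"
    # The page states neither "affected" nor "fixed" for this range.
    return "REVIEW"


def triage(inventory_csv):
    """Map each PowerFlex 755 asset in a CSV inventory to its status."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != "powerflex 755":
            continue  # other products are out of scope for this advisory
        results[row["asset"]] = classify(row["firmware"])
    return results


# Constructed sample inventory (asset names and column layout are assumptions).
SAMPLE = """asset,product,firmware
drive-line1,PowerFlex 755,16.002.279
drive-line2,PowerFlex 755,v20.3.407
drive-line3,PowerFlex 755,17.001.010
drive-line4,PowerFlex 755,unknown
plc-cell7,ControlLogix 5580,33.011
"""

if __name__ == "__main__":
    for asset, status in triage(SAMPLE).items():
        print(f"{asset}: {status}")
```

Assets reported as REVIEW or UNPARSEABLE need a manual check against the vendor advisory before they are treated as safe.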

Evidence notes

This debrief is based on the supplied CISA CSAF advisory source for ICSA-25-056-01 / CVE-2025-0631, which identifies Rockwell Automation as the vendor, PowerFlex 755 as the product, affected versions as <=16.002.279, and the issue as credential exposure caused by HTTP clear-text transmission. The same source lists Rockwell Automation’s fixed version v20.3.407 and points to CISA ICS guidance for mitigation context. Published and modified timestamps in the supplied corpus are both 2025-02-25T07:00:00.000Z.

Official resources

CISA’s ICSA-25-056-01 was initially published on 2025-02-25T07:00:00Z, and the supplied revision history shows an initial publication with no later changes in the corpus. The CVE was published and modified on the same date in the supplied,