Nine high‑severity vulnerabilities in Cognex’s decades‑old In‑Sight camera platform can let an attacker steal credentials, tamper with production settings, or knock devices offline — and for the Windows administrators who maintain the engineering workstations that control these cameras, the warning is personal. One of the flaws sits squarely on the Windows host itself, turning a local low‑privilege user into a potential factory‑floor saboteur.
The U.S. Cybersecurity and Infrastructure Security Agency dropped advisory ICSA‑25‑261‑06 in September 2025, flagging eight CVE entries that span hard‑coded passwords, cleartext credential transmission, replay‑able authentication, and broken access controls on the cameras’ management interfaces. But tucked into the list is a vulnerability that should make every Windows admin sit up straight: the In‑Sight Explorer configuration tool creates a data folder with permissions so weak that any user logged into the machine can modify its contents.
The Windows Achilles’ Heel
CVE‑2025‑53947 hits close to home. When you install In‑Sight Explorer — the Windows application used to program and manage In‑Sight 2000, 7000, 8000, and 9000 series cameras — the installer sets up a data folder with overly generous access control lists. CISA’s description is blunt: “any user logged into the Windows system can modify its content.” A low‑privilege local attacker on that engineering workstation can corrupt configuration files, swap out inspection jobs, or plant malicious data that the tool then pushes to cameras.
In a typical manufacturing environment, that workstation is the bridge between the IT network and the operational technology (OT) network. An admin who compromises a Windows machine via phishing or a stolen session suddenly has a path to the production line. The folder permissions turn a contained incident into a multi‑zone escalation.
Beyond the local Windows risk, the advisory unloads a series of network‑level vulnerabilities that are exploitable from nearby network segments — the kind of access an attacker might gain by hopping from a compromised corporate laptop to the engineering VLAN.
Credentials Flying in the Clear
At least two protocols on the cameras handle authentication in plaintext. The proprietary management protocol on TCP port 1069 transmits usernames and passwords unencrypted (CVE‑2025‑54818). The camera’s firmware‑upgrade process does the same (CVE‑2025‑47698). Any adjacent network listener can capture those credentials and use them to log into the camera, change network settings, or update firmware with a malicious build.
Even where the password is encrypted, the scheme is broken. Multiple protocols share an authentication mechanism that reuses the same encryption key across sessions (CVE‑2025‑54810). An attacker watching the wire can record the encrypted password blob and replay it to authenticate — no decryption needed.
And if that weren’t enough, a hard‑coded password baked into the publicly available software (CVE‑2025‑54754) can be extracted without any authentication at all. Once retrieved, that password can decrypt sensitive network traffic.
Management Interfaces That Trust the Client
The cameras expose a telnet service on port 23 for firmware upgrades and reboots. Two mis‑authorization bugs (CVE‑2025‑52873 and CVE‑2025‑54497) let a user with supposedly “protected” privileges invoke SetSystemConfig and SetSerialPort functions — operations the manual says should be off‑limits. Changing network settings or serial parameters remotely can break connectivity, bypass network segmentation, or open the device to further attacks.
A separate weakness (CVE‑2025‑53969) is especially troubling: the service on TCP 1069 relies on client‑side enforcement of security. A compromised or modified In‑Sight Explorer client can perform administrative operations that the device should be policing itself. If an attacker replaces the legitimate Explorer tool with a rogue client, the camera won’t refuse the orders.
For completeness, CISA also warns that the telnet service mishandles repeated failed login attempts to the point of a denial‑of‑service (CVE‑2025‑54860). An attacker can lock out administrators entirely by hammering the authentication service until it becomes unreachable.
How We Got Here
Cognex In‑Sight cameras are a staple on factory floors worldwide. The 2000/7000/8000/9000 series have been deployed for over a decade, and many plants still run firmware branches 5.x through 6.5.1 because replacing or upgrading cameras mid‑production is a logistical headache. The corresponding Windows software, In‑Sight Explorer, followed the same version track.
Cognex has since moved on to the In‑Sight Vision Suite, which powers newer camera lines like the 2800, 3800, and 8900 series. That modern platform includes secure WebHMI, role‑based permissions, and audit logging. But countless legacy cameras remain in service, and the flawed Explorer tool is still widely installed on engineering workstations that are often connected to both IT and OT networks.
The vulnerabilities were reported by Diego Giubertoni of Nozomi Networks, a firm that specializes in industrial control system security. Their research underscores a pattern: devices that were built for reliability and speed on the plant floor rarely receive the same security scrutiny as enterprise IT products, leaving them with decades‑old authentication flaws that are trivial to exploit once an attacker reaches the network segment.
What to Do Right Now (Before the Next Shift)
CISA and Cognex both recommend migrating to In‑Sight Vision Suite‑based cameras as the long‑term answer. But production lines can’t be ripped out overnight. While you plan that migration, these immediate steps can shrink your exposure significantly.
1. Inventory Everything
You can’t protect what you can’t see. Identify every In‑Sight camera on the network, noting its model and firmware version. Also scan for every Windows machine with In‑Sight Explorer installed. Build numbers matter — the advisory covers 5.x through 6.5.1, but confirm exactly which releases are in play.
2. Segment the Cameras
Move all vulnerable cameras to an isolated VLAN or a physically separate network. That VLAN should have no direct internet access and should be reachable only from a dedicated set of engineering workstations. If a camera must talk to a broader business network, do it through a gateway that proxies only the required industrial protocols, never the management ports.
3. Block Management Ports Everywhere
At your firewall boundaries, drop traffic to telnet port 23 and the proprietary TCP port 1069 unless the traffic originates from a tightly controlled, monitored bastion host. Even inside the OT segment, apply these blocks between subnets. The cameras don’t need these ports open to perform inspection; they’re only for management.
4. Harden the Windows Engineering Hosts (Today)
The local folder permission vulnerability is instant low‑hanging fruit for remediation:
- Browse to the In‑Sight Explorer data folder (often under C:\ProgramData\Cognex or a similar path; verify via the installer).
- Review the folder’s security tab and remove the “Everyone” or “Users” full‑control entries that the installer likely added. Set permissions so only the dedicated engineering accounts and SYSTEM can modify contents.
- Remove all unnecessary local users from that workstation. If an operator’s account has no reason to log into the engineering PC, delete it.
- Enable audit logging on that folder so you’ll see who touches it and when.
5. Lock Down Remote Access
If you must manage cameras remotely, do so only through a VPN with multi‑factor authentication, and route the connection through a jump host that is itself hardened and monitored. CISA warns that VPNs are only as secure as the endpoints connecting to them — so don’t let a compromised engineering laptop sit on the same VPN as your cameras.
6. Start Watching the Wire
Deploy intrusion detection signatures for cleartext credential patterns on the OT management VLAN. Look for repeated telnet authentication failures followed by a service outage — that’s the DoS bug being triggered. Packet captures of TCP 1069 traffic can reveal whether credentials have already been exposed.
The Long‑Term Fix: Migration with a Plan
Cognex’s next‑generation In‑Sight Vision Suite brings security features that directly address several of these issues: encrypted web management, role separation, and audit capabilities. The path forward is to replace legacy cameras with Vision Suite‑compatible hardware as maintenance windows allow.
That’s easier said than done. Vision System migrations require calibration, job conversion, and regression testing. Before you swap a single camera, work with your integrator and Cognex support to build a staged rollout that minimizes downtime. Test image inspection accuracy on the new firmware with offline sample parts before cutting over a live line. Keep rollback firmware files readily available.
At the same time, fold this into your broader vulnerability management program:
- Tie every camera to a record in your CMDB that includes its firmware version and end‑of‑support date.
- Set up automated alerts when CISA publishes new advisories referencing your vendors.
- Establish a shared runbook between IT and OT teams for incident response that specifically covers camera‑system compromise: how to capture forensic images, disconnect devices, and engage the vendor.
The Bigger Picture for Windows Shops
This advisory is a case study in why patching Windows isn’t enough. The weakest link in your OT security chain may be the engineering workstation that runs a legacy configuration tool with broken permissions. The CISA notice bluntly states that “migration to more modern In‑Sight Vision Suite devices” is the vendor’s recommendation, but it also acknowledges that defensive measures are required while those devices remain in place.
For Windows administrators, the lesson is clear: treat the industrial software on your managed PCs with the same scrutiny you apply to operating system patches. Folder ACLs are not a niche concern; they are a direct vector into critical infrastructure.
The vision‑system vulnerabilities collectively paint a picture of a platform that was built before modern authentication standards and then fielded for years. As manufacturing becomes more connected, that legacy becomes an active risk. The good news is that all the immediate mitigations are within reach — and they start with locking down that Windows folder today.
There are no reports yet of these specific vulnerabilities being exploited in the wild, according to CISA. But the window between a public advisory and the first in‑the‑wild attack is shrinking across industrial sectors. The time to isolate, harden, and plan is now.