Multiple Vulnerabilities in Studio 5000 Simulation Interface Allow Local Code Execution and SSRF
Two high-severity vulnerabilities have been identified in the Studio 5000® Simulation Interface by Rockwell Automation. The first, tracked as CVE-2025-11697, is a local code execution flaw that allows any Windows user on the affected system to exploit the API using path traversal sequences. This can result in the extraction of files and execution of scripts with Administrator privileges upon system reboot. The second vulnerability, CVE-2025-11696, is a local server-side request forgery (SSRF) issue that enables any Windows user to trigger outbound SMB requests, potentially exposing NTLM hashes to an attacker.
Both vulnerabilities were discovered internally by Rockwell Automation during routine security testing and have been disclosed as part of the company’s commitment to transparency. There is currently no evidence of exploitation in the wild, and Rockwell Automation has issued a security advisory (SD1760) confirming that fixes are available. No specific product versions have been listed as affected, but users of Studio 5000® Simulation Interface are advised to review the advisory and apply the recommended updates to mitigate risk.
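An added example, not code from Rockwell Automation or its advisory: one way a local API or import routine can validate caller-supplied file names against the two bug classes described above, traversal out of an extraction directory and paths that make the host open an SMB connection. The base directory, function names and sample names are hypothetical or constructed, and it is an assumption that a path argument is the vector, since the summary does not say how the affected API handles paths.

```python
import ntpath
from pathlib import PureWindowsPath

# Hypothetical extraction/import root; not a path taken from the advisory.
BASE_DIR = r"C:\ProgramData\ExampleSim\imports"

def resolve_inside(name, base=BASE_DIR):
    """Return the absolute target for a caller-supplied name, or raise
    ValueError if it names a network location or leaves `base`."""
    if not name or "\x00" in name:
        raise ValueError("empty name or NUL byte")
    # \\host\share and //host/share (also \\?\ and \\.\): opening such a
    # path makes Windows contact the host over SMB and attempt NTLM auth.
    if name.replace("/", "\\").startswith("\\\\"):
        raise ValueError("UNC or device path")
    p = PureWindowsPath(name)
    # C:\x, C:x and \x all discard the base when joined to it.
    if p.drive or p.root:
        raise ValueError("absolute or drive-qualified path")
    # Collapse '.' and '..' lexically, then require containment in base.
    root = ntpath.normpath(base)
    target = ntpath.normpath(ntpath.join(root, name))
    if ntpath.commonpath([root, target]) != root:
        raise ValueError("escapes base directory")
    return target

def audit(names, base=BASE_DIR):
    """Map each rejected name to its reason; accepted names are omitted."""
    rejected = {}
    for name in names:
        try:
            resolve_inside(name, base)
        except ValueError as exc:
            rejected[name] = str(exc)
    return rejected

# Constructed sample names (archive members or API path arguments).
SAMPLE_NAMES = [
    "recipes/line1.xml",              # stays inside the base
    r"..\..\Startup\run.bat",         # climbs out of the base
    r"..\imports2\x.xml",             # sibling that shares the base's prefix
    r"\\198.51.100.7\share\cfg.xml",  # UNC path to a remote host
    "//fileserver/share/cfg.xml",     # same, written with forward slashes
    r"C:tools\x.ps1",                 # drive-relative
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_NAMES).items():
        print(f"REJECT {name!r}: {reason}")
```

The check is lexical, so on a live system the resolved target should also be compared against the base after following junctions and symbolic links, and the service should write with the caller's privileges rather than its own.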
Related Stories
Multiple High-Severity Vulnerabilities in Rockwell Automation FactoryTalk Products
Rockwell Automation has disclosed several high-severity vulnerabilities affecting its FactoryTalk product line, including FactoryTalk View Machine Edition, PanelView Plus 7, and FactoryTalk ViewPoint. One of the vulnerabilities, tracked as CVE-2025-9064, is a path traversal issue in FactoryTalk View Machine Edition that allows unauthenticated attackers on the same network to delete arbitrary files from the device’s operating system, provided they know the filenames. This vulnerability is remotely exploitable and could lead to significant disruption or loss of critical files on affected devices. The company’s advisory SD1753 confirms that both FactoryTalk View Machine Edition and PanelView Plus 7 are impacted by this flaw, and that mitigations and workarounds are available. Another critical vulnerability, CVE-2025-9066, affects FactoryTalk ViewPoint and enables unauthenticated attackers to exploit XML External Entity (XXE) processing via certain SOAP requests. Successful exploitation of this flaw can result in a temporary denial-of-service condition, potentially disrupting industrial operations. Rockwell Automation’s advisory SD1752 details the XXE vulnerability, noting that it was discovered internally during routine security testing and that no known exploitation in the wild has been reported. Both vulnerabilities have been assigned a CVSS 4.0 base score of 8.7, indicating a high level of risk to industrial environments where these products are deployed. The advisories state that patches and workarounds are available, and customers are urged to apply them promptly to mitigate risk. The company emphasizes that the vulnerabilities are not currently known to be exploited in the wild, but the potential impact on industrial control systems is significant due to the products’ widespread use. 
The advisories also highlight Rockwell Automation’s commitment to transparency and proactive security practices, as these issues were identified through internal testing rather than external reports. Customers are encouraged to review the official advisories and implement recommended mitigations, including network segmentation and limiting access to trusted users. The affected products are commonly used in industrial automation environments, making timely remediation critical to prevent potential operational disruptions. The advisories provide detailed technical information and guidance for system administrators to assess and address the vulnerabilities. Rockwell Automation has made available downloadable advisories in Vulnerability Exploitability Exchange format for integration with vulnerability management tools. The company’s response includes both immediate patches and suggested workarounds for environments where patching may not be immediately feasible. Organizations using FactoryTalk View Machine Edition, PanelView Plus 7, or FactoryTalk ViewPoint should prioritize reviewing their exposure and applying the recommended security measures.
5 months ago
Path Traversal Vulnerability in Rockwell Automation AADvance-Trusted SIS Workstation
A critical path traversal vulnerability (CVE-2024-48510) has been identified in Rockwell Automation's AADvance-Trusted SIS Workstation, specifically affecting versions 2.00.00 to 2.00.04. The flaw, rooted in the DotNetZip library (v1.16.0 and earlier), could allow a remote attacker to execute arbitrary code if a victim opens a malicious file, potentially compromising safety instrumented system (SIS) applications used in critical manufacturing sectors. The vulnerability is rated high severity, with a CVSS v4 score of 8.6, and exploitation requires user interaction but is considered low complexity and remotely exploitable. Rockwell Automation discovered the issue during internal testing and reported it to CISA, emphasizing their commitment to transparency and product security. The company has released a security advisory confirming the vulnerability, noting that it has been corrected and that no known exploitation has occurred in the wild. Organizations using affected SIS Workstation versions are urged to apply available mitigations to prevent potential remote code execution attacks targeting critical infrastructure environments worldwide.
4 months ago
Denial-of-Service Vulnerability in Rockwell Automation ArmorStart AOP
A high-severity security vulnerability, identified as CVE-2025-9437, was discovered in the Studio 5000 Logix Designer add-on profile (AOP) for the Rockwell Automation ArmorStart Classic distributed motor controller. The flaw allows an attacker to cause a denial-of-service (DoS) condition by inputting invalid values into Component Object Model (COM) methods within the affected software. This vulnerability was found internally by Rockwell Automation during routine security testing, demonstrating the company's proactive approach to product security. The vulnerability is remotely exploitable, meaning an attacker does not require physical access to the device to trigger the DoS condition. According to the available information, there is currently no evidence that this vulnerability has been exploited in the wild, and it is not listed as a Known Exploited Vulnerability (KEV). Rockwell Automation has issued a security advisory (SD1751) to inform customers of the issue and has provided both a correction and a workaround to mitigate the risk. The company emphasizes its commitment to transparency by publicly disclosing the vulnerability and offering guidance to affected users. The CVSS 4.0 base score for this vulnerability is 8.7, categorizing it as high severity and indicating a significant potential impact on industrial automation environments. Although the specific affected product versions are not detailed in the public advisories, the vulnerability is confirmed to impact the ArmorStart Classic AOP component. Customers are advised to review the official Rockwell Automation advisory for detailed mitigation steps and to apply the recommended updates or workarounds as soon as possible. The vulnerability could disrupt industrial operations by rendering the affected motor controller profile unresponsive, potentially impacting production processes. 
Rockwell Automation's Product Security Incident Response Team (PSIRT) is the source of the vulnerability disclosure, ensuring that the information is accurate and actionable. The advisory was published and last updated on October 14, 2025, reflecting the most current information available at the time. Organizations using the affected products should assess their exposure and implement the provided security measures to reduce the risk of exploitation. The disclosure underscores the importance of regular security testing and prompt patch management in industrial control system environments. By addressing the vulnerability before it could be exploited, Rockwell Automation demonstrates best practices in vulnerability management and customer communication.
5 months ago