Multiple Vulnerabilities in Studio 5000 Simulation Interface Allow Local Code Execution and SSRF
Two high-severity vulnerabilities have been identified in the Studio 5000® Simulation Interface by Rockwell Automation. The first, tracked as CVE-2025-11697, is a local code execution flaw that allows any Windows user on the affected system to exploit the API using path traversal sequences. This can result in the extraction of files and execution of scripts with Administrator privileges upon system reboot. The second vulnerability, CVE-2025-11696, is a local server-side request forgery (SSRF) issue that enables any Windows user to trigger outbound SMB requests, potentially exposing NTLM hashes to an attacker.
Both vulnerabilities were discovered internally by Rockwell Automation during routine security testing and have been disclosed as part of the company’s commitment to transparency. There is currently no evidence of exploitation in the wild, and Rockwell Automation has issued a security advisory (SD1760) confirming that fixes are available. No specific product versions have been listed as affected, but users of Studio 5000® Simulation Interface are advised to review the advisory and apply the recommended updates to mitigate risk.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CISA issues ICS advisory for Rockwell Automation Studio 5000 Simulation Interface
CISA published ICS advisory ICSA-25-317-06 covering the Rockwell Automation Studio 5000 Simulation Interface vulnerabilities. The advisory amplified the vendor disclosure to the industrial control systems community.
CVE records published for SSRF and local code execution vulnerabilities
Public CVE entries were published for CVE-2025-11696, a server-side request forgery issue, and CVE-2025-11697, a local code execution vulnerability in Studio 5000 Simulation Interface. These records formalized the individual vulnerabilities in public tracking systems.
Rockwell Automation discloses multiple Studio 5000 Simulation Interface flaws
Rockwell Automation published security advisory SD1760 for Studio 5000 Simulation Interface, disclosing multiple vulnerabilities affecting the product. The advisory marks the vendor's public disclosure of the issue set, including flaws later tracked as CVE-2025-11696 and CVE-2025-11697.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Rockwell Automation Studio 5000 Simulation Interface
cisa.gov
Open sourceCVE-2025-11697 - Studio 5000 ® Simulation Interface Local Code Execution
cvefeed.io
Open sourceCVE-2025-11696 - Studio 5000 ® Simulation Interface SSRF
cvefeed.io
Open sourceStudio 5000 ® Simulation Interface - Multiple Vulnerabilities
rockwellautomation.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple High-Severity Vulnerabilities in Rockwell Automation FactoryTalk Products
Rockwell Automation has disclosed several high-severity vulnerabilities affecting its FactoryTalk product line, including FactoryTalk View Machine Edition, PanelView Plus 7, and FactoryTalk ViewPoint. One of the vulnerabilities, tracked as CVE-2025-9064, is a path traversal issue in FactoryTalk View Machine Edition that allows unauthenticated attackers on the same network to delete arbitrary files from the device’s operating system, provided they know the filenames. This vulnerability is remotely exploitable and could lead to significant disruption or loss of critical files on affected devices. The company’s advisory SD1753 confirms that both FactoryTalk View Machine Edition and PanelView Plus 7 are impacted by this flaw, and that mitigations and workarounds are available. Another critical vulnerability, CVE-2025-9066, affects FactoryTalk ViewPoint and enables unauthenticated attackers to exploit XML External Entity (XXE) processing via certain SOAP requests. Successful exploitation of this flaw can result in a temporary denial-of-service condition, potentially disrupting industrial operations. Rockwell Automation’s advisory SD1752 details the XXE vulnerability, noting that it was discovered internally during routine security testing and that no known exploitation in the wild has been reported. Both vulnerabilities have been assigned a CVSS 4.0 base score of 8.7, indicating a high level of risk to industrial environments where these products are deployed. The advisories state that patches and workarounds are available, and customers are urged to apply them promptly to mitigate risk. The company emphasizes that the vulnerabilities are not currently known to be exploited in the wild, but the potential impact on industrial control systems is significant due to the products’ widespread use. The advisories also highlight Rockwell Automation’s commitment to transparency and proactive security practices, as these issues were identified through internal testing rather than external reports. Customers are encouraged to review the official advisories and implement recommended mitigations, including network segmentation and limiting access to trusted users. The affected products are commonly used in industrial automation environments, making timely remediation critical to prevent potential operational disruptions. The advisories provide detailed technical information and guidance for system administrators to assess and address the vulnerabilities. Rockwell Automation has made available downloadable advisories in Vulnerability Exploitability Exchange format for integration with vulnerability management tools. The company’s response includes both immediate patches and suggested workarounds for environments where patching may not be immediately feasible. Organizations using FactoryTalk View Machine Edition, PanelView Plus 7, or FactoryTalk ViewPoint should prioritize reviewing their exposure and applying the recommended security measures.
Mar 21, 2026
Path Traversal Vulnerability in Rockwell Automation AADvance-Trusted SIS Workstation
A critical path traversal vulnerability (CVE-2024-48510) has been identified in Rockwell Automation's AADvance-Trusted SIS Workstation, specifically affecting versions 2.00.00 to 2.00.04. The flaw, rooted in the DotNetZip library (v1.16.0 and earlier), could allow a remote attacker to execute arbitrary code if a victim opens a malicious file, potentially compromising safety instrumented system (SIS) applications used in critical manufacturing sectors. The vulnerability is rated high severity, with a CVSS v4 score of 8.6, and exploitation requires user interaction but is considered low complexity and remotely exploitable. Rockwell Automation discovered the issue during internal testing and reported it to CISA, emphasizing their commitment to transparency and product security. The company has released a security advisory confirming the vulnerability, noting that it has been corrected and that no known exploitation has occurred in the wild. Organizations using affected SIS Workstation versions are urged to apply available mitigations to prevent potential remote code execution attacks targeting critical infrastructure environments worldwide.
Mar 21, 2026
Rockwell Automation ICS Products Hit by Authentication, Authorization, DoS, and RCE Flaws
CISA republished multiple Rockwell Automation advisories covering vulnerabilities across **FactoryTalk Analytics PavilionX**, **RSLinx Classic**, **CompactLogix 5370**, **Logix 5370/5570 controllers**, and **FLEX I/O EtherNet/IP Adapters** used in critical manufacturing environments worldwide. The issues include an authorization bypass in PavilionX (`CVE-2025-14272`) that could let an unauthenticated attacker perform privileged administrative actions, and a third-party flaw in RSLinx Classic (`CVE-2020-13573`) tied to out-of-bounds read and stack-based buffer overflow conditions that could cause denial of service or enable remote arbitrary code execution. Additional advisories detail multiple **CIP-related denial-of-service weaknesses** in CompactLogix and Logix controllers, including `CVE-2026-11317`, where crafted CIP messages can trigger major nonrecoverable faults requiring a program download, as well as sequence-number, source-IP, and connection-ID issues that can induce controller faults. CISA also warned that FLEX I/O EtherNet/IP Adapters version `2.012` are affected by `CVE-2026-0646`, which can fault devices through malformed CIP requests, and `CVE-2026-0647`, a critical authentication bypass in the embedded web server that allows password changes through a crafted HTTP GET request, potentially leading to account takeover and loss of availability; CISA said no known public exploitation had been reported and urged operators to isolate control networks, reduce internet exposure, and secure remote access with firewalls and updated VPNs.
Jun 19, 2026