Path Traversal Vulnerability in Rockwell Automation AADvance-Trusted SIS Workstation
A critical path traversal vulnerability (CVE-2024-48510) has been identified in Rockwell Automation's AADvance-Trusted SIS Workstation, specifically affecting versions 2.00.00 to 2.00.04. The flaw, rooted in the DotNetZip library (v1.16.0 and earlier), could allow a remote attacker to execute arbitrary code if a victim opens a malicious file, potentially compromising safety instrumented system (SIS) applications used in critical manufacturing sectors. The vulnerability is rated high severity, with a CVSS v4 score of 8.6, and exploitation requires user interaction but is considered low complexity and remotely exploitable.
Rockwell Automation discovered the issue during internal testing and reported it to CISA, emphasizing their commitment to transparency and product security. The company has released a security advisory confirming the vulnerability, noting that it has been corrected and that no known exploitation has occurred in the wild. Organizations using affected SIS Workstation versions are urged to apply available mitigations to prevent potential remote code execution attacks targeting critical infrastructure environments worldwide.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CISA publishes ICS advisory for Rockwell AADvance-Trusted SIS Workstation
CISA released ICS advisory ICSA-25-317-10 covering Rockwell Automation AADvance-Trusted SIS Workstation. The advisory reflects government publication and broader dissemination of the vulnerability information.
DotNetZip vulnerability CVE-2024-48510 disclosed for SIS Workstation
Rockwell Automation published a security advisory for a third-party vulnerability, CVE-2024-48510, affecting its AADvance-Trusted SIS Workstation product. The advisory identifies the issue as involving the DotNetZip component.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Relative Path Traversal Vulnerability in AutomationDirect Productivity Suite
A critical relative path traversal vulnerability, identified as CVE-2025-62498, was discovered in *AutomationDirect Productivity Suite* software, specifically affecting versions up to 4.4.1.19. This vulnerability, also known as ZipSlip, allows an attacker who can tamper with a productivity project file to execute arbitrary code on the machine where the project is opened. The flaw is remotely exploitable and has been assigned a CVSS v3.1 base score of 8.8 and a CVSS v4 score of 9.3, indicating high severity. The vulnerability impacts multiple *Productivity* PLC models, including Productivity 3000, 2000, and 1000 series CPUs running affected software versions. Successful exploitation could enable attackers to gain full control over the affected system, potentially leading to information disclosure, unauthorized file access, or further compromise of industrial control environments. The vulnerability was reported to ICS-CERT, and advisories have been published to inform users and administrators of the risk and to recommend mitigation steps. No affected product table was provided in the CVE feed, but CISA's advisory lists specific impacted models and software versions, emphasizing the need for immediate attention from organizations using these products in critical infrastructure environments.
Mar 21, 2026
Multiple High-Severity Vulnerabilities in Rockwell Automation FactoryTalk Products
Rockwell Automation has disclosed several high-severity vulnerabilities affecting its FactoryTalk product line, including FactoryTalk View Machine Edition, PanelView Plus 7, and FactoryTalk ViewPoint. One of the vulnerabilities, tracked as CVE-2025-9064, is a path traversal issue in FactoryTalk View Machine Edition that allows unauthenticated attackers on the same network to delete arbitrary files from the device’s operating system, provided they know the filenames. This vulnerability is remotely exploitable and could lead to significant disruption or loss of critical files on affected devices. The company’s advisory SD1753 confirms that both FactoryTalk View Machine Edition and PanelView Plus 7 are impacted by this flaw, and that mitigations and workarounds are available. Another critical vulnerability, CVE-2025-9066, affects FactoryTalk ViewPoint and enables unauthenticated attackers to exploit XML External Entity (XXE) processing via certain SOAP requests. Successful exploitation of this flaw can result in a temporary denial-of-service condition, potentially disrupting industrial operations. Rockwell Automation’s advisory SD1752 details the XXE vulnerability, noting that it was discovered internally during routine security testing and that no known exploitation in the wild has been reported. Both vulnerabilities have been assigned a CVSS 4.0 base score of 8.7, indicating a high level of risk to industrial environments where these products are deployed. The advisories state that patches and workarounds are available, and customers are urged to apply them promptly to mitigate risk. The company emphasizes that the vulnerabilities are not currently known to be exploited in the wild, but the potential impact on industrial control systems is significant due to the products’ widespread use. The advisories also highlight Rockwell Automation’s commitment to transparency and proactive security practices, as these issues were identified through internal testing rather than external reports. Customers are encouraged to review the official advisories and implement recommended mitigations, including network segmentation and limiting access to trusted users. The affected products are commonly used in industrial automation environments, making timely remediation critical to prevent potential operational disruptions. The advisories provide detailed technical information and guidance for system administrators to assess and address the vulnerabilities. Rockwell Automation has made available downloadable advisories in Vulnerability Exploitability Exchange format for integration with vulnerability management tools. The company’s response includes both immediate patches and suggested workarounds for environments where patching may not be immediately feasible. Organizations using FactoryTalk View Machine Edition, PanelView Plus 7, or FactoryTalk ViewPoint should prioritize reviewing their exposure and applying the recommended security measures.
Mar 21, 2026
Multiple Vulnerabilities in Studio 5000 Simulation Interface Allow Local Code Execution and SSRF
Two high-severity vulnerabilities have been identified in the *Studio 5000® Simulation Interface* by Rockwell Automation. The first, tracked as CVE-2025-11697, is a local code execution flaw that allows any Windows user on the affected system to exploit the API using path traversal sequences. This can result in the extraction of files and execution of scripts with Administrator privileges upon system reboot. The second vulnerability, CVE-2025-11696, is a local server-side request forgery (SSRF) issue that enables any Windows user to trigger outbound SMB requests, potentially exposing NTLM hashes to an attacker. Both vulnerabilities were discovered internally by Rockwell Automation during routine security testing and have been disclosed as part of the company’s commitment to transparency. There is currently no evidence of exploitation in the wild, and Rockwell Automation has issued a security advisory (SD1760) confirming that fixes are available. No specific product versions have been listed as affected, but users of Studio 5000® Simulation Interface are advised to review the advisory and apply the recommended updates to mitigate risk.
Mar 21, 2026