Loading

Arena® Simulation Out-Of-Bounds Write Remote Code Execution Vulnerability

Severity:
High
Advisory ID:
SD1729
Data pubblicazione:
July 09, 2025
Ultimo aggiornamento:
July 09, 2025
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Sì
Workaround:
No
CVE IDs
CVE-2025-6377 ,
CVE-2025-6376
Download
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
JSON
Riepilogo

Published Date: 7/9/2025
Last Updated: 7/9/2025
Revision Number: 1.0
CVSS Score: 7.1/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected  Product

CVE

First Known in Software Version

Corrected in Software Version

Software - Arena®

CVE-2025-6377

16.20.08 and earlier

16.20.09 and later

Software - Arena®

CVE-2025-6376

16.20.08 and earlier

16.20.09 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerability. The vulnerability was reported by Zero Day Initiative (ZDI).

CVE-2025-6377 IMPACT

A remote code execution security issue exists in the affected product. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worse case impact. This is reflected in the Rockwell CVSS score, as AT:P.

ZDI CVSS Score

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4

CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

Rockwell CVSS Score:

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

CVE-2025-6376 IMPACT 

A remote code execution security issue exists in the affected product. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worse case impact. This is reflected in the Rockwell CVSS score, as AT:P.

 

ZDI CVSS Score

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4

CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

Rockwell CVSS Score

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE: CWE-20 Improper Input Validation 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied. 

·         Security Best Practices

 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Glossary

DOE File: A DOE file, or Design of Experiments file, is a document used to plan and organize an experiment efficiently. It helps in systematically arranging tests and analyzing the effects of multiple factors and their interactions on a response variable.

Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Home Rockwell Automation Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust Center Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
Aggiorna le tue preferenze sui cookie per continuare.
Questa funzionalità richiede i cookie per migliorare la tua esperienza. Ti preghiamo di aggiornare le tue preferenze per consentire questi cookie:
  • Cookie dei social media
  • Cookie funzionali
  • Cookie di prestazione
  • Cookie di marketing
  • Tutti i cookie
Puoi aggiornare le tue preferenze in qualsiasi momento. Per ulteriori informazioni consultare il nostro {0} politica sulla riservatezza
CloseClose