
Multiple Code Execution Vulnerabilities in Arena®

Severity: High
Advisory ID: SD1713
Published Date: December 04, 2024
Last Updated: December 19, 2024
Revision Number: 2.0
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: Yes
CVE IDs: CVE-2024-11155, CVE-2024-11156, CVE-2024-11158, CVE-2024-12130, CVE-2024-11157, CVE-2024-12672, CVE-2024-11364, CVE-2024-12175
Files (download)
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
Summary

Published Date: 12/04/24

Last updated: August 6, 2025

Revision Number: 2.0

CVSS Score: v3.1: 7.8, v4.0: 8.5

AFFECTED PRODUCTS AND SOLUTION

| Affected Product | CVE | Affected Software Version | Corrected in Software Version |
|---|---|---|---|
| Software - Arena | CVE-2024-11155 | All versions 16.20.00 and prior | V16.20.06 and later |
| | CVE-2024-11156 | All versions 16.20.03 and prior | V16.20.06 and later |
| | CVE-2024-11158 | All versions 16.20.00 and prior | V16.20.06 and later |
| | CVE-2024-12130 | All versions 16.20.05 and prior | V16.20.06 and later |
| | CVE-2024-11157 | All versions 16.20.06 and prior | V16.20.07 and later |
| | CVE-2024-12175 | All versions 16.20.06 and prior | V16.20.07 and later |
| Software – Arena® 32 bit | CVE-2024-12672 | All versions 16.20.07 and prior | n/a – see mitigations |
| | CVE-2024-11364 | All versions 16.20.06 and prior | V16.20.07 and later |

SECURITY ISSUE DETAILS

Rockwell Automation uses the latest version of the CVSS scoring system to assess the security issues. These security issues were reported by ZDI (Zero Day Initiative).

CVE-2024-11155 IMPACT

A “use after free” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. A threat actor could leverage this issue to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-416 Use After Free

Known Exploited Vulnerability (KEV) database: No

CVE-2024-11156 IMPACT

An “out of bounds write” code execution security issue exists in the affected products. This could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. A threat actor could use this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

CVE-2024-11158 IMPACT

An “uninitialized variable” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to access a variable before it is initialized. A threat actor could use this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-665 Improper Initialization

Known Exploited Vulnerability (KEV) database: No

CVE-2024-12130 IMPACT

An “out of bounds read” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to read beyond the boundaries of allocated memory. A threat actor could use this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-125: Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

CVE-2024-11157

A third-party security issue exists in the affected products. This could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.  

CVSS 3.1 Base Score: 7.8 

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5 
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

CVE-2024-12672

A third-party security issue exists in the affected products. This could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used. 

CVSS 3.1 Base Score: 7.8 

CVSS 3.1 Vector:  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5 
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-1395 Dependency on third-party Component

Known Exploited Vulnerability (KEV) database: No

CVE-2024-11364

Another “uninitialized variable” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to access a variable prior to it being initialized. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-1395 Dependency on third-party Component

Known Exploited Vulnerability (KEV) database: No

CVE-2024-12175

Another “use after free” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-416 Use After Free

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software should apply the following risk mitigations.

  • Do not load untrusted Arena® model files.
  • Hold the control key down when loading files to help prevent the VBA file stream from loading.

For information on how to mitigate security risks, use our suggested security best practices.

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Glossary

DOE file: stores model data using a Microsoft Compound File format, which acts as a container for several data streams

Out of bounds read vulnerability: when a program reads data from a memory location outside the bounds of an array or buffer

Out of bounds write code vulnerability: a software vulnerability where a program writes beyond the bounds of an allowed area of memory

Third-party vulnerability: a weakness or flaw in an external vendor, supplier, or service provider’s system, process, or software that can be exploited to compromise the security of a connected organization.

Uninitialized variable vulnerability: occurs when a program accesses a variable before it has been initialized

Use-After-Free (UAF) vulnerability: a type of memory corruption vulnerability that occurs when a program continues to access memory locations that have already been freed.
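
The glossary describes a DOE file as a Compound File container holding several data streams, and the workaround refers to a VBA stream. As an added example (not Rockwell Automation code), the following Python lists the directory entries of a Compound File so an untrusted model file can be triaged without opening it in Arena. The sample file, the entry name `ModelData`, and the rule that VBA-related entries carry "VBA" in their name are assumptions made for illustration.

```python
import struct
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ENDOFCHAIN, FREESECT, MAXREGSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFA
TYPES = {1: "storage", 2: "stream", 5: "root"}

def list_entries(data):
    """Return [(name, type)] for each directory entry of a Compound File."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        raise ValueError("not a Compound File")
    shift, = struct.unpack_from("<H", data, 30)
    if shift not in (9, 12):                      # 512- or 4096-byte sectors
        raise ValueError("unexpected sector shift")
    size = 1 << shift
    first_dir, = struct.unpack_from("<I", data, 48)
    def sector(n):                                # sector n follows the header
        off = (n + 1) * size
        if off + size > len(data):
            raise ValueError("sector outside file")
        return data[off:off + size]
    fat = []                                      # header DIFAT only (109 FAT sectors)
    for s in struct.unpack_from("<109I", data, 76):
        if s <= MAXREGSECT:
            fat += struct.unpack("<%dI" % (size // 4), sector(s))
    entries, seen, sec = [], set(), first_dir
    while sec != ENDOFCHAIN:                      # walk the directory sector chain
        if sec in seen or sec >= len(fat):
            raise ValueError("corrupt directory chain")
        seen.add(sec)
        raw = sector(sec)
        for i in range(0, size, 128):             # 128-byte directory entries
            nlen, kind = struct.unpack_from("<HB", raw, i + 64)
            if kind in TYPES and 2 <= nlen <= 64:
                name = raw[i:i + nlen - 2].decode("utf-16-le", "replace")
                entries.append((name, TYPES[kind]))
        sec = fat[sec]
    return entries

def vba_entries(data):      # assumption: VBA-related entries have "VBA" in the name
    return [e for e in list_entries(data) if "vba" in e[0].lower()]

def _entry(name, kind):     # builds one constructed 128-byte directory entry
    n = name.encode("utf-16-le") + b"\0\0"
    return n.ljust(64, b"\0") + struct.pack("<HB", len(n), kind) + b"\0" * 61

def sample_doe():           # constructed 3-sector sample; "ModelData" is made up
    hdr = CFB_MAGIC + b"\0" * 16 + struct.pack("<5H6x9I", 0x3E, 3, 0xFFFE, 9, 6,
          0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr += struct.pack("<109I", 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[FREESECT] * 126)
    return hdr + fat + _entry("Root Entry", 5) + _entry("ModelData", 2) + _entry("VBA", 1) + bytes(128)
```

Because it reads only the 109 FAT sector locations stored in the header, the parser covers files up to roughly 7 MB at 512-byte sectors; larger files need the DIFAT chain followed as well.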

Copyright ©2022 Rockwell Automation, Inc.