Loading

Local Code Execution Vulnerabilities in Arena®

Severity:
High
Advisory ID:
SD1726
发布日期:
April 07, 2025
上次更新时间:
April 07, 2025
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
否
Corrected:
是
Workaround:
否
CVE IDs
CVE-2025-2285,
CVE-2025-2286,
CVE-2025-2287,
CVE-2025-2288,
CVE-2025-2293,
CVE-2025-2829,
CVE-2025-3285,
CVE-2025-3286,
CVE-2025-3287,
CVE-2025-3288,
CVE-2025-3289
下载
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
CVE-2025-2285
CVE-2025-2286
CVE-2025-2287
CVE-2025-2288
CVE-2025-2293
CVE-2025-2829
CVE-2025-3285
CVE-2025-3286
CVE-2025-3287
CVE-2025-3288
CVE-2025-3289
摘要

Published Date: 4/8/2025

Last updated: 4/8/2025

Revision Number: 1.0

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

Arena®

16.20.08 and earlier

16.20.09

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Michael Heinzl.

CVE-2025-2285

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE- 457 Uninitialized Variable

 

CVE-2025-2286

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE- 457 Uninitialized Variable

 

 

CVE-2025-2287

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE- 457 Uninitialized Variable

 

CVE-2025-2288

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data.   If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector:CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE 787 - Out of Bounds Write

 

CVE-2025-2293

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is result of improper validation of user-supplied data.   If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE 787 - Out of Bounds Write

 

CVE-2025-2829

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data.   If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE 787 - Out of Bounds Write

 

CVE-2025-3285

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE-125 Out of Bounds Read

 

CVE-2025-3286

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE-125 Out of Bounds Read

 

CVE-2025-3287

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE-125 Out of Bounds Read

 

CVE-2025-3288

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE-125 Out of Bounds Read

 

 

CVE-2025-3289

A local code execution vulnerability exists in the affected products due to a stack-based memory buffer overflow. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE 121 – Stack-based Buffer Overflow

 

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

·         Security Best Practices

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

 

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Rockwell Automation 主页 Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust Center Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
请更新您的Cookies偏好以继续.
此功能需要Cookies来增强您的体验。请更新您的系统偏好以允许使用这些Cookies:
  • 社交媒体Cookies
  • 功能Cookies
  • 性能 Cookies
  • 市场营销Cookies
  • 所有Cookies
您可以随时更新您的系统偏好。如需了解更多信息,请参阅我们的 隐私政策
CloseClose