Published Date: 8/5/2025
Last Updated: 8/5/2025
Revision Number: 1.0
CVSS Score: 8.4/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product |
CVE |
First Known in Software Version |
Corrected in Software Version |
Arena® Simulation |
CVE-2025-7025 |
16.20.09 and prior |
|
CVE-2025-7032 |
16.20.09 and prior |
||
CVE-2025-7033 |
16.20.09 and prior |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following security issues. The vulnerabilities were reported by Michael Heinzl.
CVE-2025-7025 IMPACT
A memory abuse issue exists in the affected product. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-125 Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No
CVE-2025-7032 IMPACT
A memory abuse issue exists in the affected product. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-121: Stack-based Buffer Overflow
Known Exploited Vulnerability (KEV) database: No
CVE-2025-7033 IMPACT
A memory abuse issue exists in the affected product. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-122: Heap-based Buffer Overflow
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.
Glossary
· Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
· Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process
