Rockwellautomation
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Rockwellautomation product.
RSS Feeds for Rockwellautomation security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Rockwellautomation products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Rockwellautomation Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 14 vulnerabilities in Rockwellautomation with an average score of 7.8 out of ten. Last year, in 2025 Rockwellautomation had 42 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Rockwellautomation in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.13.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 14 | 7.80 |
| 2025 | 42 | 7.67 |
| 2024 | 45 | 8.11 |
| 2023 | 30 | 8.08 |
| 2022 | 31 | 8.30 |
| 2021 | 3 | 8.43 |
| 2020 | 25 | 7.38 |
| 2019 | 7 | 8.65 |
| 2018 | 6 | 5.50 |
It may take a day or so for new Rockwellautomation vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Rockwellautomation Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2019-25276 | Feb 04, 2026 |
Studio 5000 Logix 30.01 Unquoted FTA Path ElevationStudio 5000 Logix Designer 30.01.00 contains an unquoted service path vulnerability in the FactoryTalk Activation Service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\ to inject malicious code that would execute with LocalSystem permissions. |
|
| CVE-2025-9283 | Jan 20, 2026 |
CVE-2025-9283: ArmorStart LT Eth/IP DDoS via Achilles Step Limits StormsA security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limits Storms tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. |
|
| CVE-2025-9282 | Jan 20, 2026 |
DoS via Reboot in ArmorStart® LT During Achilles TestsA security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. |
|
| CVE-2025-9281 | Jan 20, 2026 |
CVE-2025-9281: ArmorStart LT Device DOS via Achilles Storm TestA security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive step limit storm tests, the device reboots |
|
| CVE-2025-9280 | Jan 20, 2026 |
ArmorStart LT Device DoS from Defensics FuzzingA security issue exists within ArmorStart® LT that can result in a denial-of-service condition. Fuzzing performed using Defensics causes the device to become unresponsive, requiring a reboot. |
|
| CVE-2025-14027 | Jan 20, 2026 |
DoS via Malformed Class 3 Messages in Rockwell Automation ControlLogixMultiple denial-of-service vulnerabilities exist in the affected product. These issues can be triggered through various crafted inputs, including malformed Class 3 messages, memory leak conditions, and other resource exhaustion scenarios. Exploitation may cause the device to become unresponsive and, in some cases, result in a major nonrecoverable fault. Recovery may require a restart. |
|
| CVE-2025-9279 | Jan 20, 2026 |
ArmorStart LT DoS via Achilles EtherNet/IP Step Limit Storm TestsA security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. |
|
| CVE-2025-9278 | Jan 20, 2026 |
ICMP DoS in ArmorStart® LT triggered by Burp Suite active scanA security issue exists within ArmorStart® LT that can result in a denial-of-service condition. After running a Burp Suite active scan, the device loses ICMP connectivity, causing the web application to become inaccessible. |
|
| CVE-2025-9466 | Jan 20, 2026 |
DDoS from Achilles ETL Tests on Rockwell ArmorStart LTA security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP and CIP grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. |
|
| CVE-2025-11743 | Jan 20, 2026 |
CVE-2025-11743: DoS via Malformed CIP Forward Open in Rockwell PLCA denial-of-service security issue in the affected product. The security issue occurs when a malformed CIP forward open message is sent. This could result in a major nonrecoverable fault a restart is required to recover. |
|
| CVE-2025-9465 | Jan 20, 2026 |
ArmorStart LT DoS via Achilles Grammar Tests RebootA security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. |
|
| CVE-2025-9464 | Jan 20, 2026 |
Denial-of-Service in ArmorStart LT via CIP FuzzingA security issue exists within ArmorStart® LT that can result in a denial-of-service condition. This vulnerability is triggered during fuzzing of multiple CIP classes, which causes the CIP port to become unresponsive. |
|
| CVE-2025-14377 | Jan 20, 2026 |
Verve Asset Manager: Legacy Ansible Playbook Plaintext Secrets before v1.36A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024. |
|
| CVE-2025-14376 | Jan 20, 2026 |
Plaintext Secrets in Verve Asset Manager ADI Server (1.36)A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024. |
|
| CVE-2025-13824 | Dec 15, 2025 |
PLC Hard Fault via Malformed CIP Packets (CPE 0xF019)A security issue exists due to improper handling of malformed CIP packets during fuzzing. The controller enters a hard fault with solid red Fault LED and becomes unresponsive. Upon power cycle, the controller will enter recoverable fault where the MS LED and Fault LED become flashing red and reports fault code0xF019. To recover,clear the fault. |
|
| CVE-2025-13823 | Dec 15, 2025 |
IPv6 Stack Fault in Micro850/870 ControllersA security issue was found in the IPv6 stack in the Micro850 and Micro870 controllers when the controllers received multiple malformed packets during fuzzing. The controllers will go into recoverable fault with fault code 0xFE60. To recover the controller, clear the fault. |
|
| CVE-2025-9368 | Dec 09, 2025 |
DoS in GuardLink EtherNet/IP Interface on 432ES-IG3 Series AA security issue exists within 432ES-IG3 Series A, which affects GuardLink® EtherNet/IP Interface, resulting in denial-of-service. A manual power cycle is required to recover the device. |
|
| CVE-2025-12807 | Dec 09, 2025 |
DataMosaix Private Cloud API lowprivilege DB op flawA security issue was discovered in DataMosaix Private Cloud, allowing users with low privilege to perform sensitive database operations through exposed API endpoints. |
Factorytalk Datamosaix Private Cloud
|
| CVE-2025-11918 | Nov 14, 2025 |
Arena DOE File Parsing Stack Buffer Overflow (CVE-2025-11918)Rockwell Automation Arena® suffers from a stack-based buffer overflow vulnerability. The specific flaw exists within the parsing of DOE files. Local attackers are able to exploit this issue to potentially execute arbitrary code on affected installations of Arena®. Exploiting the vulnerability requires opening a malicious DOE file. |
Arena Simulation
Arena
|
| CVE-2025-11697 | Nov 11, 2025 |
Local Code Execution in Studio 5000 Simulation Interface API via Path TraversalA local code execution security issue exists within Studio 5000® Simulation Interface via the API. This vulnerability allows any Windows user on the system to extract files using path traversal sequences, resulting in execution of scripts with Administrator privileges on system reboot. |
Studio 5000 Simulation Interface
|
| CVE-2025-11696 | Nov 11, 2025 |
Studio 5000 Simulation Interface API SSRF Enables NTLM Hash CaptureA local server-side request forgery (SSRF) security issue exists within Studio 5000® Simulation Interface via the API. This vulnerability allows any Windows user on the system to trigger outbound SMB requests, enabling the capture of NTLM hashes. |
Studio 5000 Simulation Interface
|
| CVE-2025-11862 | Nov 11, 2025 |
Verve Asset Manager API User Privilege Escalation (CVE-2025-11862)A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API. |
Verve Asset Manager
|
| CVE-2025-11085 | Nov 11, 2025 |
DataMosaix Private Cloud Persistent XSS Enabling JavaScript ExecutionA security issue exists within DataMosaix Private Cloud allowing for Persistent XSS. This vulnerability can result in the execution of malicious JavaScript, allowing for account takeover, credential theft, or redirection to a malicious website. |
Factorytalk Datamosaix Private Cloud
|
| CVE-2025-11084 | Nov 11, 2025 |
DataMosaix Private Cloud MFA Bypass Obtain Auth Token Without PassA security issue exists within DataMosaix Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the users password. This vulnerability occurs when MFA is enabled but not completed within a 7-day period. |
Factorytalk Datamosaix Private Cloud
|
| CVE-2025-9178 | Oct 14, 2025 |
CIP DoS via Crafted Payloads in EtherNet/IP Adapter 1715A denial-of-service security issue exists in the affected product and version. The security issue is caused through CIP communication using crafted payloads. The security issue could result in no CIP communication with 1715 EtherNet/IP Adapter.A restart is required to recover. |
|
| CVE-2025-9177 | Oct 14, 2025 |
DoS via Excessive Requests on Unidentified Web ServerA denial-of-service security issue exists in the affected product and version. The security issue stems from a high number of requests sent to the web server. This could result in a web server crash however; this does not impact I/O control or communication . A power cycle is required to recover and utilize the webpage. |
|
| CVE-2025-7330 | Oct 14, 2025 |
CSRF in admin form allows unintended config modificationA cross-site request forgery security issue exists in the product and version listed. The vulnerability stems from missing CSRF checks on the impacted form. This allows for unintended configuration modification if an attacker can convince a logged in admin to visit a crafted link. |
|
| CVE-2025-7329 | Oct 14, 2025 |
Stored XSS via Config Field Update in Unknown Web AppA Stored Cross-Site Scripting security issue exists in the affected product that could potentially allow a malicious user to view and modify sensitive data or make the webpage unavailable. The vulnerability stems from missing special character filtering and encoding. Successful exploitation requires an attacker to be able to update configuration fields behind admin login. |
|
| CVE-2025-7328 | Oct 14, 2025 |
Broken Auth in Device Enables Admin Takeover & NAT Rule ModsMultiple Broken Authentication security issues exist in the affected product. The security issues are due to missing authentication checks on critical functions. These could result in potential denial-of-service, admin account takeover, or NAT rule modifications. Devices would no longer be able to communicate through NATR as a result of denial-of-service or NAT rule modifications. NAT rule modification could also result in device communication to incorrect endpoints. Admin account takeover could allow modification of configuration and require physical access to restore. |
|
| CVE-2025-9067 | Oct 14, 2025 |
Privilege Escalation via MSI Repair in FTLinxA security issue exists within the x86 Microsoft Installer File (MSI), installed with FTLinx. Authenticated attackers with valid Windows user credentials can initiate a repair and hijack the resulting console window. This allows the launching of a command prompt running with SYSTEM-level privileges, allowing full access to all files, processes, and system resources. |
Factorytalk Linx
|
| CVE-2025-9124 | Oct 14, 2025 |
Denial of Service via Crafted CIP Unconnected Explicit MessageA denial-of-service security issue in the affected product. The security issue stems from a fault occurring when a crafted CIP unconnected explicit message is sent. This can result in a major non-recoverable fault. |
|
| CVE-2025-9068 | Oct 14, 2025 |
CVE-2025-9068: Windows MSI Repair Hijack to SYSTEM for Rockwell Automation DriverA security issue exists within the Rockwell Automation Driver Package x64 Microsoft Installer File (MSI) repair functionality, installed with FTLinx. Authenticated attackers with valid Windows Users credentials can initiate a repair and hijack the resulting console window for vbpinstall.exe. This allows the launching of a command prompt running with SYSTEM-level privileges, allowing full access to all files, processes, and system resources. |
Factorytalk Linx
|
| CVE-2025-9064 | Oct 14, 2025 |
FactoryTalk View Machine Edition Path Traversal Deletes Files on Panels OSA path traversal security issue exists within FactoryTalk View Machine Edition, allowing unauthenticated attackers on the same network as the device to delete any file within the panels operating system. Exploitation of this vulnerability is dependent on the knowledge of filenames to be deleted. |
Factorytalk View
|
| CVE-2025-9063 | Oct 14, 2025 |
Auth Bypass in FactoryTalk View Machine Edition Web Browser ActiveX ControlAn authentication bypass security issue exists within FactoryTalk View Machine Edition Web Browser ActiveX control. Exploitation of this vulnerability allows unauthorized access to the PanelView Plus 7 Series B, including access to the file system, retrieval of diagnostic information, event logs, and more. |
|
| CVE-2025-9066 | Oct 14, 2025 |
FactoryTalk ViewPoint Unauth XXE via SOAP Causing Temp DoSA security issue was discovered within FactoryTalk® ViewPoint, allowing unauthenticated attackers to achieve XXE. Certain SOAP requests can be abused to perform XXE, resulting in a temporary denial-of-service. |
Factorytalk View
|
| CVE-2025-9437 | Oct 14, 2025 |
DDoS via Invalid COM Input in ArmorStart Classic (Studio 5000 Logix AOP)A security issue exists within the Studio 5000 Logix Designer add-on profile (AOP) for the ArmorStart Classic distributed motor controller, resulting in denial-of-service. This vulnerability is possible due to the input of invalid values into Component Object Model (COM) methods. |
|
| CVE-2025-7033 | Aug 05, 2025 |
Memory Abuse RCE in Rockwell Arena Simulation via Malicious FileA memory abuse issue exists in the Rockwell Automation Arena® Simulation. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information. |
Arena
|
| CVE-2025-7025 | Aug 05, 2025 |
Arena Simulation RCE via Memory Overwrite with Bad FileA memory abuse issue exists in the Rockwell Automation Arena® Simulation. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information. |
Arena
|
| CVE-2025-7032 | Aug 05, 2025 |
Arena Simulation FUA/IO Buffer Overflow | RCE via Custom FileA memory abuse issue exists in the Rockwell Automation Arena® Simulation. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information. |
Arena
Arena Simulation
|
| CVE-2025-6377 | Jul 09, 2025 |
Rockwell Arena Simulation: RCE via crafted DOE fileA remote code execution security issue exists in the Rockwell Automation Arena®. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worse case impact. This is reflected in the Rockwell CVSS score, as AT:P. |
Arena
Arena Simulation
|
| CVE-2025-6376 | Jul 09, 2025 |
RCE via Malformed DOE File in Rockwell Automation ArenaA remote code execution security issue exists in the Rockwell Automation Arena®. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worse case impact. This is reflected in the Rockwell CVSS score, as AT:P. |
Arena
|
| CVE-2025-3618 | Apr 15, 2025 |
ThinManager DoS via Type18 Msg MemAlloc ErrorA denial-of-service vulnerability exists in the Rockwell Automation ThinManager. The software fails to adequately verify the outcome of memory allocation while processing Type 18 messages. If exploited, a threat actor could cause a denial-of-service on the target software. |
Thinmanager
|
| CVE-2025-3617 | Apr 15, 2025 |
Privilege Escalation in Rockwell ThinManager via Temp Folder ACLA privilege escalation vulnerability exists in the Rockwell Automation ThinManager. When the software starts up, files are deleted in the temporary folder causing the Access Control Entry of the directory to inherit permissions from the parent directory. If exploited, a threat actor could inherit elevated privileges. |
Thinmanager
|
| CVE-2025-3285 | Apr 08, 2025 |
Rockwell Arena LCE via DOE file memory buffer overreadA local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file. |
Arena
|
| CVE-2025-3289 | Apr 08, 2025 |
CVE-2025-3289: LCE via Stack Buffer Overflow in Rockwell ArenaA local code execution vulnerability exists in the Rockwell Automation Arena® due to a stack-based memory buffer overflow. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file. |
Arena
|
| CVE-2025-3288 | Apr 08, 2025 |
Rockwell Arena LCE: OOB Read via malicious DOE fileA local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file. |
Arena
|
| CVE-2025-3287 | Apr 08, 2025 |
Rockwell Automation Arena LCE via Stack Buffer OverflowA local code execution vulnerability exists in the Rockwell Automation Arena® due to a stack-based memory buffer overflow. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file. |
Arena
|
| CVE-2025-3286 | Apr 08, 2025 |
LCE via Buffer Overflow in Rockwell Automation Arena (DOE file)A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file. |
Arena
|
| CVE-2025-2286 | Apr 08, 2025 |
Rockwell Automation Arena LCE via Uninitialized Pointer in DOE FileA local code execution vulnerability exists in the Rockwell Automation Arena® due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file. |
Arena
|
| CVE-2025-2287 | Apr 08, 2025 |
LCE in Rockwell Automation Arena via uninitialized pointer in DOE fileA local code execution vulnerability exists in the Rockwell Automation Arena® due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file. |
Arena
|