Published Date: 3/25/25
Revision Number: 1.0
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Version(s) | Corrected in Software Revision |
| --- | --- | --- |
| Verve Asset Manager | <=1.39 | V1.40 |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-1449 IMPACT
A vulnerability exists in the affected product due to insufficient variable sanitizing. A portion of the administrative web interface for Verve's Legacy Agentless Device Inventory (ADI) capability (deprecated since the 1.36 release) allows users to change a variable with inadequate sanitizing. If exploited, it could allow a threat actor with administrative access to run arbitrary commands in the context of the container running the service.
CVSS Base Score v3.1: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Base Score v4.0: 8.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE: CWE-1287: Improper Validation of Specified Type of Input
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Customers using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices where possible.