Published Date: 4/8/2025
Last updated: 4/8/2025
Revision Number: 1.0
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in software version | Corrected in software version
Arena® | 16.20.08 and earlier | 16.20.09
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities, which were reported by Michael Heinzl.
CVE-2025-2285
A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-457 Uninitialized Variable
CVE-2025-2286
A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-457 Uninitialized Variable
CVE-2025-2287
A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-457 Uninitialized Variable
CVE-2025-2288
A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-787 Out of Bounds Write
CVE-2025-2293
A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-787 Out of Bounds Write
CVE-2025-2829
A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-787 Out of Bounds Write
CVE-2025-3285
A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-125 Out of Bounds Read
CVE-2025-3286
A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-125 Out of Bounds Read
CVE-2025-3287
A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-125 Out of Bounds Read
CVE-2025-3288
A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-125 Out of Bounds Read
CVE-2025-3289
A local code execution vulnerability exists in the affected products due to a stack-based memory buffer overflow. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-121 Stack-based Buffer Overflow
Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Users of the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.