Local Code Execution Vulnerability in Rockwell Automation Arena
CVE-2025-2288
8.5 HIGH
Summary
A local code execution vulnerability in Rockwell Automation Arena could allow an attacker to execute arbitrary code by writing outside of the allocated memory buffer. The flaw arises from improper validation of user-supplied data and could let a threat actor disclose sensitive information or run malicious code. Exploitation requires a legitimate user to open a specially crafted DOE file, so users should be cautious about opening files from unknown sources.
Affected Version(s)
Arena® 16.20.08 and earlier
References
CVSS V4
Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved