Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability exists in the Rockwell Automation Verve Asset Manager due to insufficient variable sanitizing. A portion of the administrative web interface for Verve's Legacy Agentless Device Inventory (ADI) capability (deprecated since the 1.36 release) allows users to change a variable with inadequate sanitizing. If exploited, it could allow a threat actor with administrative access to run arbitrary commands in the context of the container running the service.
AnalysisAI
A vulnerability exists in the Rockwell Automation Verve Asset Manager due to insufficient variable sanitizing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
A vulnerability exists in the Rockwell Automation Verve Asset Manager due to insufficient variable sanitizing. A portion of the administrative web interface for Verve's Legacy Agentless Device Inventory (ADI) capability (deprecated since the 1.36 release) allows users to change a variable with inadequate sanitizing. If exploited, it could allow a threat actor with administrative access to run arbitrary commands in the context of the container running the service.
Affected ProductsAI
See vendor advisory for affected versions.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
A local code execution vulnerability exists in the Rockwell Automation Arena® due to a stack-based memory buffer overflo
A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read o
A local code execution vulnerability exists in the Rockwell Automation Arena® due to a stack-based memory buffer overflo
A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read o
A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to read o
A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to write
A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to write
A local code execution vulnerability exists in the Rockwell Automation Arena® due to a threat actor being able to write
A local code execution vulnerability exists in the Rockwell Automation Arena® due to an uninitialized pointer. Rated hig
A local code execution vulnerability exists in the Rockwell Automation Arena® due to an uninitialized pointer. Rated hig
A denial-of-service vulnerability exists in the Rockwell Automation ThinManager. Rated high severity (CVSS 8.5), this vu
A privilege escalation vulnerability exists in the Rockwell Automation ThinManager. Rated high severity (CVSS 8.5), this
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today