RSA Archer CVE-2025-50572
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Injecting into Archer needs an authenticated user (PR:L); victim must open the export and bypass modern spreadsheet warnings (UI:R, AC:H); code runs on a separate workstation, not the server (S:C).
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Archer 6.11.00204.10014 allows attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications. NOTE: the Supplier does not accept this as a valid vulnerability report against their product.
AnalysisAI
Arbitrary code execution via CSV/formula injection in RSA Archer (Archer IRM) 6.11.00204.10014 lets an attacker plant spreadsheet formulas through system input fields that are later written into exported CSV files; when a victim opens the export in Excel or a compatible application, the embedded formula runs on their workstation. Publicly available exploit code exists (a proof-of-concept GitHub repository), but the issue is disputed by the vendor and is not listed in CISA KEV. Impact depends entirely on a victim opening the malicious export and bypassing modern spreadsheet warnings, so real-world severity is lower than the 8.8 CVSS suggests.
Technical ContextAI
This is a classic CSV formula/dynamic-data injection issue (CWE-1236, Improper Neutralization of Formula Elements in a CSV File). RSA Archer is an enterprise Integrated Risk Management (GRC) platform where users enter data into records and fields; when that data is exported to CSV, values beginning with formula-trigger characters (=, +, -, @, and tab/carriage-return variants) are not neutralized. Spreadsheet applications such as Microsoft Excel and LibreOffice Calc interpret these leading characters as live formulas, and functions like DDE, HYPERLINK, or WEBSERVICE (or legacy cmd/DDE payloads) can be abused to run commands or exfiltrate data on the machine that opens the file. Critically, the code does NOT execute on the Archer server - it executes in the client application of whoever opens the export, so this is fundamentally a downstream/output-encoding defect rather than a server-side RCE.
Affected ProductsAI
The report names RSA Archer (also branded Archer IRM / RSA Archer Suite) version 6.11.00204.10014, and the vendor community advisory indicates the formula-injection behavior affects RSA Archer 6.1.x and higher. No CPE string or EPSS data was supplied to pin the exact platform range beyond these values. Details are documented in the vendor/community post at https://www.archerirm.community/s/blogs/formula-injection-into-csv-files-vulnerability-in-rsa-archer-6-1-x-and-higher-MCOCQFO3WCQBCCHMKNC74JGSFWQY and a third-party proof of concept at https://github.com/shorooq-hummdi/Archer-csv-injection-command-exec/blob/main/README.md.
RemediationAI
No vendor-released patch is identified at time of analysis - the supplier disputes the report, so no fixed version number can be cited; do not assume an upstream release addresses it. Because this is an output-encoding flaw, the practical fix is at export time: sanitize exported CSV values by prefixing any cell beginning with =, +, -, @, tab, or carriage return with a single quote or a leading space, or wrap such values so the spreadsheet treats them as text (trade-off: alters exported data cosmetically and may affect downstream parsing of legitimate numeric/formula-looking values). On the client side, enforce Microsoft Office hardening via GPO: keep Protected View enabled, disable Dynamic Data Exchange (DDE) and automatic link/formula updates, and block or warn on WEBSERVICE/HYPERLINK auto-execution (trade-off: may break legitimate spreadsheets that rely on external links). Restrict who can enter data into Archer fields that feed exports, and treat CSV exports of user-supplied content as untrusted. Review the vendor community advisory (https://www.archerirm.community/s/blogs/formula-injection-into-csv-files-vulnerability-in-rsa-archer-6-1-x-and-higher-MCOCQFO3WCQBCCHMKNC74JGSFWQY) for any vendor guidance.
Share
External POC / Exploit Code
Leaving vuln.today