Skip to main content

RSA Archer CVE-2025-50572

HIGH
Improper Neutralization of Formula Elements in a CSV File (CWE-1236)
2025-07-31 cve@mitre.org
8.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.0 HIGH

Injecting into Archer needs an authenticated user (PR:L); victim must open the export and bypass modern spreadsheet warnings (UI:R, AC:H); code runs on a separate workstation, not the server (S:C).

3.1 AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 14:31 vuln.today

DescriptionCVE.org

Archer 6.11.00204.10014 allows attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications. NOTE: the Supplier does not accept this as a valid vulnerability report against their product.

AnalysisAI

Arbitrary code execution via CSV/formula injection in RSA Archer (Archer IRM) 6.11.00204.10014 lets an attacker plant spreadsheet formulas through system input fields that are later written into exported CSV files; when a victim opens the export in Excel or a compatible application, the embedded formula runs on their workstation. Publicly available exploit code exists (a proof-of-concept GitHub repository), but the issue is disputed by the vendor and is not listed in CISA KEV. Impact depends entirely on a victim opening the malicious export and bypassing modern spreadsheet warnings, so real-world severity is lower than the 8.8 CVSS suggests.

Technical ContextAI

This is a classic CSV formula/dynamic-data injection issue (CWE-1236, Improper Neutralization of Formula Elements in a CSV File). RSA Archer is an enterprise Integrated Risk Management (GRC) platform where users enter data into records and fields; when that data is exported to CSV, values beginning with formula-trigger characters (=, +, -, @, and tab/carriage-return variants) are not neutralized. Spreadsheet applications such as Microsoft Excel and LibreOffice Calc interpret these leading characters as live formulas, and functions like DDE, HYPERLINK, or WEBSERVICE (or legacy cmd/DDE payloads) can be abused to run commands or exfiltrate data on the machine that opens the file. Critically, the code does NOT execute on the Archer server - it executes in the client application of whoever opens the export, so this is fundamentally a downstream/output-encoding defect rather than a server-side RCE.

Affected ProductsAI

The report names RSA Archer (also branded Archer IRM / RSA Archer Suite) version 6.11.00204.10014, and the vendor community advisory indicates the formula-injection behavior affects RSA Archer 6.1.x and higher. No CPE string or EPSS data was supplied to pin the exact platform range beyond these values. Details are documented in the vendor/community post at https://www.archerirm.community/s/blogs/formula-injection-into-csv-files-vulnerability-in-rsa-archer-6-1-x-and-higher-MCOCQFO3WCQBCCHMKNC74JGSFWQY and a third-party proof of concept at https://github.com/shorooq-hummdi/Archer-csv-injection-command-exec/blob/main/README.md.

RemediationAI

No vendor-released patch is identified at time of analysis - the supplier disputes the report, so no fixed version number can be cited; do not assume an upstream release addresses it. Because this is an output-encoding flaw, the practical fix is at export time: sanitize exported CSV values by prefixing any cell beginning with =, +, -, @, tab, or carriage return with a single quote or a leading space, or wrap such values so the spreadsheet treats them as text (trade-off: alters exported data cosmetically and may affect downstream parsing of legitimate numeric/formula-looking values). On the client side, enforce Microsoft Office hardening via GPO: keep Protected View enabled, disable Dynamic Data Exchange (DDE) and automatic link/formula updates, and block or warn on WEBSERVICE/HYPERLINK auto-execution (trade-off: may break legitimate spreadsheets that rely on external links). Restrict who can enter data into Archer fields that feed exports, and treat CSV exports of user-supplied content as untrusted. Review the vendor community advisory (https://www.archerirm.community/s/blogs/formula-injection-into-csv-files-vulnerability-in-rsa-archer-6-1-x-and-higher-MCOCQFO3WCQBCCHMKNC74JGSFWQY) for any vendor guidance.

Share

CVE-2025-50572 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy