Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector as exploitation occurs on victim's workstation via file open; no attacker privileges required on target; user interaction required to open ACD file; scope unchanged with full CIA impact via arbitrary write.
Primary rating from Vendor (Rockwell).
CVSS VectorVendor: Rockwell
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A path traversal security issue exists within Studio 5000 Logix Designer® due to improper limitation of file paths within ACD project files. The software does not sanitize or validate file names embedded in the ACD file structure during the project opening procedure, allowing path traversal sequences to escape the intended extraction directory. If exploited, an attacker could craft a malicious ACD project file that results in arbitrary files being written to attacker-controlled locations on the file system, potentially leading to code execution.
AnalysisAI
Path traversal in Rockwell Automation's Studio 5000 Logix Designer allows an attacker who can deliver a crafted ACD project file to write arbitrary files to attacker-controlled locations on an engineer's workstation. The software fails to sanitize or validate embedded filenames during the ACD project-open procedure, enabling path traversal sequences to escape the intended extraction directory and potentially achieve code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a target user to actively open a maliciously crafted ACD project file in Studio 5000 Logix Designer on a Windows engineering workstation - the CVSS 4.0 UI:A metric confirms this active user interaction is mandatory and cannot be bypassed remotely. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:H/AT:P/PR:L/UI:A) and base score of 5.4 reflect the constrained exploitation conditions: local attack vector, high attack complexity, presence of specific preconditions (AT:P), low-privilege requirement, and mandatory active user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting an OT environment crafts a malicious ACD project file with filenames embedded in its archive structure containing path traversal sequences (e.g., '../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/payload.bat'), then delivers the file to a control systems engineer via spear-phishing or by compromising a shared project file repository used by the engineering team. When the engineer opens the file in Studio 5000 Logix Designer, the extraction routine writes the attacker's payload to the startup folder, achieving persistent code execution on the engineering workstation at next login. … |
| Remediation | Consult Rockwell Automation security advisory SD1783 at https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1783.html for the specific patched version and upgrade instructions, as no exact fixed version number is confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Studio 5000 Logix Designer
View allRockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key
Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterpris
Local arbitrary code execution in Rockwell Automation Studio 5000 Logix Designer arises because the External Tools confi
Local authenticated code execution in Rockwell Automation Studio 5000 Logix Designer allows any low-privileged authentic
Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterpris
Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XX
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43707
GHSA-592c-v2mf-x9pf