Skip to main content

Studio 5000 CVE-2026-9127

| EUVDEUVD-2026-43708 HIGH
Incorrect Authorization (CWE-863)
2026-07-14 Rockwell GHSA-7j8p-86gv-324v
7.3
CVSS 4.0 · Vendor: Rockwell
Share

Severity by source

Vendor (Rockwell) PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Local config-file tampering by an authenticated low-priv user (AV:L/PR:L), gated by conditions and victim launch (AC:H/UI:R); code runs in another user's context so scope changes (S:C) with full C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Rockwell).

CVSS VectorVendor: Rockwell

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 16:02 vuln.today
CVE Published
Jul 14, 2026 - 15:10 cve.org
HIGH 7.3

DescriptionCVE.org

A remote code execution security issue exists within Studio 5000 Logix Designer® due to incorrect authorization on a configuration file. This can allow any authenticated user to modify the paths of external tools configured within the application. If exploited, an attacker could alter the configuration to point to a malicious executable, resulting in arbitrary code execution when any user interacts with the external tools functionality.

AnalysisAI

Local authenticated code execution in Rockwell Automation Studio 5000 Logix Designer allows any low-privileged authenticated user to tamper with the incorrectly-protected external-tools configuration file (CWE-863) and redirect a configured tool path to a malicious executable. Because the payload runs when a different user later invokes the external tools feature, this is effectively a privilege-crossing RCE against the engineering workstation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged user on host
Delivery
Locate misprotected external-tools config file
Exploit
Rewrite tool path to malicious executable
Execution
Wait for victim to invoke external tool
Persist
Payload executes in victim context
Impact
Arbitrary code execution on engineering workstation

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already be an authenticated, low-privileged user on a system running Studio 5000 Logix Designer (PR:L) with write access to the application's external-tools configuration file, and it requires a second user to subsequently interact with the external-tools functionality for the malicious executable to run (UI:A / active user interaction). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:L/AC:H/AT:P/PR:L/UI:A) paints a modest real-world risk: exploitation is local, requires an existing authenticated foothold (PR:L), carries high attack complexity plus a distinct attack requirement (AC:H/AT:P), and depends on another user actively interacting with the external-tools feature (UI:A). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged but authenticated user on a shared Studio 5000 engineering workstation edits the poorly-protected external-tools configuration file to repoint a legitimate tool entry at a malicious executable they have planted. When a higher-privileged engineer later clicks that external tool inside Studio 5000, the attacker's payload runs in the engineer's security context, yielding arbitrary code execution on the ICS host. …
Remediation Apply the fix described in Rockwell Automation advisory SD1783 (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1783.html); the exact patched build is not included in the provided data, so obtain the precise fixed version from that advisory rather than assuming a number - patch available per vendor advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit and restrict file-system write permissions on external-tools configuration files to system administrators only, and document all currently configured external tools. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9127 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy