Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local access with low privileges (AV:L/PR:L), requires a writable earlier path plus operator action (AC:H/UI:R); code runs in the user's own context so scope unchanged (S:U) with full C/I/A impact.
Primary rating from Vendor (Rockwell).
CVSS VectorVendor: Rockwell
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A code execution security issue exists within Studio 5000 Logix Designer® due to an unquoted search path in the External Tools configuration. The executable paths specified in the external tools configuration file are not properly quoted, and because these paths contain spaces, the operating system may resolve them to unintended executables placed earlier in the search order. If exploited, an attacker could plant a malicious executable in a location within the search path, resulting in arbitrary code execution with the same permissions of the user running the application.
AnalysisAI
Local arbitrary code execution in Rockwell Automation Studio 5000 Logix Designer arises because the External Tools configuration stores executable paths that contain spaces without quoting (CWE-428). A low-privileged local user who can write a malicious binary into an earlier segment of the resolved search path can have Windows execute it in place of the intended tool, running code with the privileges of the operator using the application. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to the machine running Studio 5000 Logix Designer with at least low-privilege authenticated rights (PR:L), plus the ability to write a malicious executable into a directory that appears earlier in the resolved, unquoted External Tools search path - the specific configuration element being an external-tool executable path that contains spaces and is stored unquoted. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a legitimate but conditional escalation/execution primitive rather than a mass-exploitable remote flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An insider or an attacker who has already compromised a low-privileged account on an engineering workstation drops a malicious 'Program.exe' (or similarly named binary) into a writable directory that precedes the intended external tool in the search order. When an engineer later launches the affected External Tool from within Studio 5000 Logix Designer, Windows resolves the unquoted path to the planted executable and runs it with that engineer's privileges. … |
| Remediation | Apply the update identified in Rockwell Automation security advisory SD1783 (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1783.html); an exact fixed version is not included in the provided data, so obtain it directly from that advisory rather than assuming a version number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all systems running Studio 5000 Logix Designer and audit which users have local access; implement principle-of-least-privilege on affected machines. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Studio 5000 Logix Designer
View allRockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key
Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterpris
Local authenticated code execution in Rockwell Automation Studio 5000 Logix Designer allows any low-privileged authentic
Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterpris
Path traversal in Rockwell Automation's Studio 5000 Logix Designer allows an attacker who can deliver a crafted ACD proj
Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XX
Same weakness CWE-428 – Unquoted Search Path or Element
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43711
GHSA-9425-qrrg-4g6q