Skip to main content

Studio 5000 Logix Designer EUVDEUVD-2026-43707

| CVE-2026-9108 MEDIUM
Path Traversal (CWE-22)
2026-07-14 Rockwell GHSA-592c-v2mf-x9pf
5.4
CVSS 4.0 · Vendor: Rockwell
Share

Severity by source

Vendor (Rockwell) PRIMARY
5.4 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local vector as exploitation occurs on victim's workstation via file open; no attacker privileges required on target; user interaction required to open ACD file; scope unchanged with full CIA impact via arbitrary write.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Rockwell).

CVSS VectorVendor: Rockwell

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 14, 2026 - 16:08 vuln.today

DescriptionCVE.org

A path traversal security issue exists within Studio 5000 Logix Designer® due to improper limitation of file paths within ACD project files. The software does not sanitize or validate file names embedded in the ACD file structure during the project opening procedure, allowing path traversal sequences to escape the intended extraction directory. If exploited, an attacker could craft a malicious ACD project file that results in arbitrary files being written to attacker-controlled locations on the file system, potentially leading to code execution.

AnalysisAI

Path traversal in Rockwell Automation's Studio 5000 Logix Designer allows an attacker who can deliver a crafted ACD project file to write arbitrary files to attacker-controlled locations on an engineer's workstation. The software fails to sanitize or validate embedded filenames during the ACD project-open procedure, enabling path traversal sequences to escape the intended extraction directory and potentially achieve code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious ACD file with path traversal filenames
Delivery
Deliver file to ICS engineer via phishing or shared repository
Exploit
Engineer opens file in Logix Designer
Execution
Extraction routine writes payload to attacker-chosen filesystem path
Persist
Payload executes at system startup or application trigger
Impact
Attacker gains code execution on engineering workstation

Vulnerability AssessmentAI

Exploitation Exploitation requires a target user to actively open a maliciously crafted ACD project file in Studio 5000 Logix Designer on a Windows engineering workstation - the CVSS 4.0 UI:A metric confirms this active user interaction is mandatory and cannot be bypassed remotely. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:H/AT:P/PR:L/UI:A) and base score of 5.4 reflect the constrained exploitation conditions: local attack vector, high attack complexity, presence of specific preconditions (AT:P), low-privilege requirement, and mandatory active user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting an OT environment crafts a malicious ACD project file with filenames embedded in its archive structure containing path traversal sequences (e.g., '../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/payload.bat'), then delivers the file to a control systems engineer via spear-phishing or by compromising a shared project file repository used by the engineering team. When the engineer opens the file in Studio 5000 Logix Designer, the extraction routine writes the attacker's payload to the startup folder, achieving persistent code execution on the engineering workstation at next login. …
Remediation Consult Rockwell Automation security advisory SD1783 at https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1783.html for the specific patched version and upgrade instructions, as no exact fixed version number is confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy