Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local config-file tampering by an authenticated low-priv user (AV:L/PR:L), gated by conditions and victim launch (AC:H/UI:R); code runs in another user's context so scope changes (S:C) with full C/I/A impact.
Primary rating from Vendor (Rockwell).
CVSS VectorVendor: Rockwell
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A remote code execution security issue exists within Studio 5000 Logix Designer® due to incorrect authorization on a configuration file. This can allow any authenticated user to modify the paths of external tools configured within the application. If exploited, an attacker could alter the configuration to point to a malicious executable, resulting in arbitrary code execution when any user interacts with the external tools functionality.
AnalysisAI
Local authenticated code execution in Rockwell Automation Studio 5000 Logix Designer allows any low-privileged authenticated user to tamper with the incorrectly-protected external-tools configuration file (CWE-863) and redirect a configured tool path to a malicious executable. Because the payload runs when a different user later invokes the external tools feature, this is effectively a privilege-crossing RCE against the engineering workstation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already be an authenticated, low-privileged user on a system running Studio 5000 Logix Designer (PR:L) with write access to the application's external-tools configuration file, and it requires a second user to subsequently interact with the external-tools functionality for the malicious executable to run (UI:A / active user interaction). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:L/AC:H/AT:P/PR:L/UI:A) paints a modest real-world risk: exploitation is local, requires an existing authenticated foothold (PR:L), carries high attack complexity plus a distinct attack requirement (AC:H/AT:P), and depends on another user actively interacting with the external-tools feature (UI:A). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged but authenticated user on a shared Studio 5000 engineering workstation edits the poorly-protected external-tools configuration file to repoint a legitimate tool entry at a malicious executable they have planted. When a higher-privileged engineer later clicks that external tool inside Studio 5000, the attacker's payload runs in the engineer's security context, yielding arbitrary code execution on the ICS host. … |
| Remediation | Apply the fix described in Rockwell Automation advisory SD1783 (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1783.html); the exact patched build is not included in the provided data, so obtain the precise fixed version from that advisory rather than assuming a number - patch available per vendor advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit and restrict file-system write permissions on external-tools configuration files to system administrators only, and document all currently configured external tools. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Studio 5000 Logix Designer
View allRockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key
Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterpris
Local arbitrary code execution in Rockwell Automation Studio 5000 Logix Designer arises because the External Tools confi
Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterpris
Path traversal in Rockwell Automation's Studio 5000 Logix Designer allows an attacker who can deliver a crafted ACD proj
Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XX
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43708
GHSA-7j8p-86gv-324v