Skip to main content

Studio 5000 EUVDEUVD-2026-43711

| CVE-2026-9128 HIGH
Unquoted Search Path or Element (CWE-428)
2026-07-14 Rockwell GHSA-9425-qrrg-4g6q
7.3
CVSS 4.0 · Vendor: Rockwell
Share

Severity by source

Vendor (Rockwell) PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.7 MEDIUM

Local access with low privileges (AV:L/PR:L), requires a writable earlier path plus operator action (AC:H/UI:R); code runs in the user's own context so scope unchanged (S:U) with full C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Rockwell).

CVSS VectorVendor: Rockwell

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 16:03 vuln.today
CVE Published
Jul 14, 2026 - 15:12 cve.org
HIGH 7.3

DescriptionCVE.org

A code execution security issue exists within Studio 5000 Logix Designer® due to an unquoted search path in the External Tools configuration. The executable paths specified in the external tools configuration file are not properly quoted, and because these paths contain spaces, the operating system may resolve them to unintended executables placed earlier in the search order. If exploited, an attacker could plant a malicious executable in a location within the search path, resulting in arbitrary code execution with the same permissions of the user running the application.

AnalysisAI

Local arbitrary code execution in Rockwell Automation Studio 5000 Logix Designer arises because the External Tools configuration stores executable paths that contain spaces without quoting (CWE-428). A low-privileged local user who can write a malicious binary into an earlier segment of the resolved search path can have Windows execute it in place of the intended tool, running code with the privileges of the operator using the application. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain low-privileged local access to engineering workstation
Delivery
Plant malicious executable in earlier search-path directory
Exploit
Legitimate user launches affected External Tool
Execution
Windows resolves unquoted path to planted binary
Impact
Arbitrary code executes with user's privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to the machine running Studio 5000 Logix Designer with at least low-privilege authenticated rights (PR:L), plus the ability to write a malicious executable into a directory that appears earlier in the resolved, unquoted External Tools search path - the specific configuration element being an external-tool executable path that contains spaces and is stored unquoted. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a legitimate but conditional escalation/execution primitive rather than a mass-exploitable remote flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An insider or an attacker who has already compromised a low-privileged account on an engineering workstation drops a malicious 'Program.exe' (or similarly named binary) into a writable directory that precedes the intended external tool in the search order. When an engineer later launches the affected External Tool from within Studio 5000 Logix Designer, Windows resolves the unquoted path to the planted executable and runs it with that engineer's privileges. …
Remediation Apply the update identified in Rockwell Automation security advisory SD1783 (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1783.html); an exact fixed version is not included in the provided data, so obtain it directly from that advisory rather than assuming a version number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running Studio 5000 Logix Designer and audit which users have local access; implement principle-of-least-privilege on affected machines. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy