Studio 5000 Logix Designer
Monthly
Local arbitrary code execution in Rockwell Automation Studio 5000 Logix Designer arises because the External Tools configuration stores executable paths that contain spaces without quoting (CWE-428). A low-privileged local user who can write a malicious binary into an earlier segment of the resolved search path can have Windows execute it in place of the intended tool, running code with the privileges of the operator using the application. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 score is 7.3 (High), tempered by local access, high attack complexity, a present attack requirement, and required active user interaction.
Local authenticated code execution in Rockwell Automation Studio 5000 Logix Designer allows any low-privileged authenticated user to tamper with the incorrectly-protected external-tools configuration file (CWE-863) and redirect a configured tool path to a malicious executable. Because the payload runs when a different user later invokes the external tools feature, this is effectively a privilege-crossing RCE against the engineering workstation. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exploitation is gated by high attack complexity, a specific attack requirement, and required victim interaction (CVSS 4.0 base 7.3).
Path traversal in Rockwell Automation's Studio 5000 Logix Designer allows an attacker who can deliver a crafted ACD project file to write arbitrary files to attacker-controlled locations on an engineer's workstation. The software fails to sanitize or validate embedded filenames during the ACD project-open procedure, enabling path traversal sequences to escape the intended extraction directory and potentially achieve code execution. No public exploit code or CISA KEV listing has been identified at time of analysis, but the ICS context makes targeted file-delivery attacks via spear-phishing or shared project repositories a realistic threat vector.
Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterprise): Versions 6.00, 6.10, and 6.11, RSLinx Classic: Version 4.11.00 and prior,. Rated high severity (CVSS 8.2), this vulnerability is no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterprise): Versions 6.00, 6.10, and 6.11, RSLinx Classic: Version 4.11.00 and prior,. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.
Local arbitrary code execution in Rockwell Automation Studio 5000 Logix Designer arises because the External Tools configuration stores executable paths that contain spaces without quoting (CWE-428). A low-privileged local user who can write a malicious binary into an earlier segment of the resolved search path can have Windows execute it in place of the intended tool, running code with the privileges of the operator using the application. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 score is 7.3 (High), tempered by local access, high attack complexity, a present attack requirement, and required active user interaction.
Local authenticated code execution in Rockwell Automation Studio 5000 Logix Designer allows any low-privileged authenticated user to tamper with the incorrectly-protected external-tools configuration file (CWE-863) and redirect a configured tool path to a malicious executable. Because the payload runs when a different user later invokes the external tools feature, this is effectively a privilege-crossing RCE against the engineering workstation. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exploitation is gated by high attack complexity, a specific attack requirement, and required victim interaction (CVSS 4.0 base 7.3).
Path traversal in Rockwell Automation's Studio 5000 Logix Designer allows an attacker who can deliver a crafted ACD project file to write arbitrary files to attacker-controlled locations on an engineer's workstation. The software fails to sanitize or validate embedded filenames during the ACD project-open procedure, enabling path traversal sequences to escape the intended extraction directory and potentially achieve code execution. No public exploit code or CISA KEV listing has been identified at time of analysis, but the ICS context makes targeted file-delivery attacks via spear-phishing or shared project repositories a realistic threat vector.
Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterprise): Versions 6.00, 6.10, and 6.11, RSLinx Classic: Version 4.11.00 and prior,. Rated high severity (CVSS 8.2), this vulnerability is no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterprise): Versions 6.00, 6.10, and 6.11, RSLinx Classic: Version 4.11.00 and prior,. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.