Skip to main content

Studio 5000 Logix Designer

7 CVEs product

Monthly

CVE-2026-9128 HIGH This Week

Local arbitrary code execution in Rockwell Automation Studio 5000 Logix Designer arises because the External Tools configuration stores executable paths that contain spaces without quoting (CWE-428). A low-privileged local user who can write a malicious binary into an earlier segment of the resolved search path can have Windows execute it in place of the intended tool, running code with the privileges of the operator using the application. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 score is 7.3 (High), tempered by local access, high attack complexity, a present attack requirement, and required active user interaction.

RCE Studio 5000 Logix Designer
NVD
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-9127 HIGH This Week

Local authenticated code execution in Rockwell Automation Studio 5000 Logix Designer allows any low-privileged authenticated user to tamper with the incorrectly-protected external-tools configuration file (CWE-863) and redirect a configured tool path to a malicious executable. Because the payload runs when a different user later invokes the external tools feature, this is effectively a privilege-crossing RCE against the engineering workstation. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exploitation is gated by high attack complexity, a specific attack requirement, and required victim interaction (CVSS 4.0 base 7.3).

Authentication Bypass RCE Studio 5000 Logix Designer
NVD
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-9108 MEDIUM This Month

Path traversal in Rockwell Automation's Studio 5000 Logix Designer allows an attacker who can deliver a crafted ACD project file to write arbitrary files to attacker-controlled locations on an engineer's workstation. The software fails to sanitize or validate embedded filenames during the ACD project-open procedure, enabling path traversal sequences to escape the intended extraction directory and potentially achieve code execution. No public exploit code or CISA KEV listing has been identified at time of analysis, but the ICS context makes targeted file-delivery attacks via spear-phishing or shared project repositories a realistic threat vector.

Path Traversal RCE Studio 5000 Logix Designer
NVD
CVSS 4.0
5.4
EPSS
0.1%
CVE-2021-22681 CRITICAL KEV THREAT Act Now

Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Rockwell Authentication Bypass Factorytalk Services Platform Rslogix 5000 Studio 5000 Logix Designer
NVD
CVSS 3.1
9.8
EPSS
25.5%
CVE-2020-12025 LOW Monitor

Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Rockwell XXE Studio 5000 Logix Designer
NVD
CVSS 3.1
3.3
EPSS
1.5%
CVE-2020-12034 HIGH PATCH This Week

Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterprise): Versions 6.00, 6.10, and 6.11, RSLinx Classic: Version 4.11.00 and prior,. Rated high severity (CVSS 8.2), this vulnerability is no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Eds Subsystem Rslinx Rslinx Enterprise Rsnetworx +1
NVD
CVSS 3.1
8.2
EPSS
1.3%
CVE-2020-12038 MEDIUM PATCH This Month

Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterprise): Versions 6.00, 6.10, and 6.11, RSLinx Classic: Version 4.11.00 and prior,. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Eds Subsystem Rslinx Rslinx Enterprise Rsnetworx +1
NVD
CVSS 3.1
5.5
EPSS
2.5%
EPSS 0% CVSS 7.3
HIGH This Week

Local arbitrary code execution in Rockwell Automation Studio 5000 Logix Designer arises because the External Tools configuration stores executable paths that contain spaces without quoting (CWE-428). A low-privileged local user who can write a malicious binary into an earlier segment of the resolved search path can have Windows execute it in place of the intended tool, running code with the privileges of the operator using the application. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 score is 7.3 (High), tempered by local access, high attack complexity, a present attack requirement, and required active user interaction.

RCE Studio 5000 Logix Designer
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Local authenticated code execution in Rockwell Automation Studio 5000 Logix Designer allows any low-privileged authenticated user to tamper with the incorrectly-protected external-tools configuration file (CWE-863) and redirect a configured tool path to a malicious executable. Because the payload runs when a different user later invokes the external tools feature, this is effectively a privilege-crossing RCE against the engineering workstation. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exploitation is gated by high attack complexity, a specific attack requirement, and required victim interaction (CVSS 4.0 base 7.3).

Authentication Bypass RCE Studio 5000 Logix Designer
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Path traversal in Rockwell Automation's Studio 5000 Logix Designer allows an attacker who can deliver a crafted ACD project file to write arbitrary files to attacker-controlled locations on an engineer's workstation. The software fails to sanitize or validate embedded filenames during the ACD project-open procedure, enabling path traversal sequences to escape the intended extraction directory and potentially achieve code execution. No public exploit code or CISA KEV listing has been identified at time of analysis, but the ICS context makes targeted file-delivery attacks via spear-phishing or shared project repositories a realistic threat vector.

Path Traversal RCE Studio 5000 Logix Designer
NVD
EPSS 25% CVSS 9.8
CRITICAL KEV THREAT Act Now

Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Rockwell Authentication Bypass Factorytalk Services Platform +2
NVD
EPSS 2% CVSS 3.3
LOW Monitor

Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 32.01, and 32.02 vulnerable to an xml external entity (XXE) vulnerability, which may allow an attacker to view hostnames or other. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Rockwell XXE Studio 5000 Logix Designer
NVD
EPSS 1% CVSS 8.2
HIGH PATCH This Week

Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterprise): Versions 6.00, 6.10, and 6.11, RSLinx Classic: Version 4.11.00 and prior,. Rated high severity (CVSS 8.2), this vulnerability is no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Eds Subsystem Rslinx +3
NVD
EPSS 3% CVSS 5.5
MEDIUM PATCH This Month

Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterprise): Versions 6.00, 6.10, and 6.11, RSLinx Classic: Version 4.11.00 and prior,. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Eds Subsystem Rslinx +3
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy