{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-6377","assignerOrgId":"b73dd486-f505-4403-b634-40b078b177f0","state":"PUBLISHED","assignerShortName":"Rockwell","dateReserved":"2025-06-19T17:39:11.774Z","datePublished":"2025-07-09T20:12:47.647Z","dateUpdated":"2025-07-09T20:39:10.481Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Arena®","vendor":"Rockwell Automation","versions":[{"status":"affected","version":"<=16.20.08"}]}],"datePublic":"2025-07-09T19:31:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>A remote\ncode execution security issue exists in the Rockwell Automation&nbsp;Arena®.&nbsp;&nbsp;A crafted DOE\nfile can force Arena Simulation to write beyond the boundaries of an allocated\nobject. Exploitation\nrequires user interaction, such as opening a malicious file within the software.\nIf exploited, a threat actor could execute arbitrary code on the target system.\nThe software must run under the context of the administrator in order to cause\nworse case impact. This is reflected in the Rockwell CVSS score, as AT:P.</p>\n\n\n\n\n\n<br>"}],"value":"A remote\ncode execution security issue exists in the Rockwell Automation Arena®.  A crafted DOE\nfile can force Arena Simulation to write beyond the boundaries of an allocated\nobject. Exploitation\nrequires user interaction, such as opening a malicious file within the software.\nIf exploited, a threat actor could execute arbitrary code on the target system.\nThe software must run under the context of the administrator in order to cause\nworse case impact. This is reflected in the Rockwell CVSS score, as AT:P."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"HIGH","attackRequirements":"PRESENT","attackVector":"LOCAL","baseScore":7.1,"baseSeverity":"HIGH","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"ACTIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-20","description":"CWE-20 Improper Input Validation","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"b73dd486-f505-4403-b634-40b078b177f0","shortName":"Rockwell","dateUpdated":"2025-07-09T20:12:47.647Z"},"references":[{"url":"https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1729.html"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Corrected in v16.20.09 and later.&nbsp;"}],"value":"Corrected in v16.20.09 and later."}],"source":{"advisory":"1729","discovery":"EXTERNAL"},"title":"Arena® Simulation Out-Of-Bounds Write Remote Code Execution Vulnerability","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-07-09T20:37:33.961481Z","id":"CVE-2025-6377","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-07-09T20:39:10.481Z"}}]}}