CVE-2025-7353 (GCVE-0-2025-7353)

Vulnerability from cvelistv5 – Published: 2025-08-14 13:23 – Updated: 2025-08-15 03:55
VLAI?
Title
Rockwell Automation ControlLogix® Ethernet Remote Code Execution Vulnerability
Summary
A security issue exists due to the web-based debugger agent enabled on Rockwell Automation ControlLogix® Ethernet Modules. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps, modify memory, and control execution flow.
Severity ?
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE
  • CWE-1188 - Initialization of a Resource with an Insecure Default
Assigner
References
Impacted products
Vendor Product Version
Rockwell Automation 1756-EN2T/D Affected: Version 11.004 or below
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-7353",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-15T03:55:58.371Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "1756-EN2T/D",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "Version 11.004 or below"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "1756-EN2F/C",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "Version 11.004 or below"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "1756-EN2TR/C",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "Version 11.004 or below"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "1756-EN3TR/B",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "Version 11.004 or below"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "1756-EN2TP/A",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "Version 11.004 or below"
            }
          ]
        }
      ],
      "datePublic": "2025-08-14T13:11:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA security issue exists due to the web-based debugger agent enabled on Rockwell Automation ControlLogix\u00ae Ethernet Modules. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps, modify memory, and control execution flow. \u0026nbsp;\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "A security issue exists due to the web-based debugger agent enabled on Rockwell Automation ControlLogix\u00ae Ethernet Modules. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps, modify memory, and control execution flow."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188: Initialization of a Resource with an Insecure Default",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-14T13:49:37.413Z",
        "orgId": "b73dd486-f505-4403-b634-40b078b177f0",
        "shortName": "Rockwell"
      },
      "references": [
        {
          "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1732.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e12.001 and later\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "12.001 and later"
        }
      ],
      "source": {
        "advisory": "SD1732",
        "discovery": "INTERNAL"
      },
      "title": "Rockwell Automation ControlLogix\u00ae Ethernet Remote Code Execution Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b73dd486-f505-4403-b634-40b078b177f0",
    "assignerShortName": "Rockwell",
    "cveId": "CVE-2025-7353",
    "datePublished": "2025-08-14T13:23:26.940Z",
    "dateReserved": "2025-07-08T12:24:08.365Z",
    "dateUpdated": "2025-08-15T03:55:58.371Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-7353\",\"sourceIdentifier\":\"PSIRT@rockwellautomation.com\",\"published\":\"2025-08-14T14:15:35.137\",\"lastModified\":\"2025-08-15T13:13:07.817\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A security issue exists due to the web-based debugger agent enabled on Rockwell Automation ControlLogix\u00ae Ethernet Modules. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps, modify memory, and control execution flow.\"},{\"lang\":\"es\",\"value\":\"Existe un problema de seguridad debido al agente de depuraci\u00f3n web habilitado en los m\u00f3dulos Ethernet ControlLogix\u00ae de Rockwell Automation. Si se utiliza una direcci\u00f3n IP espec\u00edfica para conectarse al agente WDB, puede permitir que atacantes remotos realicen volcados de memoria, modifiquen la memoria y controlen el flujo de ejecuci\u00f3n.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"PSIRT@rockwellautomation.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"PSIRT@rockwellautomation.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1188\"}]}],\"references\":[{\"url\":\"https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1732.html\",\"source\":\"PSIRT@rockwellautomation.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-7353\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-14T13:33:16.555695Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-14T13:33:51.359Z\"}}], \"cna\": {\"title\": \"Rockwell Automation ControlLogix\\u00ae Ethernet Remote Code Execution Vulnerability\", \"source\": {\"advisory\": \"SD1732\", \"discovery\": \"INTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Rockwell Automation\", \"product\": \"1756-EN2T/D\", \"versions\": [{\"status\": \"affected\", \"version\": \"Version 11.004 or below\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Rockwell Automation\", \"product\": \"1756-EN2F/C\", \"versions\": [{\"status\": \"affected\", \"version\": \"Version 11.004 or below\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Rockwell Automation\", \"product\": \"1756-EN2TR/C\", \"versions\": [{\"status\": \"affected\", \"version\": \"Version 11.004 or below\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Rockwell Automation\", \"product\": \"1756-EN3TR/B\", \"versions\": [{\"status\": \"affected\", \"version\": \"Version 11.004 or below\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Rockwell Automation\", \"product\": \"1756-EN2TP/A\", \"versions\": [{\"status\": \"affected\", \"version\": \"Version 11.004 or below\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"12.001 and later\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e12.001 and later\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"datePublic\": \"2025-08-14T13:11:00.000Z\", \"references\": [{\"url\": \"https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1732.html\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A security issue exists due to the web-based debugger agent enabled on Rockwell Automation ControlLogix\\u00ae Ethernet Modules. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps, modify memory, and control execution flow.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eA security issue exists due to the web-based debugger agent enabled on Rockwell Automation ControlLogix\\u00ae Ethernet Modules. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps, modify memory, and control execution flow. \u0026nbsp;\u003c/p\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1188\", \"description\": \"CWE-1188: Initialization of a Resource with an Insecure Default\"}]}], \"providerMetadata\": {\"orgId\": \"b73dd486-f505-4403-b634-40b078b177f0\", \"shortName\": \"Rockwell\", \"dateUpdated\": \"2025-08-14T13:49:37.413Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-7353\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-15T03:55:58.371Z\", \"dateReserved\": \"2025-07-08T12:24:08.365Z\", \"assignerOrgId\": \"b73dd486-f505-4403-b634-40b078b177f0\", \"datePublished\": \"2025-08-14T13:23:26.940Z\", \"assignerShortName\": \"Rockwell\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.