Last week, a CISA advisory was issued for vulnerabilities present in Rockwell Automation EDS Subsystem versions 28.0.1 and prior, which were discovered by Claroty VP of Research Amir Preminger and Principal Vulnerability Researcher Sharon Brizinov.
Affected Rockwell Automation products include FactoryTalk Linx software versions 6.00, 6.10, and 6.11; RSLinx Classic 4.11.00 and prior; RSNetWorx versions 28.00.00 and prior; and Studio 5000 Logix Designer version 32 and prior. While not known to have been weaponized in the wild, successful exploitation of these vulnerabilities could lead to an arbitrary file write and/or denial-of-service condition.
The discovered vulnerabilities involve a flaw in how the EDS Subsystem parses and stores the content of EDS files. As part of Claroty's ongoing white-hat OT security research, Preminger and Brizinov were able to create a malicious EDS file that writes a Windows batch file onto an arbitrary path (which may include the startup directory) when parsed by Rockwell Automation software. Preminger and Brizinov then presented the malicious EDS file to the EDS Subsystem by emulating an in-network device—an attack strategy sometimes known as a reverse honeypot. Upon restart, the malicious code was executed on the targeted devices.
EDS files are simple text files used by network configuration tools to help identify products and easily commission them on a network. When Rockwell Automation software (e.g. RSLinx) connects to a new type of device, it will read and parse the device's EDS to determine the type of the device and other properties, thus allowing the software to communicate appropriately with the device.
The discovered vulnerabilities can be exploited remotely, but only from within the local network. By connecting their own device or emulating a device via Python to the shop-floor network and successfully impersonating a new, in-network device, an adversary could present a malicious EDS file to discovery software within a targeted network.
In this case, Rockwell Automation's network discovery tools could encounter an attacker's fake device and ask for its malicious EDS file. Upon reading and parsing the EDS file, the vulnerability will be triggered, and a new file will be written to the disk of Rockwell Automation engineering workstations or HMIs. In doing so, the attack would expand their foothold within the victim's network to Rockwell Automation equipment.
The following CVEs were assigned for the vulnerabilities in Rockwell Automation EDS Subsystem recently discovered by Preminger and Brizinov:
Improper restriction of operations within the bounds of a memory buffer (CVE-2020-12038): A memory corruption vulnerability in the algorithm that matches square brackets in the EDS subsystem may allow an attacker to craft specialized EDS files to crash the EDSParser COM object, leading to denial-of-service conditions.
Improper neutralization of special elements in an SQL command — 'SQL Injection' (CVE-2020-12034): Since the EDS subsystem does not provide adequate input sanitization, an attacker may be allowed to craft specialized EDS files to inject SQL queries and manipulate the database storing the EDS files. As a result, the attacker may be able to carry out a denial-of-service attack or manipulate the SQL engine to write or modify files on the system.
These vulnerabilities underscore why it's essential for security teams to be able to monitor OT networks and identify new devices and other potential threats in real time, thus preventing the abuse of automated discovery features that so many vendors offer.
In terms of mitigating these specific vulnerabilities, Rockwell Automation recommends applying the available patch by following the instructions in knowledge base article RAid 1125928 (login required). As a network-based vulnerability mitigation, users are recommended to block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the manufacturing zone by blocking or restricting access to TCP Ports 2222, 7153 and UDP Port 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances.
In addition, CISA recommends two other general recommendations:
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as VPNs updated to the most current version available. However, keep in mind that a VPN is only as secure as the devices it's connected to.
To learn more about how Claroty can help your team discover and mitigate vulnerabilities within your OT environment, request a demo.
CWE-284 IMPROPER ACCESS CONTROL
Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of PHP modules.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 7.5
CWE-35 PATH TRAVERSAL:
A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in PHP resulting in a remote code execution.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 8.8
CWE-434 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE
A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 8.8
CWE-98 IMPROPER CONTROL OF FILENAME FOR INCLUDE/REQUIRE STATEMENT IN PHP PROGRAM ('PHP REMOTE FILE INCLUSION')
An unauthenticated remote attacker can execute arbitrary PHP files and gain full access of the affected devices.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 9.8
CWE-305 AUTHENTICATION BYPASS BY PRIMARY WEAKNESS
The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 9.8
