1. EXECUTIVE SUMMARY
- CVSS v4 9.9
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Rockwell Automation
- Equipment: 1783-NATR
- Vulnerabilities: Missing Authentication for Critical Function, Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Cross-Site Request Forgery (CSRF)
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in a denial-of-service, data modification, or in an attacker obtaining sensitive information.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of 1783-NATR are affected:
- 1783-NATR: All versions prior to 1.006
3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
Multiple Broken Authentication security issues exist in the affected product. The security issues are due to missing authentication checks on critical functions. These could result in potential denial-of-service, admin account takeover, or NAT rule modifications. Devices would no longer be able to communicate through NATR as a result of denial-of-service or NAT rule modifications. NAT rule modification could also result in device communication to incorrect endpoints. Admin account takeover could allow modification of configuration and require physical access to restore.
CVE-2025-7328 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-7328. A base score of 9.9 has been calculated; the CVSS vector string is (This article has been indexed from All CISA Advisories