1. EXECUTIVE SUMMARY
- CVSS v4 7.0
- ATTENTION: Low attack complexity
- Vendor: Rockwell Automation
- Equipment: CompactLogix® 5480
- Vulnerability: Missing Authentication for Critical Function
2. RISK EVALUATION
Successful exploitation of this vulnerability could result in arbitrary code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following version of CompactLogix® 5480 is affected:
- CompactLogix® 5480: Version 32-37.011 with Windows package (2.1.0) Win10 v1607
3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
A code execution vulnerability exists in the affected product. An attacker with physical access could abuse the maintenance menu of the controller with a crafted payload which could result in arbitrary code execution.
CVE-2025-9160 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-9160. A base score of 7.0 has been calculated; the CVSS vector string is (AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: