PatchSiren cyber security CVE debrief
CVE-2024-11155 Rockwell Automation CVE debrief
A use-after-free vulnerability in Rockwell Automation Arena simulation software allows arbitrary code execution when a user opens a maliciously crafted DOE file. The flaw exists in Arena versions 16.20.00 and earlier. An attacker can exploit this by crafting a DOE file that forces the software to reuse a freed resource, leading to code execution in the context of the legitimate user who opens the file. This vulnerability requires user interaction—specifically, a legitimate user must execute the malicious code. Rockwell Automation released version 16.20.09 to address this issue. The vulnerability was initially disclosed on December 10, 2024, with subsequent advisory updates in January 2025 and February 2026 adding related CVEs and updated mitigations.
- Vendor: Rockwell Automation
- Product: Arena
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-12-10
- Original CVE updated: 2026-02-03
- Advisory published: 2024-12-10
- Advisory updated: 2026-02-03
Who should care
Organizations using Rockwell Automation Arena for discrete event simulation, particularly in industrial control system environments. Security teams responsible for OT/ICS asset management, engineers and analysts who exchange Arena model files, and organizations with supply chain dependencies on Arena-based simulation workflows.
Technical summary
The vulnerability is a use-after-free (CWE-416) code execution flaw in Rockwell Automation Arena discrete event simulation software. The affected versions are 16.20.00 and earlier. Attackers can craft malicious DOE (Arena model) files that manipulate memory management to execute arbitrary code when opened by a legitimate user. The CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity, and availability. The vulnerability does not appear in CISA's Known Exploited Vulnerabilities catalog as of the source data timestamp.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Rockwell Automation Arena version 16.20.09 or later.
- Do not load untrusted Arena model files.
- Hold the Control key when loading files to prevent the VBA file stream from loading.
- Implement Rockwell Automation security best practices for industrial control systems.
- Apply Stakeholder-Specific Vulnerability Categorization (SSVC) for environment-specific prioritization.
Evidence notes
Vulnerability disclosed via CISA ICS advisory ICSA-24-345-06 on December 10, 2024. Advisory updated January 9, 2025 (Update A) to add CVE-2024-11157, CVE-2024-12175, CVE-2024-12672, and CVE-2024-11364. Advisory updated February 3, 2026 (Update B) to add CVE-2025-6376, CVE-2025-6377, and update affected products and mitigations.
Official resources
- CVE-2024-11155 CVE record (CVE.org)
- CVE-2024-11155 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-12-10