PatchSiren cyber security CVE debrief
CVE-2024-12175 Rockwell Automation CVE debrief
A use-after-free vulnerability in Rockwell Automation Arena simulation software enables arbitrary code execution when a user opens a maliciously crafted DOE file. The flaw stems from improper memory management where freed resources are reused, allowing an attacker to hijack execution flow. Exploitation requires local access and user interaction—specifically, a legitimate user must execute the crafted file. The vulnerability carries a HIGH severity CVSS 3.1 score of 7.8, reflecting significant confidentiality, integrity, and availability impacts once the social engineering barrier is crossed. Rockwell Automation has addressed this in version 16.20.09 and later.
- Vendor
- Rockwell Automation
- Product
- Arena
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-12-10
- Original CVE updated
- 2026-02-03
- Advisory published
- 2024-12-10
- Advisory updated
- 2026-02-03
Who should care
Engineering teams using Rockwell Automation Arena for discrete event simulation in manufacturing, logistics, and process design. OT security teams responsible for protecting engineering workstations. Asset owners in critical infrastructure sectors where Arena models are shared across organizational boundaries. Procurement and vendor management teams evaluating software supply chain risks for industrial software.
Technical summary
The vulnerability exists in Arena's handling of DOE (Discrete Event Optimization) files, where a use-after-free condition allows attackers to corrupt heap memory and achieve code execution. The attack vector is local (AV:L) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R). Successful exploitation yields high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) confirms consistent scoring. No network attack vector or privilege escalation is required post-exploitation.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Rockwell Automation Arena version 16.20.09 or later to remediate this vulnerability.
- Avoid loading untrusted Arena model files from unverified sources.
- Hold the Control key when opening files to prevent automatic VBA file stream loading.
- Implement Rockwell Automation's published security best practices for industrial control systems.
- Apply CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) framework for environment-specific prioritization.
Evidence notes
CVE published 2024-12-10; advisory updated 2025-01-09 (Update A) and 2026-02-03 (Update B). CWE-416 (Use After Free) classification confirmed via source references. Affected product: Rockwell Automation Arena ≤16.20.06.
Official resources
-
CVE-2024-12175 CVE record
CVE.org
-
CVE-2024-12175 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-12-10