PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-12672 Rockwell Automation CVE debrief

A third-party vulnerability in Rockwell Automation Arena 32-bit (versions ≤16.20.07) allows memory corruption via malformed DOE files, enabling arbitrary code execution when a local user opens such a file. The vulnerability was disclosed by CISA on December 10, 2024, with an advisory update (Update B) published February 3, 2026. Rockwell Automation has released version 16.20.09 to address this issue.

Vendor: Rockwell Automation
Product: Arena
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-12-10
Original CVE updated: 2026-02-03
Advisory published: 2024-12-10
Advisory updated: 2026-02-03

Who should care

Organizations using Rockwell Automation Arena 32-bit for discrete event simulation in manufacturing, logistics, and process design; industrial control system operators; OT security teams; and asset owners following CISA ICS advisories.

Technical summary

CVE-2024-12672 is an out-of-bounds write vulnerability in Rockwell Automation Arena 32-bit simulation software, affecting versions 16.20.07 and earlier. The flaw exists in DOE (Design of Experiments) file parsing, where insufficient bounds checking allows writing beyond allocated memory boundaries. Exploitation requires a legitimate user to open a maliciously crafted DOE file, resulting in arbitrary code execution in the context of the current user. The attack vector is local (AV:L) with low attack complexity (AC:L) and requires user interaction (UI:R). This vulnerability was addressed in Arena version 16.20.09.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Rockwell Automation Arena 32-bit to version 16.20.09 or later
  • Hold the Control key when loading files to prevent VBA file stream from loading
  • Implement Rockwell Automation security best practices for industrial control systems
  • Apply Stakeholder-Specific Vulnerability Categorization (SSVC) for environment-specific prioritization
  • Review CISA ICS recommended practices for defense-in-depth strategies
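As an added example (not PatchSiren's or Rockwell Automation's code), a small inventory check for the upgrade action above: it classifies reported Arena 32-bit version strings against the affected ceiling (16.20.07) and the fixed release (16.20.09) stated in this debrief. The sample inventory is constructed, and 16.20.08 is treated as unknown because the debrief neither lists it as affected nor names it as a fixed release.

```python
from typing import Tuple

# Thresholds from the debrief: affected <= 16.20.07, fixed in 16.20.09.
AFFECTED_MAX = "16.20.07"
FIXED_MIN = "16.20.09"

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.20.07' into (16, 20, 7); leading zeros and surrounding spaces are tolerated."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)

def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b; shorter tuples are zero-padded."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)

def assess(version: str) -> str:
    """Classify an installed Arena 32-bit version: 'affected', 'fixed' or 'unknown'.

    'unknown' covers 16.20.08 (the debrief lists it neither as affected nor as the
    fixed release) and any string that is not a dotted numeric version.
    """
    try:
        if compare(version, AFFECTED_MAX) <= 0:
            return "affected"
        if compare(version, FIXED_MIN) >= 0:
            return "fixed"
        return "unknown"
    except ValueError:
        return "unknown"

# Constructed sample inventory (host -> reported Arena version); not real data.
SAMPLE_INVENTORY = {
    "sim-ws-01": "16.20.07",   # affected ceiling
    "sim-ws-02": "16.20.9",    # fixed release written without the leading zero
    "sim-ws-03": "16.20.08",   # gap between affected ceiling and fixed release
    "sim-ws-04": "unknown",    # agent could not read the version
}

def hosts_needing_attention(inventory: dict) -> list:
    """Hosts not confirmed on a fixed release, sorted by name."""
    return sorted(h for h, v in inventory.items() if assess(v) != "fixed")
```

Anything returned by hosts_needing_attention is either affected or cannot be confirmed fixed, so it belongs on the upgrade or manual-verification list.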

Evidence notes

CISA advisory ICSA-24-345-06 (Update B) documents this as a third-party vulnerability in Arena's DOE file parsing. The CVSS 3.1 score of 7.8 reflects a local attack vector with user interaction required. The advisory was initially published December 10, 2024; Update A on January 9, 2025 added this CVE, and Update B on February 3, 2026 added further CVEs and updated mitigations.

Official resources

CISA advisory ICSA-24-345-06, published 2024-12-10 (Update B published 2026-02-03)