PatchSiren cyber security CVE debrief
CVE-2025-14376 Rockwell Automation CVE debrief
CVE-2025-14376 was publicly disclosed on 2026-01-20 in CISA's republished advisory for Rockwell Automation Verve Asset Manager. The issue affects the legacy ADI server component, where unencrypted sensitive data was stored in environment variables. Rockwell Automation states the issue was resolved in version 1.42, and that the component became optional beginning with version 1.36 in 2024, which means exposure is most relevant to deployments that still use that legacy path.
- Vendor: Rockwell Automation
- Product: Verve Asset Manager
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-20
- Original CVE updated: 2026-01-20
- Advisory published: 2026-01-20
- Advisory updated: 2026-01-20
Who should care
OT/ICS administrators, Rockwell Automation Verve Asset Manager operators, and incident responders responsible for systems that may still enable the legacy ADI server component or run versions older than 1.42.
Technical summary
The supplied advisory data describes a sensitive-data exposure involving environment variables in the legacy ADI server component of Verve Asset Manager. The CVSS vector provided is AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N, indicating local access, high attack complexity, high privileges required, no user interaction, changed scope, high confidentiality and integrity impact, and no availability impact. The product notes also say the component was retired and became optional starting with release 1.36 in 2024, and Rockwell Automation reports the issue was fixed in 1.42.
Defensive priority
High. Prioritize upgrading affected systems to version 1.42 or later, and verify whether the legacy ADI server component is still enabled or required in your deployment.
Recommended defensive actions
- Update Rockwell Automation Verve Asset Manager to version 1.42 or the latest available release.
- Confirm whether the legacy ADI server component is present in your environment and disable or remove it if it is not needed.
- Review any sensitive data or secrets that may have been stored in environment variables and rotate affected credentials if exposure is possible.
- Check related system configuration, access controls, and operational procedures to reduce the risk of sensitive-data exposure in the future.
- Use Rockwell Automation's security advisory page and TechConnect support if you need product-specific remediation guidance.
Evidence notes
This debrief is based on the supplied CISA CSAF advisory record ICSA-26-020-03 for Rockwell Automation Verve Asset Manager, published and modified on 2026-01-20. The corpus states that unencrypted sensitive data was stored in environment variables within the legacy ADI server component, that the component became optional beginning with version 1.36 in 2024, and that the issue was resolved in version 1.42. The supplied CVSS vector is CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N with a score of 7.2 (HIGH). No KEV entry or ransomware-campaign use was supplied.
Official resources
- CVE-2025-14376 CVE record (CVE.org)
- CVE-2025-14376 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed and republished by CISA on 2026-01-20 as ICSA-26-020-03.