PatchSiren cyber security CVE debrief
CVE-2025-14377 Rockwell Automation CVE debrief
CVE-2025-14377 is a high-severity information exposure issue in Rockwell Automation Verve Asset Manager’s legacy Ansible playbook component. According to the CISA republication of the vendor advisory, sensitive information could be incorrectly stored in unencrypted form during playbook execution. Rockwell Automation states the issue was resolved in version 1.42, and that the legacy component became optional starting with version 1.36 in 2024.
- Vendor: Rockwell Automation
- Product: Verve Asset Manager
- CVSS: HIGH 7.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-20
- Original CVE updated: 2026-01-20
- Advisory published: 2026-01-20
- Advisory updated: 2026-01-20
Who should care
Administrators, engineers, and security teams responsible for Rockwell Automation Verve Asset Manager deployments, especially environments that still use or have enabled the legacy Ansible playbook component.
Technical summary
The advisory describes a flaw in the legacy Ansible playbook component of Verve Asset Manager where sensitive data could be written to storage without encryption during playbook execution. The supplied CVSS vector indicates a high-severity issue with high privileges required and no user interaction. The vendor notes the component was retired and became optional in 1.36, and that the issue was resolved in 1.42.
Defensive priority
High for any deployment that still uses the legacy playbook component; lower if the component is not installed or not enabled, but the environment should still be verified and updated to a fixed release.
Recommended defensive actions
- Update Rockwell Automation Verve Asset Manager to version 1.42 or the latest available release.
- Determine whether the legacy Ansible playbook component is installed or enabled, and remove or disable it if it is not required.
- Review playbook execution workflows to confirm sensitive information is not written in unencrypted form.
- If sensitive data may have been exposed, assess the affected systems and follow your organization’s incident response and credential-management procedures.
- Consult Rockwell Automation’s security advisory page or TechConnect for vendor-specific guidance.
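For the playbook review step in the list above, an added example (not Rockwell Automation's or CISA's code): a heuristic Python scan of Ansible vars, inventory and config files for credential-like keys stored as plaintext rather than as Ansible Vault ciphertext. The key-name pattern, file extensions and sample data are assumptions constructed for illustration; the advisory does not say where the affected component writes its data.

```python
import re
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;"   # first bytes of a vault-encrypted file
SECRET_KEY = re.compile(r"(pass(word|wd)?|secret|token|api_?key|private_key)", re.I)  # assumed naming
KEY_VALUE = re.compile(r"^\s*-?\s*[\"']?([A-Za-z0-9_.-]+)[\"']?\s*[:=]\s*(.*)$")
EXTENSIONS = {".yml", ".yaml", ".ini", ".cfg"}   # assumed set of files worth checking

SAMPLE_VARS = """\
# constructed sample, not taken from the product
ansible_user: svc_deploy
ansible_password: Winter2025!
api_token: "{{ lookup('env', 'API_TOKEN') }}"
db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  6162636465
"""

def is_protected(value):
    """True when the value is not a literal secret sitting in the file."""
    v = value.strip().strip("'\"")
    # empty (nested mapping follows), inline vault scalar, or templated reference
    return v == "" or v.startswith("!vault") or "{{" in v

def scan_text(text):
    """Return (line_no, key) for secret-like keys holding plaintext values."""
    if text.lstrip().startswith(VAULT_HEADER):
        return []                  # whole file is vault-encrypted
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = KEY_VALUE.match(line)
        if m and SECRET_KEY.search(m.group(1)) and not is_protected(m.group(2)):
            findings.append((no, m.group(1)))
    return findings

def scan_tree(root):
    """Scan matching files under root; map each path to its findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

if __name__ == "__main__":
    print(scan_text(SAMPLE_VARS))
```

The name matching is deliberately broad, so findings are candidates for manual review rather than confirmed exposures.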
Evidence notes
The source corpus identifies this as a CISA republication of Rockwell Automation’s advisory (ICSA-26-020-03) published on 2026-01-20. The issue is described as an unencrypted storage problem in the legacy Ansible playbook component of Verve Asset Manager. The corpus also states that the component became optional starting with version 1.36 in 2024 and that the issue was resolved in version 1.42. CVSS is provided as 7.9 (HIGH) with vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L.
Official resources
- CVE-2025-14377 CVE record (CVE.org)
- CVE-2025-14377 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed on 2026-01-20 through CISA’s republication of Rockwell Automation’s security advisory as ICSA-26-020-03.