PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-23120 Rockwell Automation CVE debrief

CVE-2025-23120 is a critical remote code execution vulnerability in Veeam Backup and Replication that affects Rockwell Automation Industrial Data Center (IDC) with Veeam and VersaVirtual Appliance (VVA) with Veeam. CISA’s CSAF advisory says exploitation can allow a threat actor to execute code on the target system. Rockwell lists affected IDC generations 1 through 5 and VVA series A through C, and directs customers to Rockwell-managed remediation paths or to Veeam’s advisories if they do not have an active managed services contract.

Vendor: Rockwell Automation
Product: Industrial Data Center (IDC) with Veeam
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-01
Original CVE updated: 2025-04-01
Advisory published: 2025-04-01
Advisory updated: 2025-04-01

Who should care

Operators, administrators, and security teams responsible for Rockwell Automation IDC with Veeam or VersaVirtual Appliance (VVA) with Veeam should prioritize this issue, especially environments that rely on these systems for backup or infrastructure management. Managed service customers should also coordinate directly with Rockwell Automation for remediation steps.

Technical summary

The supplied advisory describes a remote code execution flaw in Veeam Backup and Replication used by the affected Rockwell products. The provided CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network reachability, low attack complexity, low privileges required, no user interaction, and high potential impact across confidentiality, integrity, and availability. The source corpus does not provide exploit mechanics, and no additional technical preconditions should be assumed beyond the published advisory details.

Defensive priority

Urgent. The advisory is rated Critical (CVSS 9.9), and the impact described is full code execution on affected systems. Organizations should treat this as a high-priority patching and vendor-coordination item for exposed or operationally important deployments.

Recommended defensive actions

  • Confirm whether any deployed systems match the affected Rockwell Automation product ranges: IDC with Veeam generations 1-5 or VVA with Veeam series A-C.
  • If you have an active Rockwell Automation Infrastructure Managed Service contract, engage Rockwell Automation immediately for remediation coordination.
  • If you do not have Rockwell-managed services, follow the linked Veeam advisory and support content for CVE-2025-23120.
  • Apply vendor-provided corrective updates or mitigations as soon as feasible.
  • If immediate upgrading is not possible, follow the Rockwell guidance on security best practices and reduce exposure where possible.
  • Review adjacent CISA and vendor security advisories for any additional operational instructions or dependencies.
  • Document affected assets and verify remediation completion across all environments that use the vulnerable component.

Evidence notes

Evidence comes from the CISA CSAF advisory ICSA-25-091-01 published 2025-04-01 and the embedded Rockwell remediation references. The advisory explicitly states that a remote code execution vulnerability exists in Veeam Backup and Replication, which the affected Rockwell products use, and that exploitation can allow code execution on the target system. The advisory identifies two affected product families: Rockwell Automation Industrial Data Center (IDC) with Veeam and VersaVirtual Appliance (VVA) with Veeam. The supplied CVSS v3.1 vector is 9.9/Critical (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). No KEV listing is present in the supplied data.

Official resources

Initial public advisory date in the supplied timeline is 2025-04-01T06:00:00.000Z. No later modification date is provided in the source corpus.