PatchSiren

CVE-2025-3287 Rockwell Automation CVE debrief

CVE-2025-3287 is a high-severity local code execution vulnerability in Rockwell Automation Arena. According to the CISA advisory, a legitimate user must open a malicious DOE file, and improper validation of user-supplied data can lead to reading outside the allocated memory buffer. The reported impact includes information disclosure and arbitrary code execution on the system. Rockwell Automation advises upgrading to Arena V16.20.09 or later.

Vendor: Rockwell Automation
Product: Arena
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-10
Original CVE updated: 2025-05-06
Advisory published: 2025-04-10
Advisory updated: 2025-05-06

Who should care

OT/ICS security teams, engineering workstation administrators, and organizations running Rockwell Automation Arena, especially where users open DOE files on shared or production-adjacent systems.

Technical summary

The advisory describes a local vulnerability in Rockwell Automation Arena caused by improper validation of user-supplied data, resulting in an out-of-bounds read from an allocated memory buffer. Exploitation requires a legitimate user to open a malicious DOE file. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, reflecting a local attack that requires user interaction but can affect confidentiality, integrity, and availability. Affected product scope in the source advisory is Rockwell Automation Arena <=16.20.08, with remediation available in V16.20.09 or later.

Defensive priority

High — prioritize systems that run Arena and regularly process DOE files, especially engineering workstations and OT-connected endpoints.

Recommended defensive actions

  • Upgrade Rockwell Automation Arena to V16.20.09 or later.
  • Review and restrict who can open DOE files on engineering workstations and related OT systems.
  • Apply CISA and Rockwell Automation industrial control system security best practices to reduce exposure and limit impact.
  • Monitor for unexpected DOE file activity and investigate any suspicious file sources before opening them.
  • Validate that affected versions <=16.20.08 are inventoried so patching can be completed quickly.
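
The inventory check in the last action can be scripted against an asset export. The following is an added example, not code from CISA, Rockwell Automation or PatchSiren; the CSV column names, hostnames and the product label "Arena" are assumptions, and the sample inventory is constructed. Only the version threshold comes from the advisory.

```python
import csv
import io
import re

# Threshold from the advisory: Arena <=16.20.08 is affected,
# V16.20.09 or later is fixed.
LAST_AFFECTED = (16, 20, 8)

# Constructed sample inventory; hostnames and column names are assumptions.
SAMPLE_INVENTORY = """host,product,version
eng-ws-01,Arena,16.20.08
eng-ws-02,Arena,V16.20.09
eng-ws-03,Arena,16.10.00
eng-ws-04,Arena,
eng-ws-05,Arena,16.20.8 (build unknown)
eng-ws-06,Other Tool,1.0.0
"""

def parse_version(text):
    """Return a 3-part integer tuple, or None if the string is not a clean version."""
    match = re.fullmatch(r"[Vv]?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not match:
        return None
    # A missing third component is treated as 0 (assumption).
    return tuple(int(part or 0) for part in match.groups())

def classify(version_text):
    """Map a version string to 'affected', 'fixed' or 'review'."""
    version = parse_version(version_text)
    if version is None:
        return "review"  # blank or free-text values need a manual check
    return "affected" if version <= LAST_AFFECTED else "fixed"

def triage(inventory_csv, product="Arena"):
    """Group hosts that run the product by patch status."""
    result = {"affected": [], "fixed": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != product.lower():
            continue  # other software is out of scope for this advisory
        result[classify(row["version"])].append(row["host"])
    return result

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the "review" group have a blank or unparseable version and should be checked by hand rather than assumed patched.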

Evidence notes

Primary source is CISA advisory ICSA-25-100-07, published 2025-04-10 and revised 2025-05-06 with revision history noting typos-only fixes. The supplied CSAF data lists Rockwell Automation Arena <=16.20.08 as affected and recommends upgrading to V16.20.09 or later. The provided data also marks the issue as not KEV-listed.

Official resources

CISA publicly disclosed the issue as ICSA-25-100-07 on 2025-04-10 and later revised the advisory on 2025-05-06 for typo corrections only; the supplied data does not list the CVE in CISA KEV.