CVE-2025-6376 Rockwell Automation CVE debrief

Who should care

Organizations using Rockwell Automation Arena for discrete event simulation in industrial environments, particularly those exchanging DOE files externally or with untrusted parties. OT security teams and engineers responsible for simulation workflow security should prioritize patching.

Technical summary

CVE-2025-6376 is an out-of-bounds write vulnerability (CWE-787) in Rockwell Automation Arena's handling of DOE (Design of Experiments) files. The vulnerability exists in versions 16.20.08 and earlier. When a user opens a maliciously crafted DOE file, the software writes beyond allocated memory boundaries, potentially enabling arbitrary code execution. The attack vector is local (AV:L) with high attack complexity (AC:H) and requires user interaction (UI:R). The vulnerability was added to CISA advisory ICSA-24-345-06 in Update B on February 3, 2026. Rockwell Automation has released version 16.20.09 as a fix.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade Rockwell Automation Arena to version 16.20.09 or later to remediate this vulnerability.
• Avoid loading untrusted Arena model files, particularly DOE files from unverified sources.
• Hold the Control key when loading files to prevent VBA file stream execution as a temporary mitigation.
• Implement Rockwell Automation's security best practices for industrial control systems.
• Apply CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) for environment-specific prioritization.

Evidence notes

CVE published 2024-12-10; advisory modified 2026-02-03 to add CVE-2025-6376 in Update B. CVSS 3.1 score 7.0 (HIGH). Affected product: Rockwell Automation Arena <=16.20.08. CWE-787 (Out-of-bounds Write). Exploitation requires user interaction with malicious DOE file.

Official resources