OTPulse

Rockwell Automation Arena (Update B)

Plan Patch | 7.8 | ICS-CERT ICSA-24-345-06 | Dec 10, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Rockwell Automation Arena versions 16.20.00 through 16.20.08 contain multiple memory corruption and resource access vulnerabilities (CWE-416, CWE-787, CWE-665, CWE-125, CWE-1395) that allow arbitrary code execution when a user opens a malicious Arena model file. The vulnerabilities are triggered automatically when the Arena file is loaded, executing embedded VBA code with user privileges. No patch is currently available for versions 16.20.06, 16.20.07, and 16.20.08. Rockwell recommends upgrading to V16.20.09 or later. As immediate mitigations, users should avoid loading untrusted model files and can hold the Control key during file loading to prevent VBA stream execution.

What this means
What could happen
An attacker could execute arbitrary code on a workstation running Arena by convincing a user to open a malicious Arena model file. This could compromise engineering workstations and potentially allow modification of PLC/controller logic before deployment to production systems.
Who's at risk
Engineering teams and industrial automation professionals using Rockwell Automation Arena for PLC programming and control system design. This affects anyone who receives or loads Arena model files, particularly operators at utility companies (water, electric) with Rockwell-based control systems. The risk is highest for staff who receive model files from external sources or contractors.
How it could be exploited
An attacker creates a malicious Arena model file containing embedded VBA code and tricks a user into opening it. When the file is loaded in Arena, the VBA stream executes automatically, running arbitrary code with the privileges of the user account. The attacker could then steal credentials, install backdoors, or modify PLC programs for later deployment.
Prerequisites
  • User must open a malicious Arena model file (social engineering required)
  • User account running Arena must have write access to target PLC/controller or network shares
  • Requires user interaction (file open)
  • Low complexity attack
  • Affects engineering workstations that connect to production controllers
  • No patch available for affected versions
  • VBA execution is enabled by default
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (7)
7 with fix
Product | Affected Versions | Fix Status
Arena: <=16.20.03 | ≤ 16.20.03 | 16.20.09 or later
Arena: <=16.20.05 | ≤ 16.20.05 | 16.20.09 or later
Arena: <=16.20.06 | ≤ 16.20.06 | 16.20.09 or later
Arena 32 bit: <=16.20.07 | ≤ 16.20.07 | 16.20.09 or later
Arena 32 bit: <=16.20.06 | ≤ 16.20.06 | 16.20.09 or later
Arena: <=16.20.08 | ≤ 16.20.08 | 16.20.09 or later
Arena: <=16.20.00 | ≤ 16.20.00 | 16.20.09 or later
Remediation & Mitigation
Do now
WORKAROUND: Do not open or load Arena model files from untrusted sources (external emails, downloads, third-party websites)
WORKAROUND: Hold Control key while loading Arena files to prevent automatic VBA stream execution
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Arena to version 16.20.09 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate engineering workstations from production control networks
HARDENING: Enforce principle of least privilege on engineering accounts and restrict PLC programming authority