Rockwell Automation Arena (Update B)
Plan Patch | CVSS 7.8 | ICS-CERT ICSA-24-345-06 | Dec 10, 2024
Rockwell Automation
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Multiple memory corruption vulnerabilities (use-after-free, buffer overflow, out-of-bounds read, and improper input validation) exist in Rockwell Automation Arena versions 16.20.08 and earlier. These vulnerabilities can be triggered when loading specially crafted Arena model files, allowing arbitrary code execution on the host workstation.
What this means
What could happen
An attacker could execute arbitrary code on a workstation running Arena if the user opens a malicious model file, potentially compromising engineering systems and allowing modification of control logic or automation designs.
Who's at risk
Engineering teams using Rockwell Automation Arena for automation design and simulation. This impacts anyone who creates, edits, or loads Arena project files, typically automation engineers and controls integrators working on PLC programming, motion control, and process automation systems.
How it could be exploited
An attacker sends a specially crafted Arena model file to an engineer or operator. When the file is opened in Arena, memory corruption vulnerabilities (use-after-free, buffer overflow, etc.) are triggered, allowing the attacker to run arbitrary code with the privileges of the user running Arena.
Prerequisites
- User interaction required: an engineer or operator must open a malicious Arena model file
- Arena must be installed and running on the target workstation
- The file must be loaded without the Ctrl key held down (holding Ctrl blocks VBA stream loading)
Low complexity exploitation | User interaction required | Affects engineering/design systems which control production systems
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (7)
7 with fix
Product | Affected Versions | Fix Status
Arena | ≤ 16.20.03 | 16.20.09+
Arena | ≤ 16.20.05 | 16.20.09+
Arena | ≤ 16.20.06 | 16.20.09+
Arena 32 bit | ≤ 16.20.07 | 16.20.09+
Arena 32 bit | ≤ 16.20.06 | 16.20.09+
Arena | ≤ 16.20.08 | 16.20.09+
Arena | ≤ 16.20.00 | 16.20.09+
Remediation & Mitigation
Do now
HARDENING: Restrict opening of Arena model files from untrusted sources; disable or control file downloads from email and external storage
WORKAROUND: Train users to hold Ctrl key while loading Arena model files to prevent VBA file stream execution
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Arena to version 16.20.09 or later
Long-term hardening
HARDENING: Implement application whitelisting or endpoint controls to restrict Arena execution to approved model files and locations
CVEs (10)