OTPulse

Rockwell Automation Lifecycle Services with VMware

Act Now · CVSS 9.3 · ICS-CERT ICSA-25-077-02 · Mar 18, 2025
Attack Vector: Local
Auth Required: None (from the hypervisor's perspective; the attacker must already be an administrator inside a guest VM, see Prerequisites)
Complexity: Low
User Interaction: None needed
Summary

Several Rockwell Automation Lifecycle Services offerings are delivered on VMware ESXi hosts, and the ESXi builds they run on carry multiple memory corruption vulnerabilities: a time-of-check/time-of-use race condition (CWE-367), an out-of-bounds write (CWE-123) and an out-of-bounds read (CWE-125), published by Broadcom as VMSA-2025-0004 (CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226). The affected offerings are Industrial Data Center (Generations 1 to 4), VersaVirtual Appliance (Series A and B), Threat Detection Managed Services, Endpoint Protection Service with RA Proxy, and Engineered and Integrated Solutions, all versions, whenever they are hosted on an unpatched ESXi build. The flaws are guest-to-host escapes: an attacker who already holds administrative privileges inside one virtual machine can execute code in that VM's VMX process on the host and, from there, compromise the hypervisor and every other VM and service it runs. No prior access to the hypervisor itself is needed, which is why the CVSS vector records Privileges Required: None. Rockwell Automation states it will contact impacted users under their managed services contracts; users without a contract should remediate the underlying VMware vulnerabilities by upgrading ESXi to a fixed build (7.0 U3s, 8.0 U2d or 8.0 U3d, or later).

What this means
What could happen
An attacker with administrative privileges inside any virtual machine on an ESXi host that runs Rockwell Automation Lifecycle Services could break out of that guest, execute arbitrary code on the hypervisor and gain full control of the virtualized infrastructure hosting your process management systems, data and remote services, including the Rockwell VMs themselves.
Who's at risk
Manufacturing facilities using Rockwell Automation Lifecycle Services (Industrial Data Center, VersaVirtual Appliance, Threat Detection Managed Services, Endpoint Protection Service, or Engineered and Integrated Solutions) hosted on VMware ESXi. This affects organizations relying on these services for process monitoring, data management, threat detection and endpoint security in their industrial operations. Because the flaws are guest-to-host escapes, a site that shares an ESXi host between a Rockwell solution VM and other workloads is also exposed through those other guests.
How it could be exploited
An attacker must first obtain administrative privileges inside a guest virtual machine on the affected ESXi host, for example through a phished or reused credential, or through an unrelated flaw in a workload running in that VM. Chained from inside the guest, the three bugs escape to the host: the time-of-check/time-of-use race condition (CWE-367, CVE-2025-22224, in the VMCI interface) yields code execution in the VM's VMX process on the host; the arbitrary out-of-bounds write (CWE-123, CVE-2025-22225) turns that into a kernel write that escapes the VMX sandbox to the ESXi kernel; and the out-of-bounds read in HGFS (CWE-125, CVE-2025-22226) leaks VMX process memory, which helps defeat memory-layout randomization along the way. Code running at the hypervisor level can then reach every virtual machine and service hosted on that infrastructure.
Prerequisites
  • Administrative privileges inside a guest virtual machine on the affected ESXi host (a Rockwell solution VM or any other tenant of the same hypervisor); no access to the ESXi management interface or console is required
  • Rockwell Automation services hosted on an affected ESXi build (7.0 or 8.0 prior to 7.0 U3s, 8.0 U2d or 8.0 U3d)
  • Actively exploited (CISA KEV)
  • No patch available from Rockwell Automation
  • Critical severity (CVSS 9.3)
  • High exploitation probability (EPSS 52.7%)
  • Local access only, but within OT management infrastructure
  • Affects virtualized control system services
Exploitability
Actively exploited: the underlying VMware CVEs (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) were added to the CISA Known Exploited Vulnerabilities catalog on March 4, 2025.
Affected products (5)
Product                                                 | Affected versions  | Fix status
Industrial Data Center (IDC) with VMware                | Generations 1 to 4 | No fix yet
VersaVirtual Appliance (VVA) with VMware                | Series A and B     | No fix yet
Threat Detection Managed Services (TDMS) with VMware    | All versions       | No fix yet
Endpoint Protection Service with RA Proxy & VMware only | All versions       | No fix yet
Engineered and Integrated Solutions with VMware         | All versions       | No fix yet
"No fix yet" means no Rockwell-side update exists; the remediation for every row is the underlying ESXi upgrade listed below.
Remediation & Mitigation
Do now
[HOTFIX] Contact Rockwell Automation to discuss remediation actions through your managed services contract
[HOTFIX] For non-contracted users, upgrade VMware ESXi to a fixed build (ESXi 7.0 U3s, 8.0 U2d or 8.0 U3d, or any later release that contains the VMSA-2025-0004 fixes) to address the underlying VMware vulnerabilities
[HARDENING] Restrict administrative access both inside the hosted virtual machines, which are the entry point for these flaws, and on the ESXi hosts and vCenter; limit who can log in with admin credentials and audit all administrative activity
Schedule — requires maintenance window
Patching ESXi requires placing the host in maintenance mode and rebooting it, so the virtual machines on that host must be migrated or shut down first; plan for process interruption.

[HARDENING] Implement VPN for any required remote access to hypervisor management interfaces, and keep VPN software updated
Long-term hardening
[HARDENING] Isolate Rockwell Automation virtual machines and services from business networks and the Internet using network segmentation
[HARDENING] Monitor for suspicious local activity on hypervisor hosts and implement intrusion detection on management networks
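To confirm that the ESXi upgrade recommended above actually landed on every host, the shell check below (an added example written for this page, not OTPulse's or Rockwell Automation's own tooling) parses the output of `esxcli system version get` and compares the reported build number against the first fixed build on its release line. The three minimum build numbers and the `esxi_status` and `esxi_min_build` helpers are this example's own; the build numbers are taken from Broadcom's VMSA-2025-0004 as recalled here and must be confirmed against the vendor advisory before the verdict is trusted. The sample outputs are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example: classify an ESXi host as patched or vulnerable for the
# VMSA-2025-0004 fixes (7.0 U3s, 8.0 U2d, 8.0 U3d) from `esxcli system version get`.
#
# ASSUMPTION: these are the fixed builds as published by Broadcom. Confirm them
# against the vendor advisory/KB; a wrong number here silently misclassifies hosts.
MIN_BUILD_703=24585291   # ESXi 7.0 Update 3s
MIN_BUILD_802=24585300   # ESXi 8.0 Update 2d
MIN_BUILD_803=24585383   # ESXi 8.0 Update 3d

# esxi_min_build VERSION: print the first fixed build on that release line.
# esxcli reports 7.0 U3 as "7.0.3", 8.0 U2 as "8.0.2" and 8.0 U3 as "8.0.3".
# Prints nothing for lines that never received a fix (7.0.0-7.0.2, 8.0.0, 8.0.1).
esxi_min_build() {
    case "$1" in
        7.0.3) echo "$MIN_BUILD_703" ;;
        8.0.2) echo "$MIN_BUILD_802" ;;
        8.0.3) echo "$MIN_BUILD_803" ;;
        *)     echo "" ;;
    esac
}

# esxi_status OUTPUT: parse the "Version:" and "Build: Releasebuild-NNN" lines
# and print one of: patched, vulnerable, unparseable.
# Exit status: 0 = patched, 1 = vulnerable, 2 = unparseable.
esxi_status() {
    version=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Version:[[:space:]]*//p' | head -n 1)
    build=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Build:[[:space:]]*Releasebuild-//p' | head -n 1)
    case "$build" in
        ''|*[!0-9]*) echo "unparseable"; return 2 ;;
    esac
    min=$(esxi_min_build "$version")
    if [ -z "$min" ]; then
        # Older 7.0/8.0 lines have no fixed build: the host must move to a fixed line.
        echo "vulnerable"; return 1
    fi
    # Build numbers are only comparable within one release line, hence the
    # version lookup first.
    if [ "$build" -ge "$min" ]; then
        echo "patched"; return 0
    fi
    echo "vulnerable"; return 1
}

# Constructed sample outputs in the layout esxcli uses (not from real hosts).
SAMPLE_PATCHED='   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24585383
   Update: 3'

SAMPLE_OLD_703='   Product: VMware ESXi
   Version: 7.0.3
   Build: Releasebuild-23794027
   Update: 3'

SAMPLE_801='   Product: VMware ESXi
   Version: 8.0.1
   Build: Releasebuild-22088125
   Update: 1'

# Stand-alone run: query the live host when esxcli is available (i.e. when run
# in the ESXi shell), otherwise evaluate the constructed samples.
if command -v esxcli >/dev/null 2>&1; then
    printf 'this host: %s\n' "$(esxi_status "$(esxcli system version get)")"
else
    printf 'sample 8.0U3d host: %s\n' "$(esxi_status "$SAMPLE_PATCHED")"
    printf 'sample 7.0U3 host:  %s\n' "$(esxi_status "$SAMPLE_OLD_703")"
    printf 'sample 8.0U1 host:  %s\n' "$(esxi_status "$SAMPLE_801")"
fi
```

Run it in the ESXi shell over SSH, or collect `esxcli system version get` output per host through vCenter and feed it to `esxi_status`. A host on 7.0.0 through 7.0.2, 8.0.0 or 8.0.1 has no fixed build on its line and is reported as vulnerable rather than unknown, because it has to be moved to a fixed line regardless. The upgrade itself is a maintenance-window job: put the host into maintenance mode (`esxcli system maintenanceMode set --enable true`) so its VMs are evacuated or stopped before the patch and reboot.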