Rockwell Automation Lifecycle Services with VMware

Act Now | CVSS 9.3 | ICS-CERT ICSA-25-077-02 | Mar 18, 2025
Vendor: Rockwell Automation | Sector: Manufacturing
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Rockwell Automation Lifecycle Services products running on VMware infrastructure contain privilege escalation and memory corruption vulnerabilities (CWE-367, CWE-123, CWE-125) that could allow an attacker with local administrative privileges to execute arbitrary code with full system control. Affected products include Industrial Data Center, VersaVirtual Appliance, Threat Detection Managed Services, Endpoint Protection Service, and Engineered and Integrated Solutions. The vulnerabilities are not remotely exploitable. Rockwell Automation will contact impacted users with remediation guidance; users without managed service contracts should apply VMware patches from Broadcom.

What this means
What could happen
An attacker with local administrative access to a Rockwell Automation system running on VMware could execute arbitrary code and take complete control of the system, potentially disrupting manufacturing operations or allowing unauthorized changes to industrial processes.
Who's at risk
Manufacturing organizations running Rockwell Automation Lifecycle Services products (Industrial Data Center, VersaVirtual Appliance, Threat Detection Managed Services, Endpoint Protection Service, or Engineered and Integrated Solutions) deployed on VMware infrastructure. This affects production control and monitoring systems critical to manufacturing operations.
How it could be exploited
An attacker with local admin credentials or physical access to a hypervisor running one of the affected Rockwell Automation products could exploit privilege escalation or memory corruption vulnerabilities in the VMware layer to execute arbitrary code with full system privileges.
Prerequisites
  • Local administrative privileges on the VMware hypervisor or the virtual machine hosting an affected Rockwell product
  • Physical access to the system or compromised local administrator account
Tags: actively exploited (KEV); high EPSS score (52.7%); no patch available; affects production systems; local administrative privileges required; low complexity
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (5)
5 pending fixes
Product | Affected Versions | Fix Status
Industrial Data Center (IDC) with VMware | Generations 1 to 4 | No fix yet
VersaVirtual Appliance (VVA) with VMware | Series A and B | No fix yet
Threat Detection Managed Services (TDMS) with VMware | All versions | No fix yet
Endpoint Protection Service with RA Proxy & VMware only | All versions | No fix yet
Engineered and Integrated Solutions with VMware | All versions | No fix yet
Remediation & Mitigation
Do now
HOTFIX: Contact Rockwell Automation support to discuss remediation options for your managed services contract. For unmanaged systems, apply the VMware ESXi patches referenced in the Broadcom advisories (ESXi 8.0 Update 3d, 8.0 Update 2d, or 7.0 Update 3s or later).
HARDENING: Restrict local administrative access on hypervisors and virtual machines to authorized personnel only; audit and revoke unnecessary admin accounts.
HARDENING: Implement physical security controls to prevent unauthorized local access to Rockwell Automation systems and their underlying hypervisors.
Long-term hardening
HARDENING: Isolate Rockwell Automation infrastructure from business networks and the internet using network segmentation and firewalls.

Rockwell Automation Lifecycle Services with VMware | CVSS 9.3 - OTPulse