Rockwell Automation Lifecycle Services with Veeam Backup and Replication

Act now | CVSS 9.9 | ICS-CERT ICSA-25-091-01 | Apr 1, 2025
Vendor: Rockwell Automation | Sector: Manufacturing
Attack path
Attack Vector: Network
Privileges Required: Low
Attack Complexity: Low
User Interaction: None needed
Summary

A deserialization vulnerability (CWE-502) in Rockwell Automation Industrial Data Center (Generations 1–5) and VersaVirtual Appliance (Series A–C), when integrated with Veeam Backup and Replication, allows an attacker with administrative privileges to execute arbitrary code on the appliance. The affected products are end-of-life and Rockwell Automation will not release patches for them. Customers with an Infrastructure Managed Service contract should contact Rockwell for remediation guidance; customers without one should apply Veeam's fix for the underlying issue, CVE-2025-23120.

What this means
What could happen
An attacker with administrative access to Rockwell's Industrial Data Center or VersaVirtual Appliance could execute arbitrary code on the backup and replication system, potentially compromising backup integrity, enabling data theft, or disrupting backup/recovery operations critical to plant continuity.
Who's at risk
Rockwell Automation customers using Industrial Data Center (IDC) or VersaVirtual Appliance (VVA) backup solutions with Veeam in manufacturing plants. This affects organizations that rely on these appliances to back up and recover their production systems, engineering workstations, and control system data. Any site using Generations 1–5 of IDC or Series A–C of VVA is at risk.
How it could be exploited
An attacker holding credentials for the backup system (IDC or VVA) authenticates to the management interface (web portal or API), submits a malicious serialized object, and the appliance deserializes it without validating the object's type (CWE-502), which yields code execution on the appliance. Note that the CVSS vector rates Privileges Required as Low while the advisory text speaks of administrative privileges; treat any account that can reach the interface as in scope. Because the appliance runs the Veeam software with elevated privileges, code execution could extend to backup repositories and connected infrastructure.
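The paragraph above describes the class of bug (CWE-502) rather than the specific Veeam internals, so the following added example shows the mechanism in Python: a serialized payload whose reconstruction calls a function of the attacker's choosing, beside the hardened loader that only resolves an allow-listed type. This is illustrative code written for this page, not Veeam's or Rockwell's code; the `BackupJob` type, the `run_command` stand-in for `os.system`, and the `whoami` payload are constructed for the demonstration. The allow-list in `RestrictedUnpickler.find_class` is the same idea a restrictive .NET `SerializationBinder` implements for `BinaryFormatter`-style loaders.

```python
import io
import pickle
from dataclasses import dataclass

# Constructed demonstration of CWE-502 (not Veeam's or Rockwell's code).
# run_command() stands in for os.system so the "exploit" leaves a trace in
# EXECUTED instead of spawning a real process.
EXECUTED = []


def run_command(cmd):
    """Stand-in for os.system: records the command the unpickler was tricked into calling."""
    EXECUTED.append(cmd)
    return 0


@dataclass
class BackupJob:
    """The only type the (hypothetical) appliance legitimately expects in a serialized job."""
    name: str
    schedule: str


class Gadget:
    """Attacker-supplied object. Its __reduce__ tells the unpickler to call
    run_command(cmd) while reconstructing the object, i.e. code runs during load."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (run_command, (self.cmd,))


def build_legit_blob():
    """What a benign client would submit: a serialized BackupJob."""
    return pickle.dumps(BackupJob(name="nightly-plc", schedule="02:00"))


def build_malicious_blob():
    """What the attacker submits: a payload naming a callable to invoke on load."""
    return pickle.dumps(Gadget("whoami"))


def unsafe_load(blob):
    """Vulnerable loader: pickle.loads resolves and calls whatever global the payload names."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only (module, name) pairs on the allow-list are resolved.
    Any other global reference aborts the load before anything is called."""

    ALLOWED = {(BackupJob.__module__, "BackupJob")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safe_load_or_none(blob):
    """Convenience wrapper: None when the hardened loader rejects the payload."""
    try:
        return safe_load(blob)
    except pickle.UnpicklingError:
        return None


if __name__ == "__main__":
    unsafe_load(build_malicious_blob())
    print("vulnerable path executed:", EXECUTED)
    print("hardened path rejected payload:", safe_load_or_none(build_malicious_blob()) is None)
    print("hardened path still loads legit data:", safe_load(build_legit_blob()))
```

The point of the hardened loader is that the decision is made on the type name before any constructor or reducer runs; validating the object after deserialization is too late, because the code in `__reduce__` has already executed. Where the data format allows it, moving such job definitions to a plain data format (JSON with an explicit schema) removes the problem entirely.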
Prerequisites
  • Credentials for the Industrial Data Center or VersaVirtual Appliance (the advisory describes administrative credentials)
  • Network reachability from the attacker's position to the appliance's management interface (web portal or API endpoint)
Risk factors
  • High EPSS score (26.3%)
  • Affects administrative/backup systems that support continuity of operations
  • No patch available from Rockwell (end-of-life products)
  • Requires administrative credentials (limits blast radius, but common in insider or compromised-account scenarios)
  • Low exploitation complexity
Exploitability
Likely to be exploited: EPSS score 41.3%. The risk-factor list above quotes 26.3%; EPSS is recomputed daily, so check the current value before using it to prioritize.
Affected products (2), both end-of-life
Product | Affected Versions | Fix Status
Industrial Data Center (IDC) with Veeam | Generations 1 through 5 | No fix (EOL)
VersaVirtual Appliance (VVA) with Veeam | Series A through C | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Industrial Data Center and VersaVirtual Appliance management interfaces to authorized engineering and IT staff only; use firewall rules to limit access by source IP address or network segment.
HARDENING: Audit and remove unnecessary administrative accounts on the backup appliance; ensure all remaining administrative users have strong, unique passwords and multi-factor authentication enabled.
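The workaround above (and the "avoid exposing the management interface" guidance under the no-patch mitigations) is only as good as the allow-list behind it. The following added example, written for this page and not taken from Rockwell or Veeam documentation, generates an nftables ruleset that permits the management ports only from named source networks, drops and logs everything else, and refuses allow-list entries broad enough to re-expose the interface. The source networks (10.20.30.0/24, 10.20.31.10/32) and the port numbers (443, 9392) are placeholders; substitute the networks and the ports documented for your appliance.

```python
import ipaddress

# Assumed site data (not from the advisory): the source networks allowed to
# reach the appliance's management interface, and the TCP ports it listens on.
# Both are placeholders; use the values documented for your own appliance.
AUTHORIZED_SOURCES = ("10.20.30.0/24", "10.20.31.10/32")
MANAGEMENT_PORTS = (443, 9392)

# Guard against an allow-list that is really a disable switch: anything
# broader than a /16 (for example 0.0.0.0/0) is rejected outright.
MIN_PREFIX_LEN = 16


def parse_sources(cidrs):
    """Validate the allow-list entries before they reach a firewall."""
    nets = []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=True)
        if net.version != 4:
            raise ValueError(f"{c}: only IPv4 management sources are expected here")
        if net.prefixlen < MIN_PREFIX_LEN:
            raise ValueError(f"{c}: prefix too broad for a management allow-list")
        nets.append(net)
    return nets


def is_rejected_source(cidr):
    """True when parse_sources() would refuse this entry."""
    try:
        parse_sources((cidr,))
    except ValueError:
        return True
    return False


def build_nftables_ruleset(cidrs=AUTHORIZED_SOURCES, ports=MANAGEMENT_PORTS):
    """Render a default-deny policy for the management ports as an nft script."""
    nets = parse_sources(cidrs)
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    elements = ", ".join(str(n) for n in nets)
    return "\n".join([
        "table inet mgmt_filter {",
        "  set authorized_mgmt {",
        "    type ipv4_addr",
        "    flags interval",
        f"    elements = {{ {elements} }}",
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    ct state established,related accept",
        f"    ip saddr @authorized_mgmt tcp dport {port_set} accept",
        f"    tcp dport {port_set} log prefix \"mgmt-denied: \" drop",
        "  }",
        "}",
    ])


def management_access_allowed(src_ip, dport, cidrs=AUTHORIZED_SOURCES, ports=MANAGEMENT_PORTS):
    """The same decision the ruleset makes, so the policy can be checked before deployment.
    Non-management ports are not governed by this ruleset and pass through unchanged."""
    if dport not in ports:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in parse_sources(cidrs))


if __name__ == "__main__":
    print(build_nftables_ruleset())
    print("engineering host allowed:", management_access_allowed("10.20.30.7", 443))
    print("internet host denied:", not management_access_allowed("203.0.113.5", 443))
```

The chain keeps `policy accept` so that backup data traffic on other ports is untouched; only the management ports get the allow-list-then-drop pair. The `log prefix` on the drop rule is what turns the control into a detection: a burst of `mgmt-denied` entries from an unexpected source is exactly the reconnaissance that precedes an authenticated attack on the interface.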
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact Rockwell Automation under your Infrastructure Managed Service contract to receive remediation instructions specific to your Industrial Data Center generation or VersaVirtual Appliance series.
HOTFIX: If you do not have an active Rockwell Automation Infrastructure Managed Service contract, review Veeam's security advisory for CVE-2025-23120 and apply the Veeam Backup and Replication update it recommends to your backup appliance.
Mitigations - no patch available
The following products have reached end of life with no planned fix: Industrial Data Center (IDC) with Veeam (Generations 1 through 5) and VersaVirtual Appliance (VVA) with Veeam (Series A through C). Apply the following compensating controls:
HARDENING: Isolate the backup infrastructure from the business network and the control system network using network segmentation (a DMZ or a separate VLAN); ensure backup traffic is encrypted and authenticated.
HARDENING: If remote access to the backup appliance is required, enforce use of a fully patched VPN with strong authentication; never expose the management interface directly to the Internet.