OTPulse

Rockwell Automation Lifecycle Services with Veeam Backup and Replication

Priority: Act Now
CVSS: 9.9
Advisory: ICS-CERT ICSA-25-091-01
Published: Apr 1, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A deserialization vulnerability (CWE-502) in Veeam Backup & Replication integrated with Rockwell Automation appliances allows an attacker with administrative privileges to execute code on the target system. Rockwell Automation Industrial Data Center (Generations 1–5) and VersaVirtual Appliance (Series A–C) are affected. Users with active Rockwell managed service contracts will be contacted by Rockwell for remediation. Users managing their own infrastructure should refer to Veeam's advisory for CVE-2025-23120. No public exploitation has been reported as of the advisory date.

What this means
What could happen
An attacker with administrative access to a Rockwell Automation Industrial Data Center or VersaVirtual Appliance could execute arbitrary code on the backup/replication infrastructure, potentially compromising critical manufacturing data and disrupting backup/recovery capabilities.
Who's at risk
Manufacturing organizations using Rockwell Automation Industrial Data Center (Generations 1–5) or VersaVirtual Appliance (Series A–C) with integrated Veeam Backup & Replication. This affects backup and disaster recovery infrastructure that protects manufacturing control systems, HMI platforms, and production scheduling systems.
How it could be exploited
An attacker with valid administrative credentials gains network access to the affected Rockwell/Veeam system. They exploit the CWE-502 deserialization vulnerability in Veeam Backup & Replication to run code on the appliance. This could allow them to access sensitive industrial data, modify backup configurations, or sabotage recovery systems.
Prerequisites
  • Valid administrative credentials for the Industrial Data Center or VersaVirtual Appliance
  • Network access to the affected Veeam Backup & Replication management interface
  • Veeam Backup & Replication service running with vulnerable code loaded
Risk factors
  • Remotely exploitable over the network
  • Requires valid administrative credentials
  • High EPSS score (26.3%)
  • No patch available from Rockwell—requires Veeam remediation
  • Could compromise backup/recovery systems critical to manufacturing continuity
  • Affects infrastructure that protects safety-related systems
Exploitability
High exploit probability (EPSS 26.3%)
Affected products (2)
2 EOL
Product: Industrial Data Center (IDC) with Veeam: >=Generations_1|<=Generations_5
Affected Versions: ≥ Generations 1|≤ Generations 5
Fix Status: No fix (EOL)

Product: VersaVirtual Appliance (VVA) with Veeam: >=Series_A|<=Series_C
Affected Versions: ≥ Series A|≤ Series C
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to the Industrial Data Center and VersaVirtual Appliance management interfaces to authorized engineering and administrative networks only
  • HARDENING: Require strong, unique administrative credentials and enforce multi-factor authentication for appliance access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Contact Rockwell Automation to discuss remediation if you have an active Infrastructure Managed Service contract—Rockwell will reach out to impacted customers
  • HOTFIX: Review and apply Veeam's security advisory for CVE-2025-23120 if you manage your own Veeam infrastructure without Rockwell support
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Industrial Data Center (IDC) with Veeam: >=Generations_1|<=Generations_5, VersaVirtual Appliance (VVA) with Veeam: >=Series_A|<=Series_C. Apply the following compensating controls:
  • HARDENING: Place backup infrastructure behind a firewall and isolate from the general corporate network
  • HARDENING: Implement network segmentation to prevent lateral movement from compromised backup systems to critical manufacturing systems
Rockwell Automation Lifecycle Services with Veeam Backup and Replication | CVSS 9.9 - OTPulse