Rockwell Automation Lifecycle Services with VMware

Plan Patch | CVSS 9.3 | ICS-CERT ICSA-25-212-02 | Jul 16, 2025
Rockwell Automation | Manufacturing
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Vulnerabilities in Rockwell Automation Lifecycle Services and related products running on VMware infrastructure (including Industrial Data Center, VersaVirtual Appliance, Engineered and Integrated Solutions, Threat Detection Managed Services, and Endpoint Protection Service) allow local code execution or memory leakage through buffer overflow and memory handling issues in vSocket communication. Successful exploitation requires local access to the VMware host and could allow an attacker to run code with elevated privileges or extract sensitive data from memory. All versions of these products are affected. VMware vSphere is the underlying cause; Broadcom has released patches for ESXi 8.0u3f, 8.0u2e, and 7.0u3w.

What this means
What could happen
An attacker with local access to a host running affected Rockwell Automation services on VMware infrastructure could execute arbitrary code on that host or steal sensitive data from memory, potentially compromising your entire virtualized control system environment.
Who's at risk
Manufacturing plants and facilities using Rockwell Automation Lifecycle Services, Industrial Data Center, VersaVirtual Appliance, or any Engineered and Integrated Solutions deployed on VMware infrastructure. This includes environments using Threat Detection Managed Services or Endpoint Protection Service with Rockwell Automation Proxy. The vulnerability affects your systems only if this software is running virtualized on VMware hosts.
How it could be exploited
An attacker must first gain local access to the host machine running Rockwell Automation Lifecycle Services or related services on VMware (for example, physical console access, SSH, or RDP if the host is exposed). Once local, the attacker exploits vSocket buffer overflow or memory leakage vulnerabilities to either run commands with elevated privilege or read memory from processes, giving them access to sensitive configuration or credentials used by your control systems.
Prerequisites
  • Local user access to the VMware host running Rockwell Automation services (console, SSH, RDP, or other local shell)
  • The affected Rockwell Automation service or VMware vSocket communication path must be active
no patch available | local exploitation only (not remotely exploitable) | low CVSS complexity | affects virtualization infrastructure hosting control systems | memory disclosure risk
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (6)
6 EOL
  • Product: Lifecycle Services with; Affected Versions: All versions; Fix Status: No fix (EOL)
  • Product: Industrial Data Center (IDC) with VMware: >=Generations_1|<=4; Affected Versions: ≥ Generations 1|≤ 4; Fix Status: No fix (EOL)
  • Product: VersaVirtual Appliance (VVA) with VMware Series: A and B; Affected Versions: A|B; Fix Status: No fix (EOL)
  • Product: Engineered and Integrated Solutions with VMware: vers:all/*; Affected Versions: All versions; Fix Status: No fix (EOL)
  • Product: Threat Detection Managed Services (TDMS) with VMware: vers:all/*; Affected Versions: All versions; Fix Status: No fix (EOL)
  • Product: Endpoint Protection Service with Rockwell Automation Proxy & VMware only: vers:all/*; Affected Versions: All versions; Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
HOTFIX: Contact Rockwell Automation immediately if you have an active Infrastructure Managed Service or Threat Detection Managed Service contract to obtain remediation guidance and any available patches
HARDENING: Restrict local and remote access to VMware hosts running Rockwell Automation services; require multi-factor authentication for any SSH, console, or remote management sessions
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: If you do not have a Rockwell managed service contract, refer to Broadcom VMware security advisories and update VMware ESXi to versions 8.0u3f, 8.0u2e, or 7.0u3w or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Lifecycle Services with, Industrial Data Center (IDC) with VMware: >=Generations_1|<=4, VersaVirtual Appliance (VVA) with VMware Series: A and B, Engineered and Integrated Solutions with VMware: vers:all/*, Threat Detection Managed Services (TDMS) with VMware: vers:all/*, Endpoint Protection Service with Rockwell Automation Proxy & VMware only: vers:all/*. Apply the following compensating controls:
HARDENING: Isolate the network containing your Rockwell Automation Lifecycle Services and virtualized control systems from your business network and the Internet