Rockwell Automation Lifecycle Services with VMware
Plan Patch
CVSS 9.3
ICS-CERT ICSA-25-212-02
Jul 31, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Vulnerabilities in Rockwell Automation products running on VMware hypervisors (IDC Generations 1–4, VersaVirtual Appliance Series A/B, Threat Detection Managed Services, Endpoint Protection Service, Engineered and Integrated Solutions) allow code execution or memory leakage through vSocket mechanisms. These are local-only vulnerabilities affecting the hypervisor host; remote exploitation is not possible. Rockwell will contact managed service customers with remediation guidance. Unmanaged customers should apply Broadcom VMware patches (vSphere ESXi 8.0u3f, 8.0u2e, or 7.0u3w) and implement network controls to restrict local access.
What this means
What could happen
An attacker with local access to a host running Rockwell Automation's VMware-integrated products could execute arbitrary code or leak sensitive data from running processes. This could lead to control of the virtualization layer and any industrial applications running on it.
Who's at risk
Manufacturing facilities using Rockwell Automation Industrial Data Center, VersaVirtual Appliance, Threat Detection Managed Services, Endpoint Protection Service, or Engineered and Integrated Solutions platforms that rely on VMware hypervisors. This impacts any operator who virtualizes industrial control systems or data processing on these platforms.
How it could be exploited
An attacker must have local access to the hypervisor host (physical console or virtual machine shell access). They can then exploit vSocket vulnerabilities to execute code with hypervisor privileges or read memory from other processes on the host, including any industrial applications running in virtual machines.
Prerequisites
- Local access to the hypervisor host (physical or virtual machine shell)
- Host running affected Rockwell Automation product with VMware
- vSocket communication capability between VMs or host and guest
- No patch available from Rockwell Automation
- High CVSS score (9.3)
- Affects virtualization layer hosting control systems
- Local access only (limited attack surface)
- Requires specific vSocket configuration
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (5)
5 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Industrial Data Center (IDC) with VMware | ≥ Generations 1\|≤ 4 | No fix (EOL) |
| VersaVirtual Appliance (VVA) with VMware Series: A and B | A\|B | No fix (EOL) |
| Engineered and Integrated Solutions with VMware | All versions | No fix (EOL) |
| Threat Detection Managed Services (TDMS) with VMware | All versions | No fix (EOL) |
| Endpoint Protection Service with Rockwell Automation Proxy & VMware only | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
WORKAROUND: Contact Rockwell Automation if you have an active Infrastructure Managed Service or Threat Detection Managed Service contract for remediation guidance
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: If unmanaged, apply latest Broadcom VMware patches: vSphere ESXi 8.0u3f, 8.0u2e, or 7.0u3w
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Industrial Data Center (IDC) with VMware: >=Generations_1|<=4, VersaVirtual Appliance (VVA) with VMware Series: A and B, Engineered and Integrated Solutions with VMware: vers:all/*, Threat Detection Managed Services (TDMS) with VMware: vers:all/*, Endpoint Protection Service with Rockwell Automation Proxy & VMware only: vers:all/*. Apply the following compensating controls:
HARDENING: Implement network segmentation to restrict physical and console access to hypervisor hosts
HARDENING: Disable or restrict vSocket communication between virtual machines if not required for operations
HARDENING: Ensure proper access controls on hypervisor management interfaces and console access