Rockwell Automation Studio 5000 Logix Designer

Plan PatchCVSS 7.5ICS-CERT ICSA-25-226-29Aug 14, 2025

Rockwell Automation

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityHigh

User InteractionRequired

Summary

Studio 5000 Logix Designer versions 36.00.02 through 37.00.02 contain a vulnerability that could allow an attacker with local access to crash the application or execute malicious code. The attack requires local access to an engineering workstation and user interaction. No public exploitation has been reported, and this vulnerability cannot be exploited remotely.

What this means

What could happen

An attacker with local access to a engineering workstation running Studio 5000 Logix Designer could execute malicious code or crash the application, potentially disrupting control logic development and deployment to PLCs that manage critical plant operations.

Who's at risk

This vulnerability affects Rockwell Automation engineering teams and anyone responsible for developing and deploying control logic to PLCs and other control devices. Organizations in water/wastewater treatment, power generation, manufacturing, and other sectors using Rockwell's Studio 5000 Logix Designer for automation engineering should assess their exposure.

How it could be exploited

An attacker must first gain local access to an engineering workstation where Studio 5000 Logix Designer is installed. They must then persuade a user with engineering privileges to perform an action (such as opening a malicious file or project) to trigger the vulnerability. Once exploited, the attacker could run code with the privileges of the engineering user, potentially allowing them to inject malicious logic into control programs before they are deployed to field devices.

Prerequisites

Local access to the engineering workstation running affected versions of Studio 5000 Logix Designer
User with engineering privileges must be tricked into performing an action that triggers the vulnerability (opening a file, importing a project, etc.)
Studio 5000 Logix Designer version 36.00.02 or later but earlier than 37.00.02

Requires local access to engineering workstationRequires social engineering or user interactionHigh attack complexityCould allow execution of malicious control logicNo public exploitation reported yet

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (2)

1 with fix1 EOL

ProductAffected VersionsFix Status

Studio 5000 Logix Designer: >=36.00.02|<37.00.02≥ 36.00.02|<37.00.0237.00.02+

Studio 5000 Logix DesignerAll versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict local access to engineering workstations to only authorized personnel with a genuine need for control logic development

WORKAROUNDTrain engineering staff to not open or import control logic files from untrusted sources, especially files received via email or from unknown origins

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

Studio 5000 Logix Designer

HOTFIXUpdate Studio 5000 Logix Designer to version 37.00.02 or later

All products

HARDENINGImplement application whitelisting on engineering workstations to prevent execution of unauthorized code

CVEs (1)

CVE-2025-7971

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d14b3158-7bf9-4a53-94c5-181db9cb9685

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.