OTPulse

Rockwell Automation Verve Asset Manager

Act Now | 9.9 | ICS-CERT ICSA-25-317-05 | Nov 13, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Verve Asset Manager versions 1.33 through 1.41.3 contain an authorization flaw (CWE-863) that allows an authenticated attacker to access or modify user data within the system. The vulnerability has a critical CVSS score of 9.9 due to the combination of low attack complexity, low privileges required, and high impact on confidentiality and integrity. Rockwell Automation has released patches in versions 1.41.4 and 1.42.

What this means
What could happen
An attacker with valid user credentials could access or modify user data stored in Verve Asset Manager, potentially compromising sensitive asset information and operational data managed within the system.
Who's at risk
Organizations operating Rockwell Automation Verve Asset Manager (versions 1.33 through 1.41.3) should be concerned. Verve Asset Manager is used by water utilities, electric utilities, manufacturing plants, and other industrial facilities to track and manage industrial equipment and assets. Exposure is highest for organizations that expose the asset management interface to corporate networks or allow remote access without proper segmentation.
How it could be exploited
An attacker with valid login credentials accesses Verve Asset Manager over the network and exploits an authorization flaw to read or modify user data without proper access controls. The attacker does not need elevated privileges—standard user credentials are sufficient.
Prerequisites
  • Valid user account credentials for Verve Asset Manager
  • Network access to the Verve Asset Manager application interface
  • Verve Asset Manager instance must be reachable from the attacker's network position
Remotely exploitable | Low complexity attack | Requires valid user credentials | No patch available for most current versions | Affects data confidentiality and integrity
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (12)
12 with fix
Product | Affected Versions | Fix Status
Verve Asset Manager: 1.34 | 1.34 | 1.41.4
Verve Asset Manager: 1.35 | 1.35 | 1.41.4
Verve Asset Manager: 1.36 | 1.36 | 1.41.4
Verve Asset Manager: 1.37 | 1.37 | 1.41.4
Verve Asset Manager: 1.38 | 1.38 | 1.41.4
Verve Asset Manager: 1.39 | 1.39 | 1.41.4
Verve Asset Manager: 1.40 | 1.40 | 1.41.4
Verve Asset Manager: 1.41 | 1.41 | 1.41.4
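To triage an inventory against the range given in the summary (1.33 through 1.41.3, fixed in 1.41.4 and 1.42), the following is an added example, not code from OTPulse or Rockwell Automation. The `hostname,version` inventory format, the hostnames and the status labels are assumptions made for illustration.

```python
import re

# Range as stated in the advisory summary: 1.33 through 1.41.3 are affected.
FIRST_AFFECTED = (1, 33, 0)
LAST_AFFECTED = (1, 41, 3)

def parse_version(text):
    """Return a 3-tuple of ints, padding a missing patch part with 0; None if malformed."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        return None
    return tuple(int(p) if p is not None else 0 for p in m.groups())

def classify(version_text):
    """Classify one version string (status labels are this example's own)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # verify by hand; never treat as safe
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "affected"       # update to 1.41.4 or 1.42 or later
    if v > LAST_AFFECTED:
        return "fixed"          # 1.41.4, 1.42 or later
    return "below-range"        # older than 1.33, outside the stated range

def triage(inventory_lines):
    """inventory_lines: 'hostname,version' rows. Returns {hostname: status}."""
    result = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        result[host.strip()] = classify(version)
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """\
# host,version
vam-plant-a,1.33
vam-plant-b,1.41.3
vam-water-1,1.41.4
vam-dr,1.42
vam-lab,1.32.1
vam-old,unknown build
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE.splitlines()).items():
        print(f"{host:12} {status}")
```

Versions are compared as integer tuples, so a release such as 1.41.10 sorts after 1.41.3 instead of before it as a string comparison would.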
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Verve Asset Manager to authorized engineering and support personnel only; use firewall rules and VPN access where remote connectivity is required
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Verve Asset Manager to version 1.41.4 or 1.42 or later
Long-term hardening
HARDENING: Segment Verve Asset Manager on a dedicated management network isolated from operational control networks and corporate business networks
HARDENING: Enforce strong password policies and multi-factor authentication for all Verve Asset Manager user accounts
API: /api/v1/advisories/d8b83fe1-2946-4341-8268-89e00c4a40de