OTPulse

Rockwell Automation Studio 5000 Simulation Interface

Action: Plan Patch · CVSS 8.8 · ICS-CERT ICSA-25-317-06 · Nov 13, 2025
Attack Vector: Local
Privileges Required: Low (a local user account)
Attack Complexity: Low
User Interaction: None needed
Summary

Studio 5000 Simulation Interface versions 2.02 and below contain two weaknesses, a path traversal (CWE-22) and a server-side request forgery (CWE-918), that allow a local attacker to coerce the workstation into making outbound SMB requests to a server of the attacker's choosing (exposing the logged-on user's NTLM authentication material for capture) and to have scripts executed with Administrator privileges when the system next reboots. Neither issue is remotely exploitable, but the affected software runs on engineering workstations that are routinely used to program and configure production automation systems, so a foothold there can reach the plant.

What this means
What could happen
An attacker with local access could capture the workstation's Windows authentication material (NTLM challenge-response hashes, which can be cracked offline) or run commands with Administrator privileges after a reboot, compromising the engineering workstation and, through it, the automation systems it connects to.
Who's at risk
Engineering staff and system administrators who use Rockwell Automation Studio 5000 Simulation Interface on workstations connected to plant networks. This affects organizations that use Studio 5000 to program and test Allen-Bradley PLCs and other automation controllers before deploying to production systems.
How it could be exploited
An attacker with a local user account on a Studio 5000 Simulation Interface workstation can make the software issue an outbound SMB request to an attacker-controlled server; Windows attempts to authenticate to that server automatically, handing the user's NTLM challenge-response to the attacker for capture. Separately, a malicious script can be staged so that it runs with Administrator privileges when the system restarts, turning the low-privileged local account into full control of the workstation.
Prerequisites
  • Local user account on the Studio 5000 Simulation Interface workstation
  • System reboot (for privilege escalation component)
  • Network path to attacker-controlled SMB server (for credential capture)
  • Local access required (not remote)
  • Low-complexity exploitation
  • Affects engineering workstations, which are a gateway to production systems
  • No patch for versions 2.02 and below themselves; the fix is the upgrade to 3.0.0
  • Privilege escalation to Administrator on reboot
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product                            Affected Versions   Fix Status
Studio 5000 Simulation Interface   ≤ 2.02              Fixed in 3.0.0
Remediation & Mitigation
Do now
HARDENING: Restrict local user accounts on engineering workstations to trusted staff only; the attack needs nothing more than a local logon.
HARDENING: Segment Studio 5000 workstations from untrusted networks and restrict outbound SMB (TCP 445) at both the host firewall and the segment boundary to the file servers and domain controllers the workstation genuinely needs, so a coerced SMB request cannot reach an attacker-controlled server. Restricting outgoing NTLM through Windows policy limits what a coerced connection can leak even if one gets through.
WORKAROUND: Disable the SMB protocol on the workstation network segment if it is not required for engineering operations.
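The two "Do now" hardening items above, as an added example script that is not from OTPulse or Rockwell Automation: it blocks outbound SMB from the workstation to everything except an allowlist of servers, restricts outgoing NTLM to the same hosts, and then lists any SMB connection to a host outside the allowlist, which is exactly what the coercion described in this advisory would produce. The addresses 10.10.5.10 / 10.10.5.20, the host names PLANT-DC01 / PLANT-FS01 and the firewall rule name are hypothetical placeholders for a real plant's domain controller and file server. Run it from an elevated Windows PowerShell session, and leave it in audit mode until the NTLM audit log is clean.

```powershell
# Added example for this advisory page; not code from OTPulse or Rockwell Automation.
# Hardens a Windows engineering workstation against the outbound-SMB / NTLM-capture
# path and verifies the result. Run from an elevated Windows PowerShell session.
# HYPOTHETICAL values: the allowlisted SMB peers below (a domain controller and a
# plant file server) stand in for whatever this workstation legitimately talks to.
#Requires -RunAsAdministrator

$AllowedSmbServerIPs    = @('10.10.5.10', '10.10.5.20')   # hypothetical DC and file server
$AllowedNtlmServerNames = @('PLANT-DC01', 'PLANT-FS01')   # same hosts by name; NTLM exceptions are name-based
$RuleName  = 'Example - block outbound SMB except allowlisted servers'
$AuditOnly = $true   # start in audit mode; set to $false once the NTLM audit log is clean

# Dotted IPv4 <-> integer, done in [uint64] so no intermediate value overflows.
function ConvertTo-IPv4Int([string]$ip) {
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()   # network byte order
    return ([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3]
}
function ConvertFrom-IPv4Int([uint64]$n) {
    $octets = @(); $rem = $n
    foreach ($div in 16777216, 65536, 256, 1) {
        $octets += [int][math]::Floor($rem / $div)
        $rem = $rem % $div
    }
    return ($octets -join '.')
}

# Windows Firewall has no "everything except X" address filter, and Block rules
# take precedence over Allow rules, so the block rule must enumerate the complement
# of the allowlist as explicit start-end ranges (a form -RemoteAddress accepts).
function Get-ComplementRanges([string[]]$allowed) {
    $ranges = @()
    $next = [uint64]0
    $max  = [uint64]4294967295
    foreach ($ip in ($allowed | ForEach-Object { ConvertTo-IPv4Int $_ } | Sort-Object -Unique)) {
        if ($ip -gt $next) {
            $ranges += ('{0}-{1}' -f (ConvertFrom-IPv4Int $next), (ConvertFrom-IPv4Int ([uint64]$ip - 1)))
        }
        $next = [uint64]$ip + 1
    }
    if ($next -le $max) {
        $ranges += ('{0}-{1}' -f (ConvertFrom-IPv4Int $next), (ConvertFrom-IPv4Int $max))
    }
    return $ranges
}

# 1. Host firewall: outbound TCP 445 is allowed only to the allowlisted servers.
Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress (Get-ComplementRanges $AllowedSmbServerIPs) -Action Block -Profile Any | Out-Null

# 2. Stop the workstation from sending NTLM to anything but the named servers
#    (policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers").
#    RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all; the
#    ClientAllowedNTLMServers list is honoured in both audit and deny mode.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Type DWord -Value $(if ($AuditOnly) { 1 } else { 2 })
Set-ItemProperty -Path $lsa -Name ClientAllowedNTLMServers -Type MultiString -Value $AllowedNtlmServerNames

# 3. Verification: any live or half-open (SynSent) SMB session to a host outside the
#    allowlist is what a coerced outbound SMB request looks like from the host side.
function Get-UnexpectedSmbConnections([string[]]$allowed) {
    Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin $allowed } |
        Select-Object LocalAddress, RemoteAddress, State, OwningProcess,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
}
Get-UnexpectedSmbConnections $AllowedSmbServerIPs | Format-Table -AutoSize

# In audit mode, outgoing NTLM that deny mode would have blocked is logged as
# Event ID 8001 in Microsoft-Windows-NTLM/Operational; review it before flipping
# $AuditOnly to $false, because deny mode breaks any SMB peer that is not Kerberos-capable.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-Table -Wrap
```

The firewall rule addresses the "restrict outbound SMB" item and the NTLM policy closes the credential-capture consequence the advisory describes: a coerced connection that somehow still leaves the host has nothing to hand over. The domain controller must be on both allowlists, since Group Policy and SYSVOL are fetched over SMB; omitting it will break logon processing rather than the exploit.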
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Studio 5000 Simulation Interface to version 3.0.0 or later.