Rockwell Automation Studio 5000 Simulation Interface

Plan Patch | CVSS 8.8 | ICS-CERT ICSA-25-317-06 | Nov 11, 2025
Rockwell Automation
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Studio 5000 Simulation Interface versions 2.02 and earlier contain two vulnerabilities (CWE-22 path traversal and CWE-918 server-side request forgery) that allow local authenticated users to trigger outbound SMB requests for NTLM hash capture or achieve local privilege escalation to Administrator level. Exploitation requires local user account access and is not remotely exploitable. Rockwell Automation has released version 3.0.0 as a fix, but no updates are available for versions earlier than 2.02.

What this means
What could happen
An attacker with local access to a system running Studio 5000 Simulation Interface could capture NTLM password hashes or execute administrative commands, potentially disrupting engineering work or enabling further compromise of the engineering environment.
Who's at risk
Engineering teams and automation specialists who use Rockwell Automation Studio 5000 Simulation Interface for testing and development of industrial control system logic should be aware of this vulnerability, particularly if running version 2.02 or earlier on shared or multi-user workstations.
How it could be exploited
An attacker with local user privileges on a Windows system running the vulnerable Simulation Interface can trigger outbound SMB requests to capture NTLM credentials, or escalate to Administrator level to run scripts that execute upon system reboot.
Prerequisites
  • Local user account access to the Windows system running Studio 5000 Simulation Interface
  • Version 2.02 or earlier of the Simulation Interface installed
  • System must be restarted for script execution payload to activate
  • Local access only (not remotely exploitable)
  • Requires low-privilege user account
  • No patch available for older versions
  • Affects engineering infrastructure rather than operational control systems
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
1 with fix, 1 pending
Product | Affected Versions | Fix Status
Studio 5000 Simulation Interface | All versions | No fix yet
Studio 5000 Simulation Interface: <=2.02 | ≤ 2.02 | 3.0.0
Remediation & Mitigation
Do now
WORKAROUND: If immediate upgrade is not possible, restrict local user access on systems running Studio 5000 Simulation Interface to authorized engineering personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Studio 5000 Simulation Interface to version 3.0.0 or later
Long-term hardening
HARDENING: Isolate the Studio 5000 Simulation Interface system from the business network and place it on a separate engineering network behind a firewall
HARDENING: Monitor for unexpected outbound SMB traffic (port 445) from systems running the Simulation Interface to external systems
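
One way to act on the SMB monitoring item above, as an added example that is not part of the original advisory or vendor guidance: a filter over Windows Firewall log records that reports TCP/445 sent from Simulation Interface hosts to destinations outside an allow-list, including attempts the firewall dropped. The host address, the allowed network, and the sample log lines are constructed assumptions, and it assumes firewall logging is enabled with the standard `pfirewall.log` field layout.

```python
import ipaddress

# Field order from the "#Fields:" header of the Windows Firewall log (pfirewall.log).
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port "
          "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()
# Assumption: addresses of the workstations running the Simulation Interface.
SIM_HOSTS = {"10.20.0.15"}
# Assumption: networks those workstations may legitimately reach over SMB.
ALLOWED_SMB_NETS = [ipaddress.ip_network("10.20.0.0/24")]

def parse_line(line):
    """Return one log record as a dict, or None for header, blank or short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) >= len(FIELDS) else None

def unexpected_smb(lines, sim_hosts=SIM_HOSTS, allowed=ALLOWED_SMB_NETS):
    """Return records where a simulation host sent TCP/445 outside the allowed networks."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["protocol"] != "TCP" or rec["dst-port"] != "445":
            continue
        if rec["path"] != "SEND" or rec["src-ip"] not in sim_hosts:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst-ip"])
        except ValueError:
            continue  # unparseable destination field, skip the record
        if not any(dst in net for net in allowed):
            hits.append(rec)  # ALLOW and DROP are both worth an alert
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-11-12 09:14:02 ALLOW TCP 10.20.0.15 10.20.0.5 50112 445 0 - 0 0 0 - - - SEND
2025-11-12 09:14:09 ALLOW TCP 10.20.0.15 203.0.113.40 50113 445 0 - 0 0 0 - - - SEND
2025-11-12 09:14:11 ALLOW TCP 10.20.0.15 203.0.113.40 50114 443 0 - 0 0 0 - - - SEND
2025-11-12 09:15:30 DROP TCP 10.20.0.15 198.51.100.7 50120 445 0 - 0 0 0 - - - SEND
2025-11-12 09:16:00 ALLOW TCP 10.20.0.99 203.0.113.40 50200 445 0 - 0 0 0 - - - SEND
""".splitlines()

if __name__ == "__main__":
    for r in unexpected_smb(SAMPLE):
        print(r["date"], r["time"], r["action"], r["src-ip"], "->", r["dst-ip"])
```

A dropped record still indicates that something on the workstation attempted an outbound SMB connection, so it is reported alongside allowed ones.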