*Rockwell Automation AADvance-Trusted SIS Workstation*
Plan Patch | CVSS 8.8 | ICS-CERT ICSA-25-317-10 | Nov 11, 2025
Rockwell Automation
Attack path
- Attack Vector: Network
- Auth Required: None
- Complexity: Low
- User Interaction: Required
Summary
AADvance-Trusted SIS Workstation software versions prior to 2.01.00 contain a path traversal vulnerability (CWE-22) in the DotNetZip component that can be exploited to achieve remote code execution. The vulnerability requires user interaction (clicking a link or opening a malicious file) but has a high impact on confidentiality, integrity, and availability. SIS Workstation DotNetZip has no fix planned and remains vulnerable across all versions.
What this means
What could happen
An attacker could trick an engineer or operator into opening a malicious file or link, gaining the ability to run arbitrary code on the SIS Workstation. This could allow modification of safety instrumented system logic, configuration data, or process setpoints, potentially causing unsafe plant conditions or loss of safety system integrity.
Who's at risk
Organizations operating Rockwell Automation AADvance-Trusted SIS Workstations for safety instrumented system design, engineering, or configuration are affected. This is critical for facilities in chemical processing, oil & gas, refining, pharmaceuticals, and power generation that rely on these workstations for safety system management. The SIS Workstation DotNetZip component is widely used and cannot be fixed; AADvance-Trusted versions below 2.01.00 require immediate attention.
How it could be exploited
An attacker crafts a malicious file or link targeting the DotNetZip path traversal vulnerability and sends it to an SIS Workstation user via email, web, or file share. When the user opens or clicks the payload on the workstation, the attacker gains code execution with the privileges of the logged-in user. From there, the attacker can manipulate SIS configuration, bypass safety logic, or exfiltrate control system documentation.
Prerequisites
- User interaction required: engineer or operator must open or click a malicious file or link on the workstation
- Network access to deliver the payload (email, HTTP, or file share)
- Vulnerable SIS Workstation version (2.00.00 through 2.00.03) must be running
- Remotely exploitable via file/link delivery
- Low complexity attack
- User interaction required but common in engineering workflows
- Affects safety instrumented systems (SIS)
- DotNetZip library has no fix planned; vulnerability will persist indefinitely in that component
Exploitability
Some exploitation risk — EPSS score 2.3%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (2)
1 with fix, 1 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIS Workstation DotNetZip | All versions | No fix (EOL) |
| AADvance-Trusted SIS Workstation | ≥ 2.00.00, < 2.00.04 | 2.01.00 |
Remediation & Mitigation
Do now
- HARDENING: Restrict delivery and use of files from untrusted sources on SIS Workstations; establish a policy requiring users to validate file origins before opening
- HARDENING: Implement email filtering and content controls to block suspicious attachments or links on systems that can reach SIS Workstations
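
A pre-screening check that supports the file-origin hardening above, as an added example that is not part of the advisory or of Rockwell's software. It assumes the malicious file is a ZIP archive whose entry names resolve outside the extraction directory, the usual form of CWE-22 in an archive library; `unsafe_entries`, `build_sample`, the `C:\extract` root and the sample entry names are hypothetical and constructed.

```python
import io
import ntpath
import zipfile


def unsafe_entries(archive, root="C:\\extract"):
    """Return (entry name, reason) for entries that would land outside root.

    Names are judged with Windows path rules (ntpath) because the affected
    workstation software runs on Windows; root is a hypothetical target dir.
    """
    findings = []
    root_norm = ntpath.normcase(ntpath.normpath(root))
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            name = info.filename
            drive, tail = ntpath.splitdrive(name)
            # Drive letters, UNC shares and rooted names ignore the root.
            if drive or tail.startswith(("/", "\\")):
                findings.append((name, "absolute path"))
                continue
            # Resolve "..", "/" and "\" the way Windows would, then compare.
            target = ntpath.normcase(ntpath.normpath(ntpath.join(root, name)))
            if target != root_norm and not target.startswith(root_norm + "\\"):
                findings.append((name, "escapes extraction root"))
    return findings


def build_sample():
    """Constructed archive: two entries that stay inside, three that do not."""
    names = (
        "project/logic.xml",
        "project/../notes.txt",          # ".." that still resolves inside
        "../../outside/dropped.txt",
        "..\\..\\outside\\dropped.txt",  # backslash form
        "C:\\temp\\dropped.txt",
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in unsafe_entries(build_sample()):
        print(f"REJECT {name!r}: {reason}")
```

The check resolves each name against the root instead of searching for the substring `..`, so an entry such as `project/../notes.txt` is not flagged while both slash styles of a real escape are.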
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade AADvance-Trusted SIS Workstation to version 2.01.00 or later
Mitigations - no patch available
SIS Workstation DotNetZip has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Isolate SIS Workstations from general business networks and the internet; ensure workstations are accessed only from secure internal networks
CVEs (1)