Opto 22 GRV-EPIC and groov RIO

Monitor | CVSS 6.2 | ICS-CERT ICSA-25-324-03 | Nov 20, 2025
Attack path
Attack Vector: Network
Auth Required: High
Complexity: High
User Interaction: None needed
Summary

A vulnerability in Opto 22 GRV-EPIC and groov RIO devices allows execution of arbitrary shell commands with root privileges on affected firmware versions prior to 4.0.3. The vulnerability requires valid administrative credentials and network access to the device. Opto 22 has released firmware version 4.0.3 to remediate this issue.

What this means
What could happen
An attacker with high-level administrative credentials could execute arbitrary commands with root privileges on GRV-EPIC or groov RIO devices, potentially allowing them to alter process logic, disable safety functions, or halt industrial operations.
Who's at risk
Water utilities and electric utilities operating Opto 22 GRV-EPIC programmable controllers or groov RIO remote I/O modules for process monitoring and control should prioritize this fix. These devices are commonly used in SCADA systems and distributed process automation environments.
How it could be exploited
An attacker with valid administrative credentials and network access to the GRV-EPIC or groov RIO device could submit a malicious command through the management interface, bypassing input validation to execute arbitrary shell commands with root-level access to the device's operating system.
Prerequisites
  • Valid administrative credentials for the target device
  • Network connectivity to the device's management port
  • High attack complexity (specific conditions or detailed knowledge required)
Tags: remotely exploitable, requires high-level administrative credentials, high attack complexity, affects industrial process control, root command execution capability
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (5), 5 with fix

Product | Affected Versions | Fix Status
groov RIO GRV-R7-I1VAPM-3 Firmware | <4.0.3 | 4.0.3
GRV-EPIC-PR1 Firmware | <4.0.3 | 4.0.3
GRV-EPIC-PR2 Firmware | <4.0.3 | 4.0.3
groov RIO GRV-R7-MM1001-10 Firmware | <4.0.3 | 4.0.3
groov RIO GRV-R7-MM2001-10 Firmware | <4.0.3 | 4.0.3

Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to GRV-EPIC and groov RIO management interfaces to authorized engineering workstations only
  • HARDENING: Ensure GRV-EPIC and groov RIO devices are not directly accessible from the Internet or untrusted networks
  • HARDENING: Enforce strong, unique administrative credentials on all GRV-EPIC and groov RIO devices
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade GRV-EPIC and groov RIO devices to firmware version 4.0.3 or later
Long-term hardening
  • HARDENING: Place GRV-EPIC and groov RIO devices behind a firewall and isolate them from business networks
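
A fleet triage against the affected-products list and the 4.0.3 fix version, as an added example that is not part of the original advisory or any Opto 22 tooling. The inventory rows, host names and firmware string formats (dotted numbers with an optional build suffix) are constructed assumptions.

```python
import re

FIXED = (4, 0, 3)  # first fixed firmware version, per the advisory
AFFECTED_MODELS = {  # model identifiers from the affected-products list
    "GRV-EPIC-PR1", "GRV-EPIC-PR2",
    "GRV-R7-I1VAPM-3", "GRV-R7-MM1001-10", "GRV-R7-MM2001-10",
}

def parse_version(text):
    """Return (major, minor, patch) from the leading dotted number, or None."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())

def triage(inventory):
    """Sort affected-model rows into upgrade / verify / ok buckets."""
    result = {"upgrade": [], "verify": [], "ok": []}
    for host, model, firmware in inventory:
        if model.strip().upper() not in AFFECTED_MODELS:
            continue  # model is not listed in the advisory
        version = parse_version(firmware)
        if version is None:
            result["verify"].append(host)   # unreadable firmware: check by hand
        elif version < FIXED:
            result["upgrade"].append(host)  # below 4.0.3: schedule the upgrade
        else:
            result["ok"].append(host)
    return result

# Constructed sample inventory: (host, model, firmware string as recorded).
SAMPLE = [
    ("plc-intake-01", "GRV-EPIC-PR1", "3.6.0"),
    ("plc-intake-02", "GRV-EPIC-PR2", "4.0.3"),
    ("rio-pump-07", "GRV-R7-MM1001-10", "4.0.2-b.15"),
    ("rio-pump-08", "grv-r7-mm2001-10", "unknown"),
    ("rio-meter-03", "GRV-R7-I1VAPM-3", "4.1"),
    ("hmi-lab-01", "OTHER-MODEL", "1.0.0"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Devices in the verify bucket have no readable firmware version and should be treated as unpatched until checked on the device itself.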