Opto 22 GRV-EPIC and groov RIO
Monitor · 6.2 · ICS-CERT ICSA-25-324-03 · Nov 20, 2025
Attack Vector: Network
Auth Required: High
Complexity: High
User Interaction: None needed
Summary
A command injection vulnerability in Opto 22 GRV-EPIC and groov RIO firmware versions prior to 4.0.3 allows an authenticated attacker with high-level administrative privileges to execute arbitrary shell commands with root privileges on the affected devices. This could enable an attacker to alter device behavior, modify process logic, or disrupt operations. The vulnerability has high attack complexity and requires valid high-privilege credentials. Opto 22 has released firmware version 4.0.3 as a fix.
What this means
What could happen
An attacker with high-level credentials could run arbitrary commands with root privileges on GRV-EPIC and groov RIO controllers, potentially allowing them to modify process logic, alter setpoints, or shut down industrial operations.
Who's at risk
Water utilities, municipal electric systems, and other industrial facilities using Opto 22 GRV-EPIC and groov RIO programmable logic controllers (PLCs) and remote I/O devices for process automation and monitoring should assess their exposure. These devices are commonly used for process control, data acquisition, and remote site monitoring in water treatment, wastewater, power distribution, and manufacturing.
How it could be exploited
An attacker must first gain access to the device's administrative interface, likely through compromised engineering workstation credentials or by reaching the device from the network. Once authenticated with high-level privileges, they can execute arbitrary shell commands that run with root access on the controller.
Prerequisites
- High-level (administrator) credentials on the GRV-EPIC or groov RIO device
- Network access to the device's management interface
- High attack complexity (specific conditions or detailed knowledge of the system required)
Remotely exploitable · High privilege level required for exploitation · No patch available for some models · Affects critical control system devices
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (5)
5 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| groov RIO GRV-R7-I1VAPM-3 Firmware | <4.0.3 | 4.0.3 |
| GRV-EPIC-PR1 Firmware | <4.0.3 | 4.0.3 |
| GRV-EPIC-PR2 Firmware | <4.0.3 | 4.0.3 |
| groov RIO GRV-R7-MM1001-10 Firmware | <4.0.3 | 4.0.3 |
| groov RIO GRV-R7-MM2001-10 Firmware | <4.0.3 | 4.0.3 |
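To turn the table above into an exposure check, the following added example (not code from the advisory or from Opto 22) triages an asset inventory against the listed models and the 4.0.3 fix version. The inventory layout, hostnames and firmware strings are assumptions constructed for illustration; unparsable firmware values are flagged for manual verification rather than assumed patched.

```python
import re

# From the advisory: affected models and the first fixed firmware version.
AFFECTED_MODELS = {
    "GRV-EPIC-PR1", "GRV-EPIC-PR2",
    "GRV-R7-I1VAPM-3", "GRV-R7-MM1001-10", "GRV-R7-MM2001-10",
}
FIXED = (4, 0, 3)

def parse_version(text):
    """Return the leading dotted-numeric part as a 3-tuple, or None."""
    m = re.match(r"\s*v?(\d+(?:\.\d+){0,2})", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(inventory):
    """Classify each (host, model, firmware) row against the advisory."""
    results = {}
    for host, model, firmware in inventory:
        if model.strip().upper() not in AFFECTED_MODELS:
            results[host] = "not-listed"
            continue
        version = parse_version(firmware)
        if version is None:
            # Unknown firmware: do not assume the device is patched.
            results[host] = "verify-manually"
        elif version < FIXED:
            results[host] = "upgrade"
        else:
            results[host] = "fixed"
    return results

# Constructed sample inventory (hostnames and firmware strings are made up).
SAMPLE = [
    ("plant-a-epic1", "GRV-EPIC-PR1", "3.6.0-b.12"),
    ("plant-a-epic2", "GRV-EPIC-PR2", "4.0.3"),
    ("lift-stn-rio1", "GRV-R7-MM1001-10", "4.0"),
    ("lift-stn-rio2", "grv-r7-mm2001-10", "4.1.0"),
    ("pump-rio3", "GRV-R7-I1VAPM-3", "unknown"),
    ("hmi-01", "OTHER-PANEL", "1.2.3"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:15} {status}")
```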
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to GRV-EPIC and groov RIO management interfaces using firewall rules; only allow connections from authorized engineering workstations and block Internet-facing access
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade GRV-EPIC and groov RIO firmware to version 4.0.3 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate control system devices from business networks and the Internet
HARDENING: Use VPN for any required remote access to controllers, and keep VPN software and connected systems updated to current versions
CVEs (1)