Rockwell Automation Arena Simulation

Plan Patch | CVSS 7 | ICS-CERT ICSA-25-329-02 | Nov 14, 2025
Rockwell Automation
Attack path
Attack Vector: Local
Auth Required: None
Complexity: High
User Interaction: Required
Summary

A stack-based buffer overflow vulnerability in Rockwell Automation Arena Simulation allows local attackers to execute arbitrary code if they gain access to a machine running the software. The vulnerability is triggered through user interaction (opening a file or the application) and requires no network access or authentication. The product entry listed as Arena Simulation Stack-Based is end of life and will not receive a fix from the vendor. Arena Simulation versions 16.20.10 and earlier can be patched by updating to 16.20.11.

What this means
What could happen
An attacker with local access to a computer running Arena Simulation could run arbitrary code, potentially altering simulation parameters, models, or analysis results used to design or validate industrial processes.
Who's at risk
Engineering and simulation personnel at utilities and manufacturers who use Rockwell Automation Arena Simulation for process design, optimization, and validation. This affects workstations and simulation servers in design and engineering departments, not directly operational PLCs or SCADA systems, but can impact the integrity of designs deployed to production systems.
How it could be exploited
An attacker must first gain local access to a workstation or server running Arena Simulation. They then exploit a stack-based buffer overflow to execute arbitrary code with the privileges of the user running the application. No network access or authentication is required.
Prerequisites
  • Local access to a workstation or server running Arena Simulation
  • User interaction required (the application must be running or triggered to open a malicious file)
  • No valid credentials needed
  • stack-based buffer overflow (CWE-121)
  • local code execution
  • user interaction required to trigger
  • affects design tools that inform operational decisions
  • Stack-Based version has no fix planned
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
1 with fix, 1 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Arena Simulation Stack-Based | All versions | No fix (EOL) |
| Arena Simulation: <=16.20.10 | ≤ 16.20.10 | 16.20.11 |
Remediation & Mitigation
Do now
WORKAROUND: Disable local file sharing and restrict removable media access on workstations running Arena Simulation to reduce attack surface
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Arena Simulation to version 16.20.11 or later
Mitigations - no patch available
Arena Simulation Stack-Based has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Restrict local access to workstations running Arena Simulation to authorized engineering and simulation personnel only
HARDENING: Implement application whitelisting on machines running Arena Simulation to prevent unauthorized code execution