Rockwell Automation Verve Asset Manager
Plan Patch | CVSS 7.9 | ICS-CERT ICSA-26-020-03 | Jan 20, 2026
Rockwell Automation
Attack path
Attack Vector: Network
Auth Required: High
Complexity: High
User Interaction: None needed
Summary
Rockwell Automation Verve Asset Manager versions 1.33 through 1.41.3 contain vulnerabilities that allow an attacker with high-privilege access to the application to access sensitive information stored in variables within the ADI server component. The vulnerability is related to insecure storage of sensitive data and inadequate protection of system variables. Rockwell Automation resolved the issue in version 1.42. The ADI server component has been optional since version 1.36.
What this means
What could happen
An attacker with high-privilege access to the Verve Asset Manager could extract sensitive data stored in the system's ADI (Asset Data Interface) server, potentially exposing credentials, configuration details, or process information used to manage your industrial assets.
Who's at risk
Organizations using Rockwell Automation Verve Asset Manager for asset inventory, configuration management, or remote monitoring of industrial devices should assess whether they are running affected versions. This is particularly relevant for utilities, manufacturing, and critical infrastructure operators that rely on Verve Asset Manager for fleet management across PLCs, drives, and other industrial controllers.
How it could be exploited
An attacker must first gain high-privilege credentials or access to the Verve Asset Manager application. Once authenticated with administrative rights, they can query the ADI server to retrieve sensitive information stored in variables that should be protected.
Prerequisites
- High-privilege credentials or account access to Verve Asset Manager (administrative or engineering level)
- Network access to the Verve Asset Manager application
- ADI server component enabled in the system configuration
- Requires high-privilege credentials (reduces exposure but increases impact if compromised)
- High CVSS score (7.9) indicates significant confidentiality and integrity impact
- Information disclosure could expose sensitive configuration or credentials
- No active exploitation detected but vulnerability affects all prior versions
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (13)
12 with fix, 1 EOL
Product | Affected Versions | Fix Status
Verve Asset Manager | All versions | No fix (EOL)
Verve Asset Manager: 1.34 | 1.34 | 1.42
Verve Asset Manager: 1.35 | 1.35 | 1.42
Verve Asset Manager: 1.36 | 1.36 | 1.42
Verve Asset Manager: 1.37 | 1.37 | 1.42
Verve Asset Manager: 1.38 | 1.38 | 1.42
Verve Asset Manager: 1.39 | 1.39 | 1.42
Verve Asset Manager: 1.40 | 1.40 | 1.42
Remediation & Mitigation
Do now
Verve Asset Manager
- HARDENING: Restrict network access to Verve Asset Manager to authorized engineering and administrative personnel only
All products
- WORKAROUND: Disable the ADI server component if not required for your operational workflow
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Verve Asset Manager
- HOTFIX: Update Verve Asset Manager to version 1.42 or later
All products
- HARDENING: Implement role-based access control to limit which accounts have high-privilege access to the ADI server component
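The following is an added example, not part of the advisory or any Rockwell Automation tooling: it triages an inventory of Verve Asset Manager installations against the version range, fix version and ADI workaround stated above. The inventory rows, hostnames and the `adi_enabled` flag are constructed assumptions; how you collect them depends on your environment.

```python
import re

# Values taken from the advisory summary above.
AFFECTED_MIN = (1, 33, 0)   # first affected version
AFFECTED_MAX = (1, 41, 3)   # last affected version
FIXED = (1, 42, 0)          # first fixed version
ADI_OPTIONAL = (1, 36, 0)   # ADI server component optional from here on

def parse_version(text):
    """'1.41.3' -> (1, 41, 3). Integer parts, so 1.4 and 1.40 stay distinct."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,2}", text):
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def triage(version_text, adi_enabled):
    """Map one installation to the advisory's remediation steps."""
    v = parse_version(version_text)
    if v >= FIXED:
        return "fixed"
    if not AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "review"  # outside the range the summary states
    if not adi_enabled:
        return "patch"  # vulnerable component is off; schedule the update
    if v >= ADI_OPTIONAL:
        return "disable-adi-or-restrict-then-patch"
    # Assumption: before 1.36 the ADI server cannot be switched off.
    return "restrict-then-patch"

# Constructed sample inventory: (hostname, version, adi_enabled).
INVENTORY = [
    ("vam-plant-a", "1.34", True),
    ("vam-plant-b", "1.40", True),
    ("vam-plant-c", "1.41.3", False),
    ("vam-lab", "1.42", True),
    ("vam-old", "1.4", True),
]

def triage_inventory(rows):
    return {host: triage(ver, adi) for host, ver, adi in rows}

if __name__ == "__main__":
    for host, action in triage_inventory(INVENTORY).items():
        print(f"{host:12} {action}")
```

Versions are compared as integer tuples because string or float comparison treats 1.4 and 1.40 as the same release and misorders 1.41.3 against 1.41.10.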
CVEs (2)
API: /api/v1/advisories/e9bbbc59-6701-49a0-a2f5-118155ed1585