Rockwell Automation Verve Asset Manager
Plan Patch | 7.9 | ICS-CERT ICSA-26-020-03 | Jan 20, 2026
Attack Vector: Network
Auth Required: High
Complexity: High
User Interaction: None needed
Summary
Rockwell Automation Verve Asset Manager versions 1.33 through 1.41.3 contain a vulnerability (CWE-922, CWE-312) that allows attackers with administrative privileges to access sensitive information stored in ADI server variables. This information could include authentication credentials or operational data. The vulnerability was resolved in version 1.42. The ADI server component has been optional since version 1.36.
What this means
What could happen
An attacker with administrative access could read sensitive information stored in the ADI server variables, potentially exposing authentication credentials or process data critical to control system operation.
Who's at risk
Organizations using Rockwell Automation Verve Asset Manager for cybersecurity monitoring and asset visibility in industrial networks, particularly those deploying versions 1.33 through 1.41.3 with the ADI server component enabled. This affects critical infrastructure operators managing electrical distribution, water/wastewater treatment, and manufacturing facilities.
How it could be exploited
An attacker with high privileges on the network would need to authenticate to Verve Asset Manager and access the ADI server component to retrieve sensitive variables. Because the component has been optional since version 1.36, exposure depends on whether your deployment has enabled it.
Prerequisites
- Administrative or engineering privileges to access Verve Asset Manager
- Network access to Verve Asset Manager and ADI server
- ADI server component enabled in your deployment (optional since v1.36)
- No authentication required to exploit if network access achieved
- Sensitive data exposure (credentials, process data)
- Affects administrative access only
- No patch available for versions 1.33–1.41.3
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (12)
12 with fix
Product | Affected Versions | Fix Status
Verve Asset Manager: 1.34 | 1.34 | 1.42
Verve Asset Manager: 1.35 | 1.35 | 1.42
Verve Asset Manager: 1.36 | 1.36 | 1.42
Verve Asset Manager: 1.37 | 1.37 | 1.42
Verve Asset Manager: 1.38 | 1.38 | 1.42
Verve Asset Manager: 1.39 | 1.39 | 1.42
Verve Asset Manager: 1.40 | 1.40 | 1.42
Verve Asset Manager: 1.41 | 1.41 | 1.42
Remediation & Mitigation
Do now
- WORKAROUND: Disable the ADI server component in Verve Asset Manager if not required for your operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Verve Asset Manager to version 1.42 or later
Long-term hardening
- HARDENING: Implement network segmentation to restrict access to Verve Asset Manager to authorized engineering workstations only
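
Added example (not part of the advisory or of any Rockwell Automation tooling): a triage of an asset inventory against the affected range 1.33 through 1.41.3, mapping each deployment to one of the remediation steps above. The inventory, its host names and column names are constructed, and treating ADI as always present before 1.36 is an assumption drawn from "optional since version 1.36".

```python
import csv
import io

AFFECTED_MIN = (1, 33)       # first affected version (from the advisory)
AFFECTED_MAX = (1, 41, 3)    # last affected version (from the advisory)
ADI_OPTIONAL_FROM = (1, 36)  # ADI server is optional from this version on

# Constructed sample inventory; host names and column names are hypothetical.
SAMPLE_INVENTORY = """host,vam_version,adi_enabled
vam-plant-a,1.35,no
vam-plant-b,1.41.3,yes
vam-plant-c,1.40,no
vam-plant-d,1.42,yes
vam-plant-e,unknown,yes
"""

def parse_version(text):
    """Parse '1.41.3' into (1, 41, 3); return None if it is not dotted digits."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:  # so 1.41.3.0 compares equal to 1.41.3
        nums.pop()
    return tuple(nums)

def triage(version_text, adi_enabled):
    """Map one deployment to an action taken from the advisory's remediation list."""
    v = parse_version(version_text)
    if v is None:
        return "verify-version"           # cannot decide without a real version
    if not (AFFECTED_MIN <= v <= AFFECTED_MAX):
        return "not-affected"
    # Assumption: before 1.36 the ADI server was not optional, so treat it as present.
    if adi_enabled or v < ADI_OPTIONAL_FROM:
        return "exposed-update-to-1.42"   # also disable ADI now where the version allows it
    return "affected-schedule-update"     # ADI off: not exposed, still update to 1.42

def triage_inventory(csv_text):
    """Return {host: action} for every row of the inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["vam_version"], r["adi_enabled"].strip().lower() == "yes")
            for r in rows}

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {action}")
```

Versions are compared as integer tuples because a plain string comparison would place "1.4" inside the range "1.33" to "1.41.3".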
CVEs (2)