OTPulse

Rockwell Lifecycle Services with VMware are Vulnerable to third-party Vulnerabilities (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239)

Action: Plan Patch · CVSS 9.3 · SD1730 · Jul 16, 2025
Summary

Rockwell Lifecycle Services deployed with VMware is exposed to four vulnerabilities in the underlying VMware virtualization stack (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239); the CVE identifiers belong to VMware (Broadcom), which tracks them in its own advisory. The highest CVSS score among the four is 9.3. All versions of Lifecycle Services are affected, and no Rockwell-supplied patch is currently available; fixes for the underlying component are published by VMware, not by Rockwell Automation.

What this means
What could happen
An attacker who already has a foothold inside a virtual machine on an affected VMware host could use these vulnerabilities to execute code on the hypervisor itself, compromising the system hosting Lifecycle Services and every other VM on the same host. From there the attacker could disrupt engineering tools and tamper with, or cut off access to, the configuration and historical data that Lifecycle Services holds for Rockwell control equipment.
Who's at risk
Engineering teams and plant personnel who use Rockwell Lifecycle Services to manage, configure, and monitor Rockwell PLCs, drives, and other automation equipment. This affects any organization running Rockwell Lifecycle Services for asset lifecycle management.
How it could be exploited
According to VMware's advisory for these identifiers, three of the four issues (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238) are exploitable by an attacker who holds local administrative privileges inside a virtual machine and yield code execution on the host (a guest-to-host escape); CVE-2025-41239 is an information-disclosure issue. In a Lifecycle Services deployment on VMware, the practical chain is therefore: gain code execution in any guest on the same hypervisor (an exposed Lifecycle Services web interface or API is one plausible entry point, but any reachable VM will do), escape to the host, and then modify stored configurations or interfere with engineering operations from a position the Lifecycle Services application itself cannot see.
Prerequisites
  • A foothold with administrative privileges inside a virtual machine on the affected VMware host; an exposed Lifecycle Services web interface or API is one way to obtain it
  • Lifecycle Services deployment (or another guest on the same hypervisor) reachable from a network the attacker can access
  • Unpatched VMware version beneath the deployed Lifecycle Services instance
Tags: remotely exploitable · no patch available · critical severity · third-party dependency risk
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product                          Affected Versions   Fix Status
Lifecycle Services with VMware   All versions        No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate Lifecycle Services from untrusted networks using a firewall or network segmentation; restrict access to engineering personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: Monitor Rockwell Automation security bulletins and CISA alerts for patches or updates to the third-party components used by Lifecycle Services; for the VMware layer, apply the fixed versions listed in VMware's own advisory for these CVEs to the hosts beneath the deployment
HOTFIX: Coordinate with Rockwell Automation to determine when third-party vulnerability fixes will be incorporated into a Lifecycle Services update
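The "isolate and restrict to engineering personnel" item above only helps if the segmentation actually holds. The following added example (not OTPulse, Rockwell or VMware code) audits a web-server access log for the Lifecycle Services interface against an allowlist of engineering subnets and separates requests that were merely attempted from outside the allowlist from those the application actually served, which are the ones that prove a firewall gap. The subnets, the combined-style log format and the sample log lines are all assumptions constructed for this example; adapt the regex to whatever your reverse proxy or the service itself writes.

```python
"""Added example: check that network segmentation around a Lifecycle Services
web interface is holding, by auditing access-log lines against an allowlist.
Not OTPulse/Rockwell/VMware code; subnets, log format and lines are assumptions."""
import ipaddress
import re
from collections import Counter

# Assumption: engineering workstations live in these subnets. Adjust per site.
ENGINEERING_SUBNETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("10.20.1.0/24"),
]

# Assumption: combined-log-style lines "client ident user [ts] "request" status ...".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample log: two engineering clients, one stray office host that was
# served a page, and one Internet address that was rejected by the application.
SAMPLE_LOG = """\
10.20.0.15 - - [16/Jul/2025:09:12:01 +0000] "GET /api/assets HTTP/1.1" 200
10.20.1.7 - - [16/Jul/2025:09:13:44 +0000] "POST /api/config/upload HTTP/1.1" 201
192.168.50.9 - - [16/Jul/2025:09:14:02 +0000] "GET /login HTTP/1.1" 200
203.0.113.44 - - [16/Jul/2025:09:15:27 +0000] "GET /api/assets HTTP/1.1" 401
203.0.113.44 - - [16/Jul/2025:09:15:29 +0000] "POST /api/config/upload HTTP/1.1" 403
"""


def is_engineering(ip, subnets=ENGINEERING_SUBNETS):
    """True if the client address falls inside one of the allowlisted subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in subnets)


def audit(log_text, subnets=ENGINEERING_SUBNETS):
    """Return (ip, request, status) for every request from outside the allowlist.

    Unparseable lines and malformed client fields are skipped rather than
    treated as violations, so a noisy log does not drown the real findings.
    """
    violations = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if not any(addr in net for net in subnets):
            violations.append((m["ip"], m["req"], int(m["status"])))
    return violations


def reached_application(violations):
    """Subset of violations the application actually served (status < 400).

    A 401/403 shows the app's own auth held; a 2xx/3xx from a non-engineering
    address shows the network control the advisory recommends is not in place.
    """
    return [v for v in violations if v[2] < 400]


def summarize(violations):
    """Offending source addresses, most active first, to trace the firewall gap."""
    return Counter(ip for ip, _, _ in violations).most_common()


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for ip, count in summarize(found):
        print(f"{ip}: {count} request(s) from outside the engineering allowlist")
    for ip, req, status in reached_application(found):
        print(f"SERVED to non-engineering client {ip}: {req} -> {status}")
```

Run it against the real access log (or feed it through a SIEM search that produces the same fields) after the firewall change; any line reported by `reached_application` means the segmentation rule is not doing what the advisory assumes.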