Rockwell Automation SIS Workstation Vulnerability Exposes Critical Manufacturing
Executive Summary
In November 2025, Rockwell Automation disclosed a critical path traversal vulnerability (CVE-2024-48510) in its AADvance-Trusted SIS Workstation software, impacting versions 2.00.00 to 2.00.04. The flaw stems from improper validation in the DotNetZip component, enabling remote attackers to execute arbitrary code if a victim opens a malicious file. This issue poses significant risks to critical manufacturing systems worldwide, potentially allowing adversaries to compromise safety instrumented system environments. Rockwell has released a patch in version 2.01.00 to address the flaw.
This vulnerability is particularly noteworthy due to its low attack complexity, remote exploitability, and potential for widespread impact across global critical infrastructure. The incident underscores ongoing supply chain risks in industrial software and the urgent need for timely patching, robust endpoint security, and defense-in-depth strategies for operational technology (OT) environments.
Why This Matters Now
With industrial control systems increasingly targeted by sophisticated cyber actors, unpatched path traversal flaws such as CVE-2024-48510 create a direct avenue for remote code execution in critical manufacturing operations. Immediate attention is required to prevent potential disruptions and safety hazards, especially as such vulnerabilities gain the attention of ransomware and APT groups.
Attack Path Analysis
An attacker lured a victim into opening a maliciously crafted zip file exploiting a path traversal vulnerability in Rockwell AADvance-Trusted SIS Workstation, leading to initial compromise via remote code execution. Upon gaining access, the attacker sought ways to escalate privileges on the compromised system. Lateral movement within internal network spaces potentially followed, exploiting east-west network flows. To maintain persistence and control, the attacker may have set up command and control channels for remote access. Data exfiltration or outbound communications could occur next, utilizing unfiltered egress channels. Ultimately, system integrity or the broader safety environment could be impacted, risking business disruption or manipulation of critical safety systems.
Kill Chain Progression
Initial Compromise
Description
Victim opens a malicious zip file containing crafted directory traversal paths, allowing remote code execution on the workstation.
Related CVEs
CVE-2024-48510
CVSS 9.8A directory traversal vulnerability in DotNetZip v1.16.0 and earlier allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component.
Affected Products:
Rockwell Automation AADvance-Trusted SIS Workstation – 2.00.00, 2.00.01, 2.00.02, 2.00.03, 2.00.04
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
User Execution
Phishing
Command and Scripting Interpreter
Exploitation of Remote Services
Ingress Tool Transfer
Hijack Execution Flow: Path Interception by Search Order Hijacking
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Addressing Security Vulnerabilities
Control ID: 6.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 8
CISA Zero Trust Maturity Model 2.0 – Continuous Vulnerability Management
Control ID: Asset Management
NIS2 Directive – Vulnerability Handling and Disclosure
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Industrial Automation
Critical vulnerability in Rockwell AADvance-Trusted SIS Workstation enables remote code execution, directly compromising safety instrumented systems and manufacturing control infrastructure.
Oil/Energy/Solar/Greentech
Path traversal vulnerability threatens safety systems managing hazardous processes, potentially causing catastrophic failures in refineries, power plants, and renewable energy facilities.
Chemicals
Safety Instrumented System compromise could disable critical safety controls protecting against chemical releases, explosions, and toxic exposure incidents in manufacturing processes.
Utilities
Remote exploitation of safety workstations managing water treatment, power generation, and distribution systems poses severe risks to essential public infrastructure services.
Sources
- Rockwell Automation AADvance-Trusted SIS Workstationhttps://www.cisa.gov/news-events/ics-advisories/icsa-25-317-10Verified
- Rockwell Automation Security Advisory SD1761https://www.rockwellautomation.com/en-pr/trust-center/security-advisories.htmlVerified
- NVD Entry for CVE-2024-48510https://nvd.nist.gov/vuln/detail/CVE-2024-48510Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust CNSF controls—such as segmentation, east-west traffic enforcement, inline IPS, and egress policy—would have constrained the attacker's ability to execute code, move laterally, establish persistence, and exfiltrate data. These controls reduce attack surface, detect anomalous behaviors, and enforce strict policy boundaries in hybrid-cloud and ICS environments.
Control: Inline IPS (Suricata)
Mitigation: Malicious file activity or exploit signatures detected and blocked at network edge.
Control: Threat Detection & Anomaly Response
Mitigation: Unusual privilege escalation or suspicious execution flagged for incident response.
Control: Zero Trust Segmentation
Mitigation: Unauthorized east-west movement is blocked between network segments.
Control: Cloud Firewall (ACF)
Mitigation: Outbound C2 channels and malicious destinations are detected and blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Sensitive data exfiltration attempts are stopped or logged for response.
Critical operational changes and suspicious system events are surfaced for rapid mitigation.
Impact at a Glance
Affected Business Functions
- Safety Instrumented System Operations
- Process Control
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive process control data and system configurations.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement between SIS workstations and other network assets.
- • Deploy Inline IPS and continuous Threat Detection to monitor, alert, and prevent exploit attempts and abnormal user behavior.
- • Enforce stringent egress filtering policies to block unauthorized data exports and outbound C2 channels.
- • Maintain comprehensive Multicloud Visibility to rapidly detect, investigate, and respond to anomalous activities or policy violations.
- • Immediately upgrade vulnerable software components and perform regular security posture assessments focusing on identity and traffic flow governance.
