Executive Summary
In November 2025, Rockwell Automation disclosed critical vulnerabilities affecting its Studio 5000 Simulation Interface used across chemical and manufacturing sectors. The issues—Improper Limitation of a Pathname to a Restricted Directory (CVE-2025-11696) and Server-Side Request Forgery (CVE-2025-11697)—allowed local attackers to execute arbitrary scripts with administrator privileges and capture NTLM hashes via outbound SMB requests. The vulnerabilities impacted versions 2.02 and earlier, and, if exploited, could grant attackers lateral movement or privileged control within industrial environments, threatening operational integrity and sensitive data.
These vulnerabilities highlight ongoing threats to industrial control systems (ICS) and the continued focus of adversaries on exploiting misconfigurations and overlooked APIs. With increasing regulatory pressure for critical infrastructure resilience and the evolution of ICS-specific ransomware and supply chain attacks, such vulnerabilities remain a potent risk requiring constant attention and timely remediation.
Why This Matters Now
Exploits targeting ICS environments are growing as attackers seek to disrupt critical infrastructure and steal valuable operational data. Immediate attention is vital due to the high severity (CVSS 9.3), the potential for privilege escalation, and sector-wide exposure across global deployments. Rapid patching and heightened network segmentation are urgent to prevent cascading industrial impacts.
Attack Path Analysis
The attacker gains initial access to the host running Rockwell Automation Studio 5000 Simulation Interface by leveraging local access and valid user credentials. Privilege escalation is achieved by exploiting a path traversal vulnerability (CVE-2025-11696) to execute scripts with Administrator privileges upon system reboot. The attacker may attempt lateral movement within the environment, potentially accessing internal resources or sensitive data. Using the server-side request forgery (SSRF) flaw (CVE-2025-11697), the attacker triggers outbound SMB requests to capture NTLM hashes, establishing a foothold for command and control. NTLM hashes or extracted data may be exfiltrated through covert outbound requests. Ultimately, the attacker could use elevated privileges to impact industrial control system operations, manipulate simulations, or disrupt manufacturing processes.
Kill Chain Progression
Initial Compromise
Description
An attacker who already holds local user credentials, or who has physical or insider access to the host, targets the on-premises Studio 5000 Simulation Interface installation.
Related CVEs
CVE-2025-11696
CVSS 8.1
A local code execution vulnerability in Studio 5000 Simulation Interface allows any Windows user on the system to extract files using path traversal sequences, resulting in execution of scripts with Administrator privileges on system reboot.
Affected Products:
Rockwell Automation Studio 5000 Simulation Interface – 2.02 and prior
Exploit Status:
no public exploit
CVE-2025-11697
CVSS 8.1
A local server-side request forgery (SSRF) vulnerability in Studio 5000 Simulation Interface allows any Windows user on the system to trigger outbound SMB requests, enabling the capture of NTLM hashes.
Affected Products:
Rockwell Automation Studio 5000 Simulation Interface – 2.02 and prior
Exploit Status:
no public exploit
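To triage which hosts carry an affected build, here is an added PowerShell check (not part of the advisory or of Rockwell's own tooling) that reads the Windows Uninstall registry entries and flags Studio 5000 Simulation Interface installs at 2.02 or earlier. The DisplayName pattern and the assumption that the product records a DisplayVersion that [version] can parse are assumptions.

```powershell
# Added example: flag installs of Studio 5000 Simulation Interface at 2.02 or earlier.
# Assumptions: the product appears under the standard Uninstall keys with a
# DisplayName containing "Studio 5000 Simulation Interface" and a DisplayVersion
# such as "2.02.00" that [version] can parse.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-AffectedVersion {
    param([string]$DisplayVersion)
    $ver = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$ver)) { return $null }
    # "2.02 and prior" are affected. Compare against 2.03 rather than -le 2.02 so that a
    # four-part string such as 2.02.00.0 (which sorts above the two-part 2.02) still matches.
    return ($ver -lt [version]'2.03')
}

function Get-SimulationInterfaceExposure {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Studio 5000 Simulation Interface*' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Product  = $_.DisplayName
                Version  = $_.DisplayVersion
                # $null means the version string could not be parsed: review that host manually
                Affected = Test-AffectedVersion $_.DisplayVersion
            }
        }
}

Get-SimulationInterfaceExposure | Format-Table -AutoSize
```

Run it through your endpoint management tool or Invoke-Command across the ICS estate to build the remediation list before patching.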
MITRE ATT&CK® Techniques
Path Interception by PATH Environment Variable
Registry Run Keys / Startup Folder
Exploitation for Privilege Escalation
Exploitation of Remote Services
Exfiltration Over SMB
Browser Session Hijacking
LLMNR/NBT-NS Poisoning and SMB Relay
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Restrict access to system components and cardholder data by business need to know
Control ID: 7.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy Required
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Requirements
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Enforce least privilege and segmentation for devices and software
Control ID: Pillar 1: Identity – Device Access Management
NIS2 Directive – Technical and Organisational Measures for Security of Network and Information Systems
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Critical Manufacturing
Rockwell Automation Studio 5000 vulnerabilities enable path traversal and SSRF attacks, compromising industrial control systems with Administrator privilege escalation risks.
Chemicals
CISA-identified critical infrastructure sector faces severe OT security risks from Studio 5000 SSRF vulnerabilities enabling NTLM hash capture and system compromise.
Oil/Energy/Solar/Greentech
Industrial control system vulnerabilities in Studio 5000 simulation interface threaten energy infrastructure through local privilege escalation and credential harvesting attacks.
Automotive
Manufacturing automation systems using Rockwell Studio 5000 face critical security gaps with path traversal exploits potentially disrupting production control networks.
Sources
- Rockwell Automation Studio 5000 Simulation Interface (CISA advisory ICSA-25-317-06): https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-06
- SD1760 | Studio 5000 Simulation Interface - Multiple Vulnerabilities (Rockwell Automation): https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1760.html
- NVD - CVE-2025-11696: https://nvd.nist.gov/vuln/detail/CVE-2025-11696
- NVD - CVE-2025-11697: https://nvd.nist.gov/vuln/detail/CVE-2025-11697
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, rigorous egress policy enforcement, workload isolation, and advanced threat/anomaly detection would have constrained the attacker’s ability to escalate privileges, move laterally, exfiltrate NTLM hashes, or impact industrial systems. CNSF controls mapped to these capabilities could have prevented exploitation, limited unauthorized access, and detected anomalous activity at multiple stages of the kill chain.
Control: Zero Trust Segmentation
Mitigation: Unauthorized users would be isolated and unable to interact with sensitive workloads without explicit policy.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious privilege elevation events and unauthorized script execution are detected and alerted upon.
Control: East-West Traffic Security
Mitigation: Lateral movement is restricted between workloads by default and anomalous internal flows are flagged.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound SMB and unauthorized egress channels are blocked or flagged for inspection.
Control: Cloud Firewall (ACF)
Mitigation: Data exfiltration attempts over non-approved or anomalous channels are detected and prevented.
Critical changes and anomalous behaviors are quickly detected and contained before operational impact.
Impact at a Glance
Affected Business Functions
- Industrial Control Systems Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of NTLM hashes, leading to unauthorized access and control over industrial systems.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation to strictly isolate ICS workloads from general-purpose users and networks.
- Enforce east-west and egress controls to limit lateral and outbound movement, explicitly blocking unauthorized SMB and SSRF-related protocols.
- Deploy runtime threat detection and anomaly monitoring to rapidly uncover privilege escalation, path traversal, and exfiltration behaviors.
- Leverage centralized multicloud visibility for comprehensive monitoring and real-time policy governance across all environments.
- Regularly review application access and update legacy systems, prioritizing remediation of ICS vulnerabilities and adherence to industry guidance.
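The egress control (blocking or flagging outbound SMB) and the recommendation above to block unauthorized SMB, as an added PowerShell example that is not part of the advisory or of any CNSF product: it scopes a Windows Defender Firewall block rule to outbound SMB destinations outside an approved file-server subnet, enables failure auditing for the Filtering Platform so blocked attempts are logged, and lists recent blocked outbound SMB connections together with the originating process. The 10.10.20.0/24 subnet is a constructed placeholder.

```powershell
# Added example: constrain and monitor outbound SMB from a Studio 5000 host.
# Windows Defender Firewall evaluates Block rules ahead of Allow rules, so a blanket
# "block 445" rule would also defeat an Allow rule for approved file servers. The Block
# rule is therefore scoped to every IPv4 range outside the approved subnet.
# 10.10.20.0/24 is a constructed placeholder for the approved file-server subnet.
$BlockScope = @('0.0.0.0-10.10.19.255', '10.10.21.0-255.255.255.255')

if (-not (Get-NetFirewallRule -DisplayName 'ICS-Block-Outbound-SMB' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'ICS-Block-Outbound-SMB' -Direction Outbound `
        -Protocol TCP -RemotePort @('139', '445') -RemoteAddress $BlockScope -Action Block
}

# Log blocked connections (Event ID 5157) so SMB attempts toward unapproved hosts are visible.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

function Get-BlockedSmbEgress {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 5157; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Direction %%14593 is Outbound in WFP events (%%14592 is Inbound).
        if ($data.Direction -eq '%%14593' -and $data.DestPort -in @('139', '445')) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Process     = $data.Application   # path of the process that attempted the connection
                Destination = '{0}:{1}' -f $data.DestAddress, $data.DestPort
            }
        }
    }
}

Get-BlockedSmbEgress | Sort-Object Time -Descending | Format-Table -AutoSize
```

A blocked outbound SMB attempt whose Process is the Simulation Interface rather than a known file-transfer tool is the signal to investigate for the SSRF path described in the attack path analysis.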