Weaknesses in Rockwell Arena Simulation allow attackers to run harmful code from a distance.

Rockwell Automation has disclosed three critical memory corruption vulnerabilities in its Arena® Simulation software, which could enable threat actors to execute arbitrary code remotely on affected systems. The vulnerabilities, identified as CVE-2025-7025, CVE-2025-7032, and CVE-2025-7033, carry a high CVSS 4.0 base score of 8.4 and affect all versions 16.20.09 and prior. Discovered internally during routine testing by security researcher Michael Heinzl, these flaws have been addressed in version 16.20.10, released on August 5, 2025. The vulnerabilities represent serious memory abuse issues, with CVE-2025-7025 involving an out-of-bounds read, CVE-2025-7032 exploiting a stack-based buffer overflow, and CVE-2025-7033 leveraging a heap-based buffer overflow. All three vulnerabilities require user interaction through malicious files or websites, making them particularly dangerous in enterprise environments where Arena Simulation is commonly deployed.

Security analysts have noted that while these vulnerabilities are not currently listed in CISA’s Known Exploited Vulnerability (KEV) database, their high CVSS scores and potential for code execution warrant immediate attention. Each vulnerability carries a CVSS 3.1 base score of 7.8, indicating local attack vectors with low complexity and no required privileges. Rockwell Automation strongly recommends that organisations immediately deploy Arena Simulation version 16.20.10 or later to mitigate these risks. For those unable to upgrade immediately, implementing strict file handling controls is essential to protect against potential exploitation. The Common Weakness Enumeration (CWE) classifications highlight fundamental memory management issues that could lead to information disclosure or complete system compromise.