Description
A local code execution vulnerability exists in the Rockwell Automation Arena® due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.
Scores
CVSS v3
7.8
EPSS
0.0026
EPSS Percentile
49.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-457
CWE-824
Status
published
Products (1)
rockwellautomation/arena
< 16.20.09
Published
Apr 08, 2025
Tracked Since
Feb 18, 2026