PT-2021-7842 · Rockwell Automation · Isagraf Runtime
Published
2021-06-08
·
Updated
2022-08-26
·
CVE-2020-25176
CVSS v3.1
10
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Rockwell Automation ISaGRAF Runtime versions 4.x through 5.x
Description
The vulnerability is a relative path traversal in the ISaGRAF eXchange Layer (IXL) component of the Rockwell Automation ISaGRAF Runtime. Some IXL protocol commands perform file operations, and the parameter that names the target file is not checked for reserved characters (path separators and ".." segments), so a remote, unauthenticated attacker can make those commands operate on files outside the application's directory. Because the affected commands perform file operations on the controller, this can lead to remote code execution.
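The following is an added example, not code from the ISaGRAF Runtime or from this advisory, illustrating the class of defect described above: an untrusted file-name parameter joined onto an application directory without checking for reserved characters, beside a hardened check. The application directory `/isagraf/app`, the `RESERVED_CHARS` policy and the sample parameters are assumptions made for the illustration; the real IXL command format is not modelled.

```python
import posixpath

# Hypothetical application directory the runtime's file commands are meant to
# stay inside; not a real ISaGRAF path.
APP_DIR = "/isagraf/app"

# Reserved characters a bare file-name parameter must never contain: both path
# separators, the NUL byte and a drive/stream colon (assumed policy).
RESERVED_CHARS = ("/", "\\", "\x00", ":")


def unsafe_resolve(base_dir, name):
    """The vulnerable pattern: the untrusted parameter is joined onto the
    application directory and normalised, so '..' segments walk out of it."""
    return posixpath.normpath(posixpath.join(base_dir, name))


def is_safe_name(name):
    """Allow-list check for a single file name with no directory component."""
    if not name or name in (".", ".."):
        return False
    if any(ch in name for ch in RESERVED_CHARS):
        return False
    # Printable ASCII only; a stricter deployment would compare against a fixed
    # list of expected names or extensions instead.
    return all(0x20 <= ord(ch) < 0x7F for ch in name)


def safe_resolve(base_dir, name):
    """Hardened form: reject reserved characters up front, then confirm that the
    normalised result still lies inside base_dir (defence in depth against a
    separator the first check missed). Returns None when the name is rejected.
    If the transport decodes escape sequences, run this on the decoded value."""
    if not is_safe_name(name):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, name))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample parameters, in the spirit of what a file command
    # might carry; the traversal payloads are the ones the check must stop.
    for param in ("program.bin", "../../etc/passwd", "..\\..\\win.ini", "", "a:b"):
        print(repr(param), "unsafe ->", unsafe_resolve(APP_DIR, param),
              "| safe ->", safe_resolve(APP_DIR, param))
```

The example uses `posixpath` so the result is the same on every platform; the backslash payload is shown because a runtime on Windows would treat it as a separator even though a POSIX join does not, which is why the check rejects both separators rather than relying on normalisation alone.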
Recommendations
For versions 4.x through 5.x, restrict network access to the IXL protocol (for example, to trusted engineering workstations only) to minimize the risk of exploitation until a patch can be applied.
As a temporary workaround, because the file-name parameter is supplied by the remote client, block or filter IXL protocol commands whose file-name parameter contains path separators or ".." segments until the issue is resolved.
Fix
Relative Path Traversal (path traversal)
Related Identifiers
Affected Products
Isagraf Runtime