PT-2025-12814 · Rockwell Automation · Verve Asset Manager

Published: 2025-03-20 · Updated: 2025-04-09 · CVE-2025-1449

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Rockwell Automation Verve Asset Manager versions 1.39 and prior

Description: A vulnerability exists in the Rockwell Automation Verve Asset Manager due to insufficient variable sanitizing in the administrative web interface for Verve's Legacy Agentless Device Inventory (ADI) capability. This could allow a threat actor with administrative access to run arbitrary commands in the context of the container running the service. The vulnerability is exploitable remotely with low attack complexity. Rockwell Automation has reported that this vulnerability affects critical manufacturing infrastructure globally, posing risks to organizations that rely on this system for operational management.

Recommendations: For versions 1.39 and prior, upgrade to version 1.40 or apply strict security measures immediately, such as minimizing network exposure of control systems and adopting secure remote access solutions to limit potential attack vectors. As a temporary workaround, consider restricting access to the administrative web interface to minimize the risk of exploitation.

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: BDU:2025-03697, CVE-2025-1449

Affected Products: Verve Asset Manager