Rockwell Automation has issued a critical security advisory addressing multiple remote code execution (RCE) vulnerabilities discovered in its Arena® software.
These vulnerabilities, reported by the Zero Day Initiative (ZDI), expose systems to potential exploitation by adversaries looking to execute arbitrary code.
With the release of updated software versions, Rockwell Automation has taken corrective action and strongly urges users to apply the fixes promptly.
.png
)
Free Webinar on Best Practices for API vulnerability & Penetration Testing: Free Registration
Critical Vulnerabilities Identified
The vulnerabilities affect Arena®, a widely used simulation modeling tool. Four separate security flaws have been identified, each of which could allow a threat actor to gain unauthorized access to systems and execute arbitrary code after user interaction with malicious files.
These vulnerabilities have been classified as high severity, with a CVSS v3.1 score of 7.8 and a CVSS v4.0 score of 8.5. The following outlines the nature of these threats:
CVE-2024-11155
This vulnerability, CVE-2024-11155 stems from a “use after free” issue where the software reuses deallocated resources.
If successfully exploited, an attacker can execute arbitrary code by coercing a user to interact with a maliciously crafted DOE file. The exploit requires user interaction and could significantly impact system confidentiality, integrity, and availability.
CVE-2044-11156
CVE-2024-11156, An “out-of-bounds write” vulnerability allows attackers to write data outside the allocated memory boundary.
This flaw can lead to system instability or arbitrary code execution. Users who inadvertently execute malicious files are at particular risk.
CVE-2024-11158
CVE-2024-11158, Exploitation of this vulnerability is possible due to improper handling of uninitialized variables.
Attackers could use this flaw to manipulate the software, forcing it to access variables that lack proper initialization. A successful attack could allow code execution, compromising system stability and security.
CVE-2024-12130
The final vulnerability, CVE-2024-12130 involves an “out-of-bounds read” flaw, which could allow attackers to access data beyond the allocated memory range.
This can expose sensitive system information or lead to further malicious activities when users interact with compromised DOE files.
Affected Products
The vulnerabilities impact various versions of Arena®. Affected and corrected versions are detailed below:
| CVE ID | Affected Software Versions | Corrected in Version |
| CVE-2024-11155 | All versions 16.20.00 and prior | 16.20.06 and later |
| CVE-2044-11156 | All versions 16.20.03 and prior | 16.20.06 and later |
| CVE-2024-11158 | All versions 16.20.00 and prior | 16.20.06 and later |
| CVE-2024-12130 | All versions 16.20.03 and prior | 16.20.06 and later |
Rockwell Automation has resolved these vulnerabilities in the updated Arena® software version 16.20.06 and later.
The updates address the flaws effectively, mitigating the risks posed by potential exploitation. Users operating on versions before 16.20.03 are advised to upgrade immediately to ensure their systems are protected.
No workarounds are available at this time. However, Rockwell Automation recommends that customers implement the provided updates and follow industry-standard best practices for securing industrial automation systems.
These measures include restricting access to critical systems, ensuring user accounts are safeguarded, and minimizing interaction with untrusted files.
Although no known active exploitation of these vulnerabilities has been reported, Rockwell Automation emphasizes the urgency of applying software updates to mitigate any potential risks.
The organization also encourages users to conduct stakeholder-specific vulnerability assessments to prioritize system protection according to their unique operational needs.
By staying proactive and applying these fixes, organizations can safeguard their Arena® systems against malicious actors and ensure uninterrupted operation in critical environments.
Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses
 vulnerabilities discovered in its Arena® software.){kind=link}