Rockwell Automation Verve Asset Manager


1. EXECUTIVE SUMMARY

  • CVSS v4 8.9
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: Verve Asset Manager
  • Vulnerability: Improper Validation of Specified Type of Input

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker with administrative access to run arbitrary commands in the context of the container running the service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports the following versions of Verve Asset Manager are affected:

  • Verve Asset Manager: Versions 1.39 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER VALIDATION OF SPECIFIED TYPE OF INPUT CWE-1287

A vulnerability exists in the affected product due to insufficient input sanitization. A portion of the administrative web interface for Verve’s Legacy Active Directory Interface (ADI) capability (deprecated since the 1.36 release) allows users to modify a variable that is not adequately sanitized. If exploited, it could allow a threat actor with administrative access to run arbitrary commands in the context of the container running the service.

CVE-2025-1449 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-1449. A base score of 8.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P


This article has been indexed from All CISA Advisories
