CVE-2025-1449 HIGH

CVE-2025-1449: Admin Shell Access Vulnerability in Rockwell Automation Verve Asset Manager

Vendor: Rockwell Automation
Product: Verve Asset Manager
Published: March 31, 2025
Last update: March 31, 2025

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

A vulnerability exists in the Rockwell Automation Verve Asset Manager due to insufficient variable sanitizing. A portion of the administrative web interface for Verve's Legacy Agentless Device Inventory (ADI) capability (deprecated since the 1.36 release) allows users to change a variable with inadequate sanitizing. If exploited, it could allow a threat actor with administrative access to run arbitrary commands in the context of the container running the service.

Key dates

02 Disclosure timeline

March 31, 2025: CVE published
March 31, 2025: Record updated