CVE-2025-60037 HIGH

Vendor: Bosch Rexroth
Product: IndraWorks
Weakness: CWE-502 · Unsafe deserialization
Published: February 18, 2026
Last update: February 18, 2026

CVSS base score

7.8/10
Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running Rexroth IndraWorks.

Key dates

02 Disclosure timeline

February 18, 2026: CVE published
February 18, 2026: Record updated
