CISA issues advisory on Opto 22 GRV-EPIC and groov RIO vulnerabilities
Several models of Opto 22's GRV-EPIC and groov RIO programmable logic controllers exhibit a vulnerability that enables remote execution of Operating System (OS) commands with root-level privileges.
Specifically, this security flaw, identified as CVE-2025-13087, affects GRV-EPIC-PR1 and GRV-EPIC-PR2 firmware versions earlier than 4.0.3, as well as groov RIO firmware versions prior to 4.0.3 across multiple models including GRV-R7-MM1001-10, GRV-R7-MM2001-10, and GRV-R7-I1VAPM-3. The vulnerability exists in the Representational State Transfer (REST) Application Programming Interface (API) component of Groov Manage, where a POST request to a particular endpoint uses header data unsafely to construct an OS command, permitting an attacker who already holds administrative access to execute arbitrary shell commands as root. This issue is categorized under CWE-78, Improper Neutralization of Special Elements used in an OS Command. The Common Vulnerability Scoring System (CVSS) v3.1 rates this vulnerability at 6.2 with vector Attack Vector (AV):N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L, while CVSS v4 assigns a score of 7.5 with vector AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N.
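To make the CWE-78 pattern concrete, the following Python is an added illustration written for this article; it is not Groov Manage code and does not reproduce the affected endpoint. The handler, header name and the `ping` diagnostic are hypothetical stand-ins for "header data used to construct a command". The unsafe builder shows how a header value becomes part of a shell command line, and the hardened builder shows the two controls that close the bug class: allow-list validation of the value and passing it as a single argv element with no shell. A small defender-side check for shell metacharacters in a header is included for use in request filtering or log review.

```python
import re
import subprocess

# Constructed example: a management API handler that turns a request header
# value into a diagnostic command. The endpoint, header and command are
# hypothetical illustrations of the CWE-78 pattern, not Groov Manage code.


def build_command_unsafe(header_value: str) -> str:
    # Vulnerable pattern: the header text is concatenated into a shell string
    # that is later handed to a shell, so shell metacharacters in the header
    # become part of the command line rather than data.
    return f"ping -c 1 {header_value}"


# Allow-list for this command: a plain hostname or IPv4 literal, nothing else.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def validate_host(header_value: str) -> str:
    # Reject anything that does not match the expected shape of a host name.
    if not _HOST_RE.fullmatch(header_value):
        raise ValueError("header value is not a valid host")
    return header_value


def build_command_safe(header_value: str) -> list[str]:
    # Hardened pattern: validate against the allow-list, then pass the value as
    # one argv element. With no shell involved, metacharacters cannot alter the
    # structure of the command.
    host = validate_host(header_value)
    return ["ping", "-c", "1", host]


def run_diagnostic(header_value: str) -> subprocess.CompletedProcess:
    # Executes the hardened form; shell=False sends argv straight to execve().
    argv = build_command_safe(header_value)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)


def header_looks_injected(header_value: str) -> bool:
    # Defender-side check for a request filter or log review: does the header
    # carry characters that only have meaning to a shell?
    return any(ch in header_value for ch in ";|&$`<>\n()")


if __name__ == "__main__":
    # Constructed header values; the second mimics a malformed request.
    for value in ("plc01.example", "10.0.0.1; echo injected"):
        print(repr(value), "suspicious:", header_looks_injected(value))
        try:
            print("  argv:", build_command_safe(value))
        except ValueError as exc:
            print("  rejected:", exc)
```

The hardened path depends on both controls together: validation keeps unexpected input out of the argument entirely, and the argv list keeps whatever is accepted from ever being parsed by a shell. Dropping either one leaves a narrower but still real injection surface.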
Successful exploitation allows arbitrary shell commands to run with root privileges, presenting a risk of unauthorized control of affected systems.
Opto 22 provides a firmware update addressing this vulnerability and recommends that users upgrade affected devices to version 4.0.3. Documentation detailing the patch is available from the vendor.
Security guidance includes minimizing exposure of control system devices to external networks and the internet, isolating control systems behind firewalls, and employing secure remote access methods such as Virtual Private Networks (VPNs) that are kept up to date. CISA advises organizations to conduct thorough impact analysis and risk assessment before applying defensive measures and references several resources on control systems security practices. No reports of exploitation targeting this vulnerability have been documented, and the attack complexity is rated high.