CISA issues alert on Rockwell Automation Arena Simulation vulnerability

A stack-based buffer overflow vulnerability has been identified in Rockwell Automation's Arena Simulation software, which could enable local network attackers to execute arbitrary code on affected systems.

The issue, tracked as CVE-2025-11918, affects Arena Simulation versions 16.20.10 and earlier. The flaw lies in the parsing of DOE files and can be triggered by opening a malicious DOE file. The vulnerability requires local network access for exploitation and has been assigned a Common Vulnerability Scoring System (CVSS) v3.1 base score of 7.0 and a CVSS v4 base score of 7.1, reflecting the conditions detailed in their respective vector strings.

Successful exploitation of the defect may allow an attacker to run arbitrary code within the Arena software environment.

Rockwell Automation has provided an update to Arena Simulation, version 16.20.11, which addresses this vulnerability. Users unable to upgrade are directed to implement the vendor's security best practices. At this time, there are no reports of this vulnerability being exploited remotely or publicly.

Recommendations include reducing the exposure of control system devices by ensuring they are not accessible via the internet, employing network segregation, and using secure remote access methods like updated VPNs. Organizations are advised to assess risks and impacts carefully before applying defense measures and to follow established protocols for reporting suspicious activities. Additional CISA resources offer guidance on cybersecurity best practices specifically for industrial control systems, including strategies for intrusion detection and mitigation.