CVE-2025-11696
BaseFortify
Publication date: 2025-11-11
Last updated on: 2025-11-11
Assigner: Rockwell Automation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rockwell_automation | studio_5000_simulation_interface | 3.0.0 |
| rockwell_automation | studio_5000_simulation_interface | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11696 is a local server-side request forgery (SSRF) vulnerability in the Studio 5000® Simulation Interface™ API. It allows any Windows user on the affected system to trigger outbound SMB requests, which can be exploited to capture NTLM authentication hashes, potentially compromising user credentials. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing a local Windows user to initiate outbound SMB requests that capture NTLM hashes. These hashes can be used to compromise credentials, potentially leading to unauthorized access or further attacks within your system or network. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves triggering outbound SMB requests from the Studio 5000® Simulation Interface™ API by any Windows user on the system. Detection could involve monitoring outbound SMB traffic from the affected system to identify unusual or unauthorized SMB requests. Specific commands are not provided in the advisory, but network monitoring tools or commands that capture SMB traffic (such as Wireshark filters for SMB protocol or Windows PowerShell commands to monitor network connections) could be used to detect exploitation attempts. [1]
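One way to run the outbound SMB check described above from PowerShell, as an added example that is not from the advisory or from Rockwell Automation. The approved-server list, the function name and the polling values are assumptions to replace with your own.

```powershell
# Added example (not from the advisory): poll for outbound SMB sessions to
# hosts that are not on an approved list. The addresses and names below are
# constructed placeholders; list your real file servers by name and by IP.
$ApprovedServers = @('192.0.2.10', 'fileserver01.example.internal')

function Get-UnexpectedSmbSession {
    param(
        [string[]]$Approved = $ApprovedServers,
        [int]$Samples = 60,           # number of polls
        [int]$IntervalSeconds = 1     # keep short: the exchange is brief
    )
    $seen = @{}
    for ($i = 0; $i -lt $Samples; $i++) {
        # TCP view: any attempt or session to remote port 445.
        # The SMB redirector runs in the kernel, so OwningProcess is normally
        # 4 (System) and does not name the application that caused the request.
        $tcp = Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notin $Approved }
        foreach ($c in $tcp) {
            $key = "tcp|$($c.RemoteAddress)"
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = [pscustomobject]@{
                    FirstSeen = Get-Date; Source = 'TCP'
                    Remote    = $c.RemoteAddress
                    Detail    = "State=$($c.State) Pid=$($c.OwningProcess)"
                }
            }
        }
        # SMB client view: server, share and the account that authenticated.
        $smb = Get-SmbConnection -ErrorAction SilentlyContinue |
            Where-Object { $_.ServerName -notin $Approved }
        foreach ($s in $smb) {
            $key = "smb|$($s.ServerName)|$($s.ShareName)"
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = [pscustomobject]@{
                    FirstSeen = Get-Date; Source = 'SMB'
                    Remote    = $s.ServerName
                    Detail    = "Share=$($s.ShareName) User=$($s.UserName)"
                }
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
    $seen.Values | Sort-Object FirstSeen
}

Get-UnexpectedSmbSession | Format-Table -AutoSize
```

Polling misses sessions shorter than the interval, so treat an empty result as inconclusive and confirm with firewall or packet-capture logs for TCP 445.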
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Studio 5000® Simulation Interface™ to version 3.0.0 or later, where this vulnerability is fixed. No workarounds are provided. For those unable to upgrade immediately, Rockwell Automation recommends adhering to security best practices to reduce risk. [1]