CVE-2025-14377
Unknown Unknown - Not Provided
Plaintext Secret Exposure in Verve Asset Manager Ansible Playbook

Publication date: 2026-01-20

Last updated on: 2026-01-20

Assigner: Rockwell Automation

Description
A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-01-20
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14377
EUVD
EUVD-2026-3420
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rockwellautomation verve_asset_manager From 1.36 (exc) to 1.42 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability (CVE-2025-14377) affects the legacy Ansible playbook component of Verve Asset Manager. It involves plaintext secrets being incorrectly stored during the execution of a playbook, which means sensitive information is stored in cleartext and could be exposed. This component has been retired and made optional since version 1.36 (2024) and fully removed in version 1.42. [1]

Impact Analysis

The vulnerability can lead to exposure of sensitive secrets stored in plaintext during playbook execution, potentially allowing unauthorized access or misuse of sensitive information. This could compromise the security of industrial control systems managed by Verve Asset Manager. However, since the affected component is legacy, optional since 1.36, and fully removed in 1.42, the risk is mitigated by upgrading to the latest version. [1]

Mitigation Strategies

The affected legacy Ansible playbook component has been retired and optional since version 1.36 and fully removed in version 1.42 of Verve Asset Manager. The vulnerability is corrected by upgrading to version 1.42 or later, which fully removes the vulnerable component. No specific workarounds are provided. If upgrading is not possible, it is advised to follow Rockwell Automation's security best practices and contact their TechConnect support for further assistance. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14377. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart