Advisory

Critical vulnerabilities reported in Rockwell Automation Studio 5000 simulation interface

Take action: The practical severity is lower than the CVSS scores suggest, since both flaws require an account on the local Windows host. Nevertheless, make sure your Rockwell Studio 5000 Simulation Interface is isolated on trusted networks, is not reachable from the internet, and that only a small number of trusted users hold accounts on the host. Then plan a patch cycle to upgrade to version 3.0.0 or later.


Learn More

Rockwell Automation is reporting multiple security vulnerabilities in its Studio 5000 Simulation Interface software that could allow authenticated local attackers to execute malicious scripts with Administrator privileges and capture NTLM authentication hashes. 

Vulnerabilities summary:

  • CVE-2025-11696 (CVSS score 9.3) - An improper limitation of a pathname to a restricted directory vulnerability, commonly known as path traversal. It allows any authenticated Windows user on the system to make the software write extracted files outside the intended directory by using path-traversal sequences; a script planted this way is executed with Administrator privileges at the next system reboot.
  • CVE-2025-11697 (CVSS score 8.8) - A server-side request forgery (SSRF) vulnerability that enables any Windows user on the system to trigger outbound SMB requests through the API. An attacker exploiting this flaw can capture the NTLM hashes sent with those requests and either crack them offline or use them in relay attacks to authenticate to other network resources (relay only succeeds against services that do not enforce SMB signing or equivalent protections).
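Both flaws are instances of well-known bug classes, and the checks that close them are generic. The following Python is an added example, not code from Rockwell or from this advisory: it confines archive members to the extraction directory under Windows path semantics (rejecting `..` components, drive letters, rooted paths and UNC names) and refuses any server-side fetch that is not an http(s) URL to an allow-listed host, which is what prevents a request from being turned into an outbound SMB connection. The extraction directory, hostnames and entry names are constructed for the example.

```python
import ntpath
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Hypothetical extraction directory on the simulation host (constructed).
DEST_DIR = r"C:\ProgramData\Sim\extract"


def resolve_member(dest_dir: str, member: str) -> Optional[str]:
    """Return the absolute target path for an archive member, or None if the
    member would land outside dest_dir. ntpath is used so that Windows
    semantics (backslashes, drive letters, UNC prefixes) apply on any host OS."""
    name = member.replace("/", "\\")
    # Reject drive-qualified (C:...), UNC (\\host\share) and rooted (\x) names.
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("\\"):
        return None
    base = ntpath.normpath(dest_dir)
    full = ntpath.normpath(ntpath.join(base, name))
    # normpath has collapsed any '..' components; the result must still be inside base.
    if not full.lower().startswith(base.lower() + "\\"):
        return None
    return full


def plan_extraction(dest_dir: str, members: Iterable[str]) -> dict:
    """Map each member name to its safe target path, or None when rejected."""
    return {m: resolve_member(dest_dir, m) for m in members}


ALLOWED_SCHEMES = {"http", "https"}


def is_allowed_fetch_target(target: str, allowed_hosts: Iterable[str]) -> bool:
    """Allow-list check for a server-side fetch: only http(s) to known hosts.
    UNC paths, file://, smb:// and unknown hosts all fail, so the server cannot
    be coerced into an outbound SMB connection that leaks NTLM credentials."""
    if target.startswith(("\\\\", "//")):
        return False
    parts = urlsplit(target)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = (parts.hostname or "").lower()
    return host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    # Constructed archive member names: one benign, the rest traversal attempts.
    members = [
        "model/config.json",
        "..\\..\\..\\evil.bat",
        "/rooted/evil.bat",
        "C:\\evil.bat",
        "\\\\attacker.example\\share\\evil.bat",
    ]
    for name, target in plan_extraction(DEST_DIR, members).items():
        print(f"{name!r:45} -> {target or 'REJECTED'}")

    # Constructed fetch targets: one legitimate, the rest SSRF-to-SMB attempts.
    hosts = {"sim.corp.example"}
    for t in ["https://sim.corp.example/api/model",
              "\\\\attacker.example\\share",
              "file://attacker.example/share/x",
              "http://attacker.example/"]:
        print(f"{t!r:45} -> {'allowed' if is_allowed_fetch_target(t, hosts) else 'blocked'}")
```

The prefix comparison after `normpath` is the important part of the extraction check: rejecting `..` by string search alone misses rooted and drive-qualified names, which `ntpath.join` silently resolves away from the destination. The fetch check is an allow list rather than a deny list so that a new scheme or an internal address the deny list did not anticipate is blocked by default.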

The vulnerabilities affect Studio 5000 Simulation Interface Version 2.02 and all prior versions. Both require local access and are not remotely exploitable. The systems most at risk are those where multiple users have accounts on the affected host, or where an attacker has already gained initial access through another flaw and uses these to escalate privileges or harvest credentials.

Rockwell Automation strongly recommends that users upgrade to version 3.0.0 or later. For organizations unable to immediately upgrade, Rockwell Automation advises following their security best practices. CISA further recommends minimizing network exposure for control system devices, isolating control networks behind firewalls, and using secure remote access methods such as updated VPNs. 
