Advisory

Rockwell Automation fixes critical flaw in Verve Asset Manager

Take action: This does not look like an urgent flaw, since exploitation is only possible for a user who already holds administrative privileges on the system. Network isolation does little to reduce this particular risk, but still make sure Verve Asset Manager is isolated from the Internet. Then plan a regular patch process.


Learn More

Rockwell Automation is reporting a critical security vulnerability in its Verve Asset Manager product that could potentially allow remote exploitation with low attack complexity. 

The vulnerability, tracked as CVE-2025-1449 (CVSS score 9.1), is an "Improper Validation of Specified Type of Input" weakness. It is caused by insufficient sanitization of variables in the administrative web interface for Verve's Legacy Active Directory Interface (ADI) capability, which has been deprecated since the 1.36 release.

The flaw affects Verve Asset Manager versions 1.39 and prior.

Successful exploitation of this vulnerability could permit an attacker with administrative access to execute arbitrary commands within the container running the service. This poses serious risks to critical infrastructure, particularly in the critical manufacturing sector where these systems are commonly deployed.

Rockwell Automation has addressed this vulnerability in software Version 1.40. Users of affected software versions who are unable to upgrade immediately are encouraged to implement security best practices where possible.

As of March 25, 2025, when this advisory was initially published, no known public exploitation specifically targeting this vulnerability has been reported to CISA.
