What is CVE-2025-41236 and how severe is it?

CVE-2025-41236 (CVSS score 9.4) is an out-of-bounds write vulnerability in the VMXNET3 virtual network adapter. This critical severity flaw could allow attackers to write data beyond allocated memory boundaries, potentially leading to system compromise, denial of service, or arbitrary code execution in virtualized environments.

What are CVE-2025-41237 and CVE-2025-41238?

CVE-2025-41237 (CVSS score 9.4) is an out-of-bounds write vulnerability in the Virtual Machine Communication Interface, while CVE-2025-41238 (CVSS score 9.4) is an out-of-bounds write vulnerability in the Paravirtualized SCSI controller. Both are critical severity flaws that could enable attackers to compromise virtualized industrial control systems through memory corruption.

How were these Rockwell Automation vulnerabilities discovered?

These vulnerabilities were originally reported as VMware vulnerabilities through offensive research at the Pwn2Own 2025 competition. Pwn2Own is a major cybersecurity competition where researchers demonstrate zero-day exploits against popular software and systems, helping identify critical security flaws that need immediate attention.

Which Rockwell Automation products are affected by these vulnerabilities?

Affected products include all generations of Industrial Data Center (IDC) with VMware (Generations 1-4), both Series A and B of VersaVirtual Appliance (VVA) with VMware, all versions of Threat Detection Managed Services (TDMS) with VMware, all versions of Endpoint Protection Service with Rockwell Automation Proxy and VMware, and all Engineered and Integrated Solutions with VMware.

What is CVE-2025-41239 and how does it differ from the others?

CVE-2025-41239 (CVSS score 8.2) is a Use of Uninitialized Resource vulnerability in vSockets. While still high severity, it has a lower CVSS score than the out-of-bounds write vulnerabilities. This type of flaw occurs when software uses resources that haven't been properly initialized, potentially leading to information disclosure or system instability.

How does remediation work for organizations with Rockwell Automation service contracts?

For organizations with active Rockwell Automation Infrastructure Managed Service contracts or Threat Detection Managed Service contracts, Rockwell Automation will directly contact impacted users to discuss remediation efforts. This provides personalized support for patching and securing affected industrial systems.

What should organizations without Rockwell service contracts do?

Organizations without managed services contracts are directed to refer to Broadcom's security advisories and apply updates to VMware ESXi. Patches are available in VMware ESXi versions 8.0u3f, 8.0u2e, and 7.0u3w, which address these critical vulnerabilities.

Why are out-of-bounds write vulnerabilities particularly dangerous?

Out-of-bounds write vulnerabilities are particularly dangerous because they allow attackers to write data beyond allocated memory boundaries. In virtualized industrial environments, this could lead to system compromise, arbitrary code execution, denial of service, or escape from virtual machine isolation, potentially affecting critical industrial control systems.

What is the relationship between VMware and Rockwell Automation in these vulnerabilities?

These are fundamentally VMware vulnerabilities that affect Rockwell Automation's industrial products because they rely on VMware virtualization technology. Rockwell Automation's Lifecycle Services use VMware components like VMXNET3 network adapters and SCSI controllers, making them vulnerable to the underlying VMware security flaws.

What immediate actions should organizations take about these vulnerabilities?

Organizations should immediately assess whether they have affected Rockwell Automation products with VMware, check their service contract status to determine the appropriate remediation path, apply available VMware ESXi patches if managing systems independently, monitor for any suspicious activity on affected systems, and contact Rockwell Automation or Broadcom for specific guidance based on their configuration.

What makes these vulnerabilities particularly concerning for industrial environments?

These vulnerabilities are particularly concerning for industrial environments because they affect virtualized industrial control systems and critical infrastructure components. Successful exploitation could disrupt manufacturing processes, compromise industrial data centers, affect threat detection capabilities, or provide attackers with access to sensitive industrial operations and control systems.

Advisory

Rockwell Automation patches critical VMware components in Rockwell Automation Lifecycle Services

published: July 31, 2025

Take action: If you have Rockwell Automation systems running on VMware (IDC, VVA, TDMS, etc.), contact Rockwell immediately if you have a managed services contract, or plan to apply the latest VMware/Broadcom security patches yourself if you don't. These vulnerabilities require local system access to exploit, so be very careful what you load as images on the Rockwell system. Make sure the system is isolated to trusted networks only and restrict physical and remote access to authorized personnel only.

Learn More

CISA is reporting multiple critical security vulnerabilities affecting Rockwell Automation's Lifecycle Services with VMware.

These vulnerabilities are originally reported as VMware vulnerabilities through offensive research at the Pwn2Own 2025 competition.

Vulnerability summary:

CVE-2025-41236 (CVSS score: 9.4) - Out-of-bounds Write in VMXNET3 virtual network adapter
CVE-2025-41237 (CVSS score: 9.4) - Out-of-bounds Write in Virtual Machine Communication Interface
CVE-2025-41238 (CVSS score: 9.4) - Out-of-bounds Write in Paravirtualized SCSI controller
CVE-2025-41239 (CVSS score: 8.2) - Use of Uninitialized Resource in vSockets

Affected versions:

All generations of Industrial Data Center (IDC) with VMware (Generations 1-4)
both Series A and B of VersaVirtual Appliance (VVA) with VMware
all versions of Threat Detection Managed Services (TDMS) with VMware
all versions of Endpoint Protection Service with Rockwell Automation Proxy and VMware,
all Engineered and Integrated Solutions with VMware are affected by these security flaws.

The remediation approach varies based on customer service contracts with Rockwell Automation. For organizations with active Rockwell Automation Infrastructure Managed Service contracts or Threat Detection Managed Service contracts, the company will directly contact impacted users to discuss remediation efforts. Organizations without managed services contracts are directed to refer to Broadcom's security advisories and apply updates to VMware ESXi, including patches available in versions 8.0u3f, 8.0u2e, and 7.0u3w.

Rockwell Automation patches critical VMware components in Rockwell Automation Lifecycle Services

Read More
Multiple vulnerabilities in Siemens User Management Component affect …
Over 70 CODESYS Vulnerabilities Reported in Festo Automation …
Multiple critical vulnerabilities reported in Festo industrial controllers
Multiple vulnerabilities reported in METZ CONNECT EWIO2 Industrial …
Critical authentication flaw in Siemens SIMATIC ET 200SP …