Enhancing Rockwell Automation Lifecycle Services with Veeam Backup and Replication

1. EXECUTIVE SUMMARY

The integration of Veeam Backup and Replication into Rockwell Automation’s Lifecycle Services has introduced a significant vulnerability, identified as CVE-2025-23120, which poses a critical risk to users. With a CVSS v4 score of 9.4, the vulnerability is remotely exploitable with low attack complexity and can enable an attacker to execute arbitrary code on affected systems. This report provides an analysis of the vulnerability, its implications for critical infrastructure, and recommended mitigation strategies.

2. RISK EVALUATION

Successful exploitation of CVE-2025-23120 could allow an attacker with administrative privileges to execute code on the target system. This level of access can have severe consequences, including system outages and manipulation of industrial processes. Given the critical nature of the sectors that use Rockwell Automation’s services, the impact of such an attack could extend beyond individual organizations to broader supply chains and public safety.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation has identified the following products as affected by this vulnerability:

  • Industrial Data Center (IDC) with Veeam: Generations 1 – 5
  • VersaVirtual Appliance (VVA) with Veeam: Series A – C

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

The vulnerability stems from a deserialization flaw in Veeam Backup and Replication, which the affected Rockwell Automation products use. When a deserializer reconstructs objects from untrusted input, that input controls which types are instantiated and which code runs during loading, so the flaw can lead to remote code execution and let an attacker manipulate the system’s behavior. The CVSS v3.1 base score of 9.9 indicates a critical level of risk, and the CVSS v4 score of 9.4 further emphasizes the urgency of addressing this vulnerability.
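To make the CWE-502 mechanism concrete, the following added example (not Veeam's or Rockwell Automation's code, and unrelated to the actual flaw in the product) uses Python's pickle as a stand-in for any object-graph serializer. A constructed `Tripwire` object shows that loading a stream invokes whatever callable the stream names; here the callable is a harmless `record()` so the side effect is observable. Two defensive patterns follow: an unpickler that resolves only an allow-list of expected classes, and a data-only JSON format with explicit schema validation. `BackupJob`, `Tripwire`, `record`, and the JSON schema are all assumptions made for the example.

```python
"""CWE-502 in miniature: added example, not the product's own code.

pickle stands in for any object-graph deserializer: the stream tells the
loader which callables to invoke, so loading attacker-controlled bytes
is code execution. Mitigations shown: an allow-list unpickler and a
data-only format with explicit validation.
"""
import io
import json
import pickle

SIDE_EFFECTS = []  # records that the deserializer invoked something


def record(tag):
    """Harmless stand-in for 'whatever the stream asked the loader to call'."""
    SIDE_EFFECTS.append(tag)
    return tag


class BackupJob:
    """A legitimate object a backup service might persist (constructed)."""

    def __init__(self, name, retention_days):
        self.name = name
        self.retention_days = retention_days


class Tripwire:
    """Constructed object whose pickle reduces to a function call.
    pickle honours __reduce__, so loading its bytes calls record()."""

    def __reduce__(self):
        return (record, ("deserializer invoked a callable",))


def make_benign_blob():
    return pickle.dumps(BackupJob("nightly", 30))


def make_hostile_blob():
    return pickle.dumps(Tripwire())


def unsafe_load(blob):
    """The CWE-502 pattern: trusts the stream to name any importable callable."""
    return pickle.loads(blob)


class AllowListUnpickler(pickle.Unpickler):
    """Mitigation 1: resolve only the classes this service expects to load."""

    ALLOWED = {(cls.__module__, cls.__qualname__): cls for cls in (BackupJob,)}

    def find_class(self, module, name):
        try:
            return self.ALLOWED[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}") from None


def safe_load(blob):
    return AllowListUnpickler(io.BytesIO(blob)).load()


def is_rejected_by_safe_load(blob):
    """True when the allow-list unpickler refuses the stream."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


# Mitigation 2: a data-only format plus schema validation; no object graph at all.
def job_to_json(job):
    return json.dumps({"name": job.name, "retention_days": job.retention_days})


def job_from_json(text):
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != {"name", "retention_days"}:
        raise ValueError("unexpected fields")
    name, days = data["name"], data["retention_days"]
    if not isinstance(name, str) or not name:
        raise ValueError("name must be a non-empty string")
    if isinstance(days, bool) or not isinstance(days, int) or days < 0:
        raise ValueError("retention_days must be a non-negative integer")
    return BackupJob(name, days)


if __name__ == "__main__":
    unsafe_load(make_hostile_blob())
    print("unsafe_load side effects:", SIDE_EFFECTS)
    print("safe_load benign:", vars(safe_load(make_benign_blob())))
    print("safe_load hostile rejected:", is_rejected_by_safe_load(make_hostile_blob()))
    print("json round-trip:", vars(job_from_json(job_to_json(BackupJob("weekly", 90)))))
```

The allow-list keeps the loader from resolving anything outside the handful of types the service actually persists, which is the general shape of the fix for this CWE regardless of language; the JSON variant goes further by never letting input choose a type at all, which is the option to prefer for any data that crosses a trust boundary.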

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation proactively reported this vulnerability to the Cybersecurity and Infrastructure Security Agency (CISA), demonstrating a commitment to user safety.

4. MITIGATIONS

For users with an active Rockwell Automation Infrastructure Managed Service contract, the company will reach out to discuss necessary remediation actions. For those without such a contract, the following resources are available:

Users unable to upgrade to corrected versions are encouraged to apply security best practices where feasible.

CISA recommends several defensive measures to minimize the risk of exploitation:

  • Minimize network exposure: Ensure control system devices are not accessible from the Internet.
  • Isolate networks: Place control system networks behind firewalls, separating them from business networks.
  • Secure remote access: Use VPNs for remote access, while recognizing that VPNs have vulnerabilities of their own and must be kept updated.

Organizations should conduct thorough impact analyses and risk assessments before implementing defensive measures. CISA also provides a range of resources on best practices for securing industrial control systems (ICS), which can be found on its ICS webpage.

Organizations observing suspicious activity are encouraged to report findings to CISA for tracking and correlation with other incidents. Additionally, CISA advises users to protect against attacks by following these guidelines:

As of now, no public exploitation specifically targeting this vulnerability has been reported to CISA.

5. UPDATE HISTORY

  • April 1, 2025: Initial Republication of Rockwell Automation SD1724

CONCLUSION

The vulnerability associated with Rockwell Automation’s Lifecycle Services and Veeam Backup and Replication underscores the critical need for robust cybersecurity measures in industrial environments. As organizations increasingly rely on digital solutions, the potential risks associated with vulnerabilities like CVE-2025-23120 must be taken seriously. By implementing the recommended mitigations and maintaining vigilance against emerging threats, organizations can better protect their critical infrastructure and ensure the integrity of their operations.
