CVE-2025-3288: 
Rockwell Automation Arena vulnerability analysis and mitigation

A local code execution vulnerability (CVE-2025-3288) was discovered in Rockwell Automation Arena® software, affecting versions 16.20.08 and prior. The vulnerability was disclosed on April 8, 2025, and is related to improper validation of user-supplied data that allows a threat actor to read outside of the allocated memory buffer (CISA, NVD).

The vulnerability is classified as an out-of-bounds read (CWE-125) vulnerability. It has received a CVSS v4.0 base score of 8.5 (HIGH) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 7.8 with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Rockwell Advisory).

If successfully exploited, this vulnerability allows an attacker to disclose information and execute arbitrary code on the system. The attack requires local access and user interaction, specifically opening a malicious DOE file (CISA).

Rockwell Automation recommends users upgrade to version 16.20.09 or later to address this vulnerability. No workarounds are available for this issue (Rockwell Advisory).