CVE-2025-1449

Admin Shell Access Vulnerability in Rockwell Automation Verve Asset Manager

Description

A vulnerability exists in the Rockwell Automation Verve Asset Manager due to insufficient variable sanitizing. A portion of the administrative web interface for Verve's Legacy Agentless Device Inventory (ADI) capability (deprecated since the 1.36 release) allows users to change a variable with inadequate sanitizing. If exploited, it could allow a threat actor with administrative access to run arbitrary commands in the context of the container running the service.

Remediation

Solution:

  • Affected Product: Verve Asset Manager
  • Affected Version(s): <=1.39
  • Corrected in Software Revision: V1.40

CVSS: 7.5
Severity: High
CVSS 4.0
EPSS: 0.06%
Affected: Rockwell Automation Verve Asset Manager
Published at:
Updated at:

References

Frequently Asked Questions

What is the severity of CVE-2025-1449?
CVE-2025-1449 has been scored as a high severity vulnerability.
How to fix CVE-2025-1449?
To fix CVE-2025-1449: Affected Product: Verve Asset Manager; Affected Version(s): <=1.39; Corrected in Software Revision: V1.40.
Is CVE-2025-1449 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2025-1449 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-1449?
CVE-2025-1449 affects Rockwell Automation Verve Asset Manager.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.