Severity: 
                            
                            
                                        
                                        High
                                    
                                
                            
                                Advisory ID: 
                            
                            
                                PN1621
                            
                        
                                Data pubblicazione: 
                            
                            
                                May 09, 2023
                            
                        
                                Ultimo aggiornamento: 
                            
                            
                                September 08, 2025
                            
                        
                                Revision Number: 
                            
                            
                                1.0
                            
                        
                                Known Exploited Vulnerability (KEV): 
                            
                            
                                No
                            
                        
                                Corrected: 
                            
                            
                                No
                            
                        
                                Workaround: 
                            
                            
                                No
                            
                        
                            CVE IDs
                        
                        
                                    CVE-2023-29460, 
                                    
                                
                            
                                
                                    CVE-2023-29462, 
                                    
                                
                            
                                
                                    
                                    CVE-2023-29461
                                
                            
                        
                    Riepilogo
                
                
                    Arena® Simulation – Multiple Vulnerabilities
                
            
Revision Number
1.1
Revision History
Version 1.0 - May 9, 2023
Version 1.1 - September 8, 2025 - Update for better readability
Affected Products
| Affected Product (automated) | First Known in Software Version | Corrected in Software Version | 
| Arena® Simulation Software | V16.00 | 16.20.01 | 
Security Issue Details
Rockwell Automation used the latest version of the CVSS scoring system to assess the following security issues.
CVE-2023-29460 IMPACT
An arbitrary code execution security issue was reported to Rockwell Automation that could allow a threat actor to use unauthorized arbitrary code to the software by using a memory buffer overflow.
CVE-2023-29460 IMPACT
An arbitrary code execution security issue was reported to Rockwell Automation that could allow a threat actor to use unauthorized arbitrary code to the software by using a memory buffer overflow.
CVSS Base Score: 7.8
 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
 CWE: CWE-119 Incorrect Restriction of Operations in the Memory BufferKnown Exploited Vulnerability (KEV) database:
NoCVE-2023-29461 IMPACT
An arbitrary code execution security issue was reported to Rockwell Automation that could allow a threat actor to use unauthorized arbitrary code on the software by using a memory buffer overflow in the heap.
CVSS Base Score: 7.8
 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
 CWE: CWE-119 Incorrect Restriction of Operations in the Memory BufferKnown Exploited Vulnerability (KEV) database:
NoCVE-2023-29462 IMPACT
An arbitrary code execution seurity issue was reported to Rockwell Automation that could allow a threat actor to use unauthorized arbitrary code on the software by using a memory buffer overflow in the heap.
CVSS Base Score: 7.8
 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
 CWE: CWE-119 Incorrect Restriction of Operations in the Memory BufferKnown Exploited Vulnerability (KEV) database:
NoCustomers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
Risk Mitigation & User Action
Customers using the affected software shoud use the below risk mitigations.
- Upgrade to 16.20.01 which has been patched to mitigate these issues.
- For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
- Customer should use our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks..
Additional Resources
Glossary
Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Memory Buffer Overflow: occurs when a program writes more data to a buffer than it can hold. This can lead to data corruption, program crashes, or unintended behavior
Copyright ©2022 Rockwell Automation, Inc.