CVE-2020-25176

Severity: 9.1 CRITICAL

📋 TL;DR

CVE-2020-25176 is a directory traversal vulnerability in Rockwell Automation ISaGRAF Runtime that allows remote, unauthenticated attackers to access arbitrary files on the system. This affects versions 4.x and 5.x of the ISaGRAF Runtime when using the eXchange Layer (IXL) protocol. Successful exploitation could lead to remote code execution.

💻 Affected Systems

Products:
  • Rockwell Automation ISaGRAF Runtime
Versions: 4.x and 5.x
Operating Systems: Various (embedded systems running ISaGRAF)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using the eXchange Layer (IXL) protocol. Also impacts Schneider Electric and Xylem products that incorporate ISaGRAF Runtime.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote, unauthenticated attacker gains full system control through remote code execution, potentially compromising industrial control systems.

🟠 Likely Case

Attackers read sensitive files, modify configurations, or deploy malware to disrupt industrial operations.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing external access to vulnerable systems.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing systems extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, unauthenticated access allows lateral movement within networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal vulnerabilities are typically easy to exploit once the attack vector is understood. No public exploit code found in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 6.0 or later

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699

Restart Required: Yes

Instructions:

1. Download ISaGRAF Runtime Version 6.0 or later from Rockwell Automation.
2. Back up the current configuration.
3. Install the updated version following vendor instructions.
4. Restart the system.
5. Verify the update was successful.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate ISaGRAF systems from untrusted networks using firewalls.

Disable IXL Protocol (applies to: all)

If not required, disable the eXchange Layer (IXL) protocol entirely.

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to ISaGRAF systems only from trusted sources.
  • Deploy intrusion detection systems to monitor for directory traversal attempts and anomalous file access patterns.

🔍 How to Verify

Check if Vulnerable:

Check the ISaGRAF Runtime version. If it is 4.x or 5.x and the IXL protocol is enabled, the system is vulnerable.

Check Version:

Check version through ISaGRAF management interface or system documentation (vendor-specific command varies by deployment).

Verify Fix Applied:

Verify that the ISaGRAF Runtime version is 6.0 or later and, if the IXL protocol is still enabled, confirm its configuration.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns via IXL protocol
  • Directory traversal strings in logs (e.g., '../', '..\')

Network Indicators:

  • Unexpected connections to ISaGRAF IXL ports (typically TCP 1962)
  • Anomalous traffic patterns to/from industrial control systems

SIEM Query:

source="isagraf_logs" AND (message="*../*" OR message="*..\\*")
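The log and network indicators above can be turned into a small offline detector. The following is an added example, not part of the original advisory and not Rockwell Automation code: it runs the traversal check over constructed sample log lines (the `src=`/`op=`/`path=` key-value format is an assumption, not a real ISaGRAF log format) and flags connections to the IXL port from hosts outside an assumed engineering-workstation allowlist. It goes slightly beyond the page's literal `../` and `..\` indicators by percent-decoding the path before matching, so encoded dot segments are caught as well.

```python
import re
from urllib.parse import unquote

IXL_PORT = 1962  # port the advisory lists as typical for ISaGRAF IXL

# Hosts permitted to speak IXL to the controllers (constructed allowlist).
ALLOWED_IXL_CLIENTS = {"10.0.5.12", "10.0.5.13"}

# Constructed sample log lines; the key=value layout is an assumption.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z isagraf ixl src=10.0.5.12 op=read path=/project/app.cfg",
    "2024-01-01T10:00:05Z isagraf ixl src=203.0.113.7 op=read path=../../config/users.dat",
    "2024-01-01T10:00:06Z isagraf ixl src=203.0.113.7 op=read path=..\\..\\system.ini",
    "2024-01-01T10:00:07Z isagraf ixl src=203.0.113.7 op=read path=%2e%2e%2f%2e%2e%2fconfig%2fusers.dat",
    "2024-01-01T10:01:00Z isagraf ixl src=10.0.5.13 op=write path=/project/vars.dat",
]

# Constructed connection records (e.g. from a firewall or NetFlow export).
SAMPLE_CONNECTIONS = [
    {"src": "10.0.5.12", "dst": "10.0.7.20", "dport": 1962},
    {"src": "203.0.113.7", "dst": "10.0.7.20", "dport": 1962},
    {"src": "10.0.5.13", "dst": "10.0.7.20", "dport": 443},
    {"src": "192.168.1.50", "dst": "10.0.7.21", "dport": 1962},
]

TRAVERSAL_RE = re.compile(r"\.\.[\\/]")   # '../' or '..\' as in the advisory
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a log line into its key=value fields (assumed format)."""
    return dict(KV_RE.findall(line))


def is_traversal(path):
    """True if the path contains a parent-directory segment, after decoding."""
    decoded = path
    for _ in range(2):            # handle single and double percent-encoding
        decoded = unquote(decoded)
    return TRAVERSAL_RE.search(decoded) is not None


def find_traversal_events(lines):
    """Return (source host, raw path) for every log line that looks like traversal."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        path = fields.get("path", "")
        if is_traversal(path):
            hits.append((fields.get("src"), path))
    return hits


def find_unexpected_ixl_connections(conns, allowed=ALLOWED_IXL_CLIENTS):
    """Return connections to the IXL port from hosts not on the allowlist."""
    return [c for c in conns if c["dport"] == IXL_PORT and c["src"] not in allowed]


if __name__ == "__main__":
    for src, path in find_traversal_events(SAMPLE_LOGS):
        print(f"traversal attempt from {src}: {path}")
    for c in find_unexpected_ixl_connections(SAMPLE_CONNECTIONS):
        print(f"unexpected IXL connection {c['src']} -> {c['dst']}:{c['dport']}")
```

In practice the allowlist would be the set of engineering workstations that legitimately program the controllers, and both functions would be fed from the SIEM rather than the inline samples; the decoding step matters because the plain wildcard query above only matches literal dot-dot sequences.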
