CVE-2025-11696
📋 TL;DR
A local server-side request forgery vulnerability in Studio 5000 Simulation Interface allows any Windows user on the system to make the application open outbound SMB connections to a host of the attacker's choosing. The NTLM authentication sent on that connection can be captured by the attacker's host. This affects systems running vulnerable versions of the software, primarily in industrial control environments.
💻 Affected Systems
- Studio 5000 Simulation Interface
⚠️ Manual Verification Required
The NVD entry for this CVE does not carry affected version ranges, so automated vulnerability detection cannot decide from the database alone whether your installation is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD). The vendor advisory linked below does name the fixed release (v4.05.00), so compare your installed version against that.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers capture the NTLM challenge-response from the forced SMB connection, relay it to other hosts or crack it offline to recover the account's credential, use that to gain elevated privileges, and potentially compromise the entire industrial control system.
Likely Case
Local attackers capture NTLM hashes from the system account running Studio 5000 Simulation Interface, enabling lateral movement within the network.
If Mitigated
With proper network segmentation and SMB restrictions, impact is limited to the local system with no credential exposure.
🎯 Exploit Status
Exploitation requires local Windows user access but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.05.00
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1760.html
Restart Required: Yes
Instructions:
1. Download Studio 5000 Simulation Interface v4.05.00 from Rockwell Automation.
2. Install the update following vendor instructions.
3. Restart the system.
🔧 Temporary Workarounds
Restrict SMB Outbound Traffic
Block outbound SMB traffic from affected systems so a forced UNC connection cannot reach an attacker-controlled host and leak NTLM authentication. The rule below covers TCP 445; add an equivalent rule for TCP 139 (NetBIOS session service). It also blocks legitimate SMB to file servers unless scoped with -RemoteAddress.
New-NetFirewallRule -DisplayName "Block SMB Outbound" -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block
Implement SMB Signing
Require SMB signing so that a captured NTLM authentication cannot be relayed to SMB services on this or other hosts. Signing does not prevent offline cracking of a captured NTLMv2 challenge-response, so it complements the outbound block rather than replacing it.
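The following PowerShell applies both workarounds above (outbound SMB block and SMB signing) and verifies the result. It is an added example, not from the vendor advisory; it assumes Windows 8 / Server 2012 or later (NetSecurity and SmbShare modules) and an elevated session. The WebClient step is a general Windows caveat: if that service is running, a UNC path that fails over SMB can be retried over WebDAV (HTTP/HTTPS), which the firewall rules here do not cover.

```powershell
# Added example: outbound SMB block + SMB signing enforcement + verification.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.

# 1. Block outbound SMB (TCP 445) and NetBIOS session (TCP 139) so a forced UNC
#    connection cannot reach an attacker-controlled host with NTLM credentials.
#    Block rules take precedence over allow rules in Windows Firewall, so to keep
#    SMB to known file servers, scope these rules with -RemoteAddress to the
#    address ranges that must be blocked instead of adding an allow rule.
$rules = @(
    @{ DisplayName = 'Block SMB Outbound (TCP 445)';     RemotePort = 445 },
    @{ DisplayName = 'Block NetBIOS Outbound (TCP 139)'; RemotePort = 139 }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.DisplayName -Direction Outbound `
            -Protocol TCP -RemotePort $r.RemotePort -Action Block -Profile Any | Out-Null
    }
}

# 2. Require SMB signing for both the server and client side of this host.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 3. Caveat (general Windows behaviour, not specific to this product): with the
#    WebClient service running, a failed SMB UNC access can fall back to WebDAV.
#    Disable it if nothing on the host needs WebDAV.
if (Get-Service -Name WebClient -ErrorAction SilentlyContinue) {
    Stop-Service -Name WebClient -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
}

# 4. Verify the resulting state.
Get-NetFirewallRule -DisplayName 'Block SMB Outbound (TCP 445)', 'Block NetBIOS Outbound (TCP 139)' |
    Get-NetFirewallPortFilter | Select-Object Protocol, RemotePort
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
```

Test the block rule before rolling it out: from the affected host, try to map a share on a known file server; if that must keep working, narrow the rules with -RemoteAddress rather than removing them.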
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from critical assets
- Apply principle of least privilege and monitor for unusual SMB outbound connections
🔍 How to Verify
Check if Vulnerable:
Check Studio 5000 Simulation Interface version - if below v4.05.00, system is vulnerable.
Check Version:
Check the software version in Studio 5000 Simulation Interface application or Windows Programs and Features
Verify Fix Applied:
Verify version is v4.05.00 or higher and test that SMB outbound requests cannot be triggered via the API.
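A scripted version of the check above, added here as an example rather than taken from the vendor: it reads the installed version from the Programs and Features registry keys and compares it with the fixed release. The DisplayName pattern "*Simulation Interface*" is an assumption about how the installer registers the product; adjust it if the entry is named differently.

```powershell
# Added example: compare the installed Studio 5000 Simulation Interface version to v4.05.00.
# Assumption: the product appears under the standard Uninstall keys with a DisplayName
# containing "Simulation Interface" (adjust the -like pattern if not).
$FixedVersion = [version]'4.05.00'   # v4.05.00 from the vendor advisory; parses as 4.5.0

$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installs = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Simulation Interface*' }

if (-not $installs) {
    Write-Output 'Studio 5000 Simulation Interface not found in Programs and Features.'
    return
}

foreach ($app in $installs) {
    # DisplayVersion strings such as "4.05.00" or "4.5.0" both parse to the same [version].
    try   { $installed = [version]$app.DisplayVersion }
    catch { Write-Warning "Cannot parse version '$($app.DisplayVersion)' for $($app.DisplayName)"; continue }

    $status = if ($installed -lt $FixedVersion) { 'VULNERABLE (below v4.05.00)' }
              else                              { 'patched (v4.05.00 or later)' }

    [pscustomobject]@{
        Product   = $app.DisplayName
        Installed = $installed.ToString()
        Status    = $status
    }
}
```

The [version] cast is used instead of string comparison so that "4.10.00" is correctly treated as newer than "4.05.00".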
📡 Detection & Monitoring
Log Indicators:
- Unusual SMB outbound connections from Studio 5000 Simulation Interface process
- API calls to trigger external requests
Network Indicators:
- SMB traffic from Studio 5000 Simulation Interface systems to unexpected destinations
- NTLM authentication attempts from affected systems
SIEM Query:
source="windows" AND (process="Studio5000SimulationInterface.exe" AND destination_port=445)
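For hosts without a SIEM feed, the same detection logic can be run locally against Sysmon Event ID 3 (NetworkConnect). This is an added example, not the page's own query; it assumes Sysmon is installed with network connection logging enabled, takes the process image name from the SIEM query above (which is itself unconfirmed), and uses constructed placeholder addresses for the file servers that are expected to receive SMB.

```powershell
# Added example: hunt for outbound SMB/NetBIOS connections from the Simulation Interface
# process in the Sysmon operational log. Assumptions: Sysmon with Event ID 3 enabled; the
# image name below matches the page's SIEM query and is not confirmed by the vendor.
$ProcessName = 'Studio5000SimulationInterface.exe'
$SmbPorts    = 445, 139
$Since       = (Get-Date).AddDays(-7)

# Destinations where SMB from this host is expected (file servers, domain controllers).
# Constructed placeholder values; replace with your own.
$KnownSmbServers = @('10.0.0.5', '10.0.0.6')

$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Initiated=true means this host opened the connection (outbound).
    if ($d.Image -like "*\$ProcessName" -and
        [int]$d.DestinationPort -in $SmbPorts -and
        $d.Initiated -eq 'true') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $d.User
            Image       = $d.Image
            Destination = "$($d.DestinationIp):$($d.DestinationPort)"
            Expected    = ($d.DestinationIp -in $KnownSmbServers)
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
$unexpected = @($hits | Where-Object { -not $_.Expected })
Write-Output "$($unexpected.Count) SMB connection(s) to unexpected destinations in the last 7 days."
```

Any hit with Expected = False is the network indicator described above; pair it with the User field to see which account's NTLM authentication would have been exposed. If Sysmon is not available, Windows Filtering Platform auditing (Security log event 5156) records the same outbound connections with the process path and destination port.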