Rockwell Automation has confirmed a remote injection vulnerability in its Stratix IOS that could allow unauthenticated attackers to upload and execute malicious configurations on industrial switches; it carries a CVSS v3.1 base score of 9.6. The flaw, tracked as CVE-2025-7350, affects multiple Stratix switch families deployed worldwide in critical manufacturing environments, and both the vendor and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) are urging immediate patching.
The Vulnerability at a Glance
CVE-2025-7350 is an injection vulnerability (CWE-74) stemming from improper neutralization of special elements in output used by a downstream component. It impacts Stratix IOS versions 15.2(8)E5 and prior, specifically on the Stratix 5410, 5700, and 8000 series. CISA’s advisory states that successful exploitation could allow an attacker to run malicious configurations without authentication, leading to a complete compromise of the affected device’s integrity and potentially enabling remote code execution.
The advisory carries two CVSS scores: a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and a CVSS v4 base score of 8.6 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N). Both reflect high impact on confidentiality, integrity, and availability, low attack complexity, and no privileges required. Two details are easy to miss. First, both vectors require user interaction (UI:R in v3.1, UI:A in v4): some action by a legitimate user is part of the attack path, and the advisory does not say what that action is, which is a reason to treat every management session as a potential vector rather than a reason to relax. Second, the v3.1 scope is Changed (S:C), meaning the damage is not confined to the vulnerable component; without that, the same vector would score 8.8.
Who Is Affected?
Any Stratix switch running Stratix IOS 15.2(8)E5 or earlier is vulnerable. Rockwell explicitly calls out the 5410, 5700, and 8000 series; operators should treat other Stratix IOS-based devices as potentially affected until Rockwell confirms otherwise, since the families share a Cisco IOS code base and vulnerabilities in it have historically rippled across several Stratix lines at once.
Industrial networks rely on these switches for more than basic packet forwarding – they host management interfaces, participate in routing and time synchronization, and sometimes run process-aware features that integrate with the control system. Compromising one can disrupt entire production lines.
What Makes CVE-2025-7350 So Dangerous?
Industrial switches sit at the intersection of OT and IT, often with management interfaces exposed to corporate networks or remote access pathways. The vulnerability’s attributes – remotely exploitable, low attack complexity, no authentication required, with only some action by a legitimate user standing in the way – mean that any reachable device is a potential entry point. Attackers could:
- Alter network forwarding or VLAN policies to intercept or reroute industrial traffic.
- Modify ACLs to enable lateral movement to previously isolated segments.
- Inject persistent, hard-to-detect configuration changes that are written to the startup configuration and so survive reboots.
- Achieve full remote code execution depending on the device’s feature set.
Rockwell and CISA stated that no known public exploitation had been reported at the time of the advisory, but an absence of reports is not evidence of safety. The vulnerability’s characteristics make it likely to attract attention from both cybercriminals and nation-state actors targeting critical infrastructure.
Inside the Injection Flaw
Stratix IOS is built on Cisco IOS, and this is not the first time a Cisco IOS vulnerability has surfaced in the Stratix product line. The advisory classifies the flaw as CWE-74: special elements in data that the device passes to a downstream component are not neutralized, which here lets attacker-supplied content be accepted and applied as device configuration without proper authentication. In other words, the defect is less about rejecting bad input at the edge and more about what the management plane hands on to the configuration processing path.
While full exploit details have not been released, the impact description indicates that a crafted payload can cause the device to accept and apply a malicious configuration. Post-exploit capabilities may vary by model and feature set, but configuration-only manipulation is already catastrophic in an OT environment: VLAN, ACL, and routing changes are enough to reroute or blackhole process traffic.
Mitigation: Patch and Protect
Rockwell’s fix is clear: upgrade to Stratix IOS 15.2(8)E6 or later. The updated firmware eliminates the vulnerability and should be deployed as soon as possible after validation. Operators must:
- Inventory all Stratix devices and record exact IOS builds.
- Download the correct 15.2(8)E6 image from Rockwell’s Product Compatibility and Download Center.
- Test the upgrade in a lab or non-critical segment to ensure compatibility with existing configurations and applications.
- Schedule phased rollouts with full configuration backups and rollback plans.
- Verify post-upgrade that the running image reports 15.2(8)E6 or later (the show version output and the configured boot image should agree) and that no regressions have occurred.
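The inventory step is where most estates slip: version strings like 15.2(8)E5 do not sort correctly as text (E10 lands before E5), and a fleet of several hundred switches is not checked by eye. The following is an added example for this article, not Rockwell's or CISA's tooling, that reads captured show version output and decides whether each switch is still on 15.2(8)E5 or earlier. The only facts it takes from the advisory are the 15.2(8)E5 / 15.2(8)E6 boundary; the version-string grammar, the image names in the sample output, and the hostnames are assumptions constructed for the example.

```python
import re
from typing import Dict, NamedTuple, Optional

# Stratix IOS release strings look like 15.2(8)E5: major.minor(maintenance)train[rebuild].
# This grammar and parser are assumptions of the example, not Rockwell or Cisco tooling.
_IOS_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Za-z]+)(\d*)$")
_SHOW_VER_RE = re.compile(r"Version\s+(\d+\.\d+\(\d+\)[A-Za-z]+\d*)")


class IosVersion(NamedTuple):
    major: int
    minor: int
    maintenance: int
    train: str
    rebuild: int


def parse_ios_version(text: str) -> IosVersion:
    """Parse '15.2(8)E5' into numerically comparable fields; a missing rebuild counts as 0."""
    m = _IOS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized IOS version string: {text!r}")
    major, minor, maint, train, rebuild = m.groups()
    return IosVersion(int(major), int(minor), int(maint), train.upper(), int(rebuild or 0))


LAST_VULNERABLE = parse_ios_version("15.2(8)E5")  # advisory: 15.2(8)E5 and prior are affected
FIRST_FIXED = parse_ios_version("15.2(8)E6")      # advisory: upgrade to 15.2(8)E6 or later


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True for 15.2(8)E5 and earlier on the E train, False for 15.2(8)E6 and later.
    None when the image is on another train (e.g. EX), which cannot be ordered against E."""
    v = parse_ios_version(version_text)
    if v.train != LAST_VULNERABLE.train:
        return None
    # Tuple comparison is numeric field by field, so E10 correctly sorts after E5.
    return v <= LAST_VULNERABLE


def version_from_show_version(output: str) -> str:
    """Pull the release string out of captured 'show version' text."""
    m = _SHOW_VER_RE.search(output)
    if not m:
        raise ValueError("no 'Version x.y(z)Tn' string found in show version output")
    return m.group(1)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'vulnerable' | 'fixed' | 'unknown' from captured show version output.
    Anything unparseable is reported as unknown rather than silently skipped."""
    result = {}
    for host, output in inventory.items():
        try:
            verdict = is_vulnerable(version_from_show_version(output))
        except ValueError:
            result[host] = "unknown"
            continue
        result[host] = "unknown" if verdict is None else ("vulnerable" if verdict else "fixed")
    return result


# Constructed 'show version' excerpts for three switches (sample data, not real devices).
SAMPLE_INVENTORY = {
    "stratix5700-line1": "Cisco IOS Software, IE2000 Software (IE2000-UNIVERSALK9-M), "
                         "Version 15.2(8)E5, RELEASE SOFTWARE (fc1)",
    "stratix8000-cell3": "Cisco IOS Software, IE3000 Software (IES-LANBASEK9-M), "
                         "Version 15.2(7)E8, RELEASE SOFTWARE (fc2)",
    "stratix5410-core":  "Cisco IOS Software, IE5000 Software (IE5000-UNIVERSALK9-M), "
                         "Version 15.2(8)E6, RELEASE SOFTWARE (fc1)",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it the show version text your collection tool already gathers, and treat every "unknown" as work to do by hand: a switch on a different train, or one whose output could not be parsed, is not evidence that it is safe.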
Hardening Your OT Network Now
If immediate patching isn’t feasible, CISA and Rockwell recommend a set of layered defenses:
- Isolate control networks: Remove all management interfaces from the internet. Place Stratix devices behind firewalls, logically and physically separate from business networks.
- Restrict management access: Limit admin access to trusted jump hosts only. Use strong authentication (SSH keys, TACACS+/RADIUS) and enforce multi-factor authentication where possible.
- Disable unused services: Turn off the web UI, Telnet, and any other protocol you do not need; allow only SSH on the VTY lines and limit CLI access to the accounts and hosts that require it.
- Harden remote access: If remote connectivity is required, use modern VPNs with MFA and endpoint posture checks. Ensure VPN gateways themselves are patched.
- Apply strict ACLs: Permit management traffic only from the designated jump hosts and drop everything else. An ACL filters on addresses and ports, not payloads, so pair it with a firewall or IPS in front of the OT segment if you need to catch exploitation attempts in transit.
- Increase monitoring: Enable syslog and config-change alerts. Create detection rules for unexpected configuration uploads, VLAN modifications, or new user accounts.
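Most of the list above maps to a handful of IOS configuration statements, and the quickest way to find the switches that still have the old settings is to audit their running configurations. The following is an added example written for this article (not Rockwell's or CISA's code): it places a constructed weak management configuration beside a hardened one and runs a small audit over both. The configurations, hostnames, addresses, and the list of checks are constructed for the example, and treating a VTY line with no explicit transport statement as permissive is an assumption to verify against your own image's default.

```python
import re
from typing import List, Tuple

# Constructed sample of a weak management configuration (not taken from any real device).
WEAK_CONFIG = """\
hostname STRATIX-LINE1
!
no aaa new-model
!
ip http server
ip http secure-server
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
line vty 5 15
 login
 transport input all
!
end
"""

# Constructed sample of the same device after applying the controls listed above.
HARDENED_CONFIG = """\
hostname STRATIX-LINE1
!
aaa new-model
aaa authentication login default group tacacs+ local
!
no ip http server
no ip http secure-server
!
ip access-list standard MGMT-HOSTS
 permit 10.10.1.5
 deny   any log
!
archive
 log config
  logging enable
  notify syslog
!
logging host 10.10.1.20
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
line vty 5 15
 access-class MGMT-HOSTS in
 transport input ssh
!
end
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (top-level command, [indented child lines]) pairs.
    Nesting is flattened: every indented line belongs to the nearest top-level command."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            blocks.append((raw.strip(), []))
    return blocks


def audit_management_config(config: str) -> List[str]:
    """Return one finding per management-plane weakness; an empty list means all checks passed."""
    blocks = parse_blocks(config)
    top = {cmd for cmd, _ in blocks}
    findings = []
    for svc in ("ip http server", "ip http secure-server"):
        if svc in top:
            findings.append(f"{svc}: web UI enabled; disable it unless it is actually used")
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing: no centralized AAA (TACACS+/RADIUS), line passwords only")
    if not any(cmd.startswith("logging host ") for cmd in top):
        findings.append("logging host missing: no remote syslog collector")
    archive = next((kids for cmd, kids in blocks if cmd == "archive"), [])
    if "logging enable" not in archive:
        findings.append("archive/log config/logging enable missing: CLI configuration changes are not logged")
    for cmd, kids in blocks:
        if not cmd.startswith("line vty"):
            continue
        # A VTY line with no explicit transport statement is treated as permissive here;
        # that is an assumption of the example, so check the default on your own image.
        transport = next((k for k in kids if k.startswith("transport input")), "transport input all")
        allowed = transport.split()[2:]
        if "all" in allowed or "telnet" in allowed:
            findings.append(f"{cmd}: '{transport}' allows Telnet; use 'transport input ssh'")
        if not any(k.startswith("access-class ") and k.endswith(" in") for k in kids):
            findings.append(f"{cmd}: no inbound access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for f in audit_management_config(WEAK_CONFIG):
        print("-", f)
```

Run it over the configuration backups you already keep for rollback; the weak sample produces nine findings and the hardened one none. The archive/log config check matters for the next section as well, because without it the switch never emits per-command change logs, and your detection rules have nothing to match.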
How to Detect Exploitation Attempts
Because the vulnerability may manifest as unauthorized configuration changes, monitoring for anomalous administrative activity is key. Recommended detection measures include:
- Centralizing switch syslog and alerting on any configuration change events outside scheduled maintenance windows.
- Maintaining a baseline configuration hash for each device and regularly checking for deviations.
- Monitoring jump hosts and management workstations for suspicious file drops or script execution.
- Treating unusual CLI commands or web UI actions as high-priority incidents.
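The first two measures above, syslog alerting and baseline hashing, are small enough to show end to end. The following is an added example for this article (not from the advisory or any vendor tool) run over constructed data: it parses IOS %SYS-5-CONFIG_I and %PARSER-5-CFGLOG_LOGGEDCMD lines, flags configuration sessions outside a maintenance window or from an unexpected source, and compares a current configuration against a baseline fingerprint that ignores fields the switch rewrites on its own. The maintenance window, the allowed management hosts, the sensitive-command list, and every sample log and configuration line are assumptions constructed for the example.

```python
import hashlib
import re
from datetime import time
from typing import Dict, List

# Site policy assumed for this example (not from the advisory): management sessions come
# only from these hosts, and planned changes happen in a 01:00-03:00 UTC window.
MGMT_HOSTS = {"10.10.1.5"}
WINDOW_START, WINDOW_END = time(1, 0), time(3, 0)
# Commands that change who can log in, where traffic goes, or what boots (assumed list).
SENSITIVE_CMD = re.compile(
    r"^(username |enable |aaa |vlan |access-list |ip access-list |line |ip http |boot |"
    r"no (aaa|logging|archive|ip access-list))"
)
# Assumed log layout: 'PRI Mon DD HH:MM:SS.mmm TZ: %FACILITY-SEV-MNEMONIC: text'.
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?\w{3} +\d+ (?P<hms>\d\d:\d\d:\d\d)(?:\.\d+)? \w+: "
    r"(?P<mnemonic>%[A-Z]+-\d-[A-Z_]+): (?P<msg>.*)$"
)
CONFIG_I_RE = re.compile(r"by (?:(?P<user>\S+) on )?(?P<line>\S+?)(?: \((?P<src>[^)]+)\))?$")
CFGLOG_RE = re.compile(r"User:(?P<user>\S*)\s+logged command:(?P<cmd>.*)$")

# Constructed syslog sample (not from a real incident): an in-window change from the jump
# host, then a mid-day session from an unexpected address that adds an account and a VLAN.
SAMPLE_SYSLOG = """\
<189>Aug 12 02:14:07.113 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.1.5)
<189>Aug 12 02:15:30.220 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet1/1
<189>Aug 12 13:41:02.004 UTC: %SYS-5-CONFIG_I: Configured from console by vty1 (203.0.113.44)
<189>Aug 12 13:41:05.991 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:  logged command:username svc-ops privilege 15 secret 9 REDACTED
<189>Aug 12 13:41:09.532 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:  logged command:vlan 999
<189>Aug 12 13:42:00.100 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet1/2, changed state to down
"""

# Constructed baseline and later capture of the same device's running configuration.
BASELINE_CONFIG = """\
! Last configuration change at 02:15:30 UTC Tue Aug 12 2025 by admin
hostname STRATIX-LINE1
username admin privilege 15 secret 9 REDACTED
ntp clock-period 17180002
line vty 0 4
 transport input ssh
end
"""
CURRENT_CONFIG = """\
! Last configuration change at 13:41:09 UTC Tue Aug 12 2025
hostname STRATIX-LINE1
username admin privilege 15 secret 9 REDACTED
username svc-ops privilege 15 secret 9 REDACTED
ntp clock-period 17180007
vlan 999
line vty 0 4
 transport input ssh
end
"""


def detect_config_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per syslog line that is a configuration event worth a ticket."""
    alerts = []
    for raw in lines:
        m = SYSLOG_RE.match(raw)
        if not m:
            continue
        in_window = WINDOW_START <= time.fromisoformat(m["hms"]) <= WINDOW_END
        reasons = []
        if m["mnemonic"] == "%SYS-5-CONFIG_I":
            c = CONFIG_I_RE.search(m["msg"])
            src = c["src"] if c else None
            if not in_window:
                reasons.append("configuration session outside maintenance window")
            if src and src not in MGMT_HOSTS:
                reasons.append(f"configuration session from unexpected source {src}")
        elif m["mnemonic"] == "%PARSER-5-CFGLOG_LOGGEDCMD":
            c = CFGLOG_RE.search(m["msg"])
            if c and SENSITIVE_CMD.match(c["cmd"]):
                reasons.append(f"sensitive command by user {c['user'] or '<none>'}: {c['cmd']}")
                if not in_window:
                    reasons.append("outside maintenance window")
        if reasons:
            alerts.append({"time": m["hms"], "event": m["mnemonic"], "reasons": "; ".join(reasons)})
    return alerts


def _stable_lines(config: str) -> List[str]:
    """Drop comments and fields IOS rewrites on its own (e.g. ntp clock-period) so that a
    reboot or clock drift alone never changes the fingerprint."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.startswith("!") and not ln.startswith("ntp clock-period")]


def config_fingerprint(config: str) -> str:
    """SHA-256 baseline hash of the stable part of a configuration."""
    return hashlib.sha256("\n".join(_stable_lines(config)).encode()).hexdigest()


def config_drift(baseline: str, current: str) -> List[str]:
    """Lines added (+) or removed (-) versus the baseline. Order-insensitive and duplicate-
    collapsing, which is enough to name what changed once the fingerprints differ."""
    base, cur = set(_stable_lines(baseline)), set(_stable_lines(current))
    return sorted("+" + ln for ln in cur - base) + sorted("-" + ln for ln in base - cur)
```

On the sample data the first two lines (an admin session from the jump host inside the window) produce nothing, while the mid-day session yields three alerts: the session itself, the new privilege-15 account, and the new VLAN. The fingerprint comparison then names exactly those two added lines. The per-command %PARSER-5-CFGLOG_LOGGEDCMD messages only exist if the switch has archive/log config/logging enable configured, so this detection depends on the hardening step being done first.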
If an anomaly is detected:
- Isolate the affected device immediately but preserve forensic evidence.
- Collect the running configuration, the startup configuration (compare the two; an attacker may have altered only one of them), logs, and memory dumps before rebooting or reimaging.
- Engage Rockwell support and report the incident to CISA if it involves critical infrastructure.
The Bigger Picture for Industrial Security
CVE-2025-7350 underscores a persistent challenge in OT security: embedded systems often inherit vulnerabilities from upstream software components like Cisco IOS. When such flaws are discovered, they can affect a wide range of devices across multiple vendors, complicating patch management.
For asset owners, this is a rallying cry to maintain a real-time inventory of all connected OT assets, implement robust network segmentation, and adopt a defense-in-depth strategy that doesn’t rely solely on vendor patches. While the immediate action is to deploy 15.2(8)E6, the longer-term goal must be to minimize the attack surface through continuous hardening and monitoring.
Rockwell and CISA have provided the roadmap. Now it’s up to operators to execute with urgency – because in the world of industrial networking, a single unpatched switch can be the difference between business as usual and a costly production outage.