Rockwell Automation has patched a critical path traversal vulnerability in its AADvance‑Trusted SIS Workstation that could allow remote code execution on Windows engineering machines simply by opening a malicious zip file. The flaw, tracked as CVE‑2024‑48510, affects software versions 2.00.00 through 2.00.04 and was disclosed in a CISA advisory on November 13, 2025. The fix — upgrading to version 2.01.00 or later — closes a gap that could put safety instrumented systems at risk.

What the Vulnerability Actually Does

At its core, CVE‑2024‑48510 is a ZipSlip path traversal bug (CWE‑22) inside the DotNetZip library, which Rockwell embedded in its Workstation product. DotNetZip versions up to and including 1.16.0 mishandle extraction paths when unpacking specially crafted archive files. An attacker can encode file names to escape the intended destination folder and write files anywhere on the system — system directories, startup folders, or application binaries — without the user seeing anything suspicious.

Once a malicious file lands in a trusted location, the attacker can achieve arbitrary code execution the next time a user logs in, a scheduled task runs, or a service starts. The advisory lists a CVSS v3.1 base score of 8.8 and a CVSS v4 score of 8.6, reflecting a high‑severity threat that combines a remote attack vector, low complexity, and a complete impact on confidentiality, integrity, and availability.

How Attackers Can Reach Your Workstation

Exploitation requires a victim to open a booby‑trapped archive file — a common action in industrial environments where engineers regularly exchange project backups, import configuration archives, or review vendor‑supplied files. The advisory makes clear that no special privileges are needed on the attacker’s side, only that the vulnerable extraction logic is triggered.

Delivery methods mirror typical phishing and removable‑media vectors:
- An email attachment disguised as a vendor firmware update or a colleague’s project file.
- A shared network folder carrying a compromised zip archive.
- A USB drive handed to a technician during a site visit, containing what appears to be a legitimate backup.

Once the file is opened inside the AADvance Workstation, the DotNetZip extraction routine unwittingly places payloads outside the expected project directory. Because engineering workstations often run with elevated privileges for controller programming, the resulting code execution can quickly escalate to a full system compromise.

Who Is at Risk and What’s at Stake

This vulnerability directly affects facilities that use Rockwell’s Trusted® Series 8000 or AADvance® Series 9000 safety instrumented systems and rely on the AADvance‑Trusted SIS Workstation to design, configure, and manage safety logic. The impact falls into three distinct groups:

Control Systems Engineers and Plant Managers
The Workstation holds safety logic projects, controller credentials, and configuration files. An attacker who gains a foothold can modify safety logic, push unauthorized changes to controllers, or exfiltrate sensitive design documents. In the worst case, this could lead to unsafe operations or a forced plant shutdown.

IT and OT Security Teams
Engineering workstations often bridge the gap between corporate networks and isolated industrial control systems. A compromised AADvance host can serve as a pivot point to reach HMIs, PLCs, and other operational technology assets that are normally air‑gapped or heavily segmented. Lateral movement from a single infected workstation can unravel years of network segmentation work.

Windows Administrators Managing Engineering Hosts
These machines are frequently overlooked in patch cycles because safety‑critical software demands lengthy testing and validation. The resulting delay creates a long exposure window. Even before the patch is applied, Windows admins must harden these hosts against archive‑based attacks, knowing that user interaction is all it takes to detonate the exploit.

The Patch and When to Apply It

Rockwell Automation corrected the flaw in AADvance Workstation version 2.01.00 and explicitly states that this release replaces the vulnerable DotNetZip component. For anyone running version 2.00.00 through 2.00.04, upgrading is the only complete remediation.

Because SIS engineering suites must maintain exact compatibility with controller firmware and safety protocols, Rockwell recommends staging the update:

  1. Lab first: Deploy v2.01.00 in a non‑production test environment and confirm that existing projects open correctly, communication with controllers remains stable, and any custom scripts still function.
  2. Pilot group: Roll out to a small group of engineers who can verify day‑to‑day workflows.
  3. Full production: Schedule the upgrade across all engineering hosts, with rollback plans and verified project database backups.

The CISA advisory adds that no known public exploitation had been reported at the time of disclosure, but that absence does not replace urgency: attack code can appear quickly once a vulnerability is publicly cataloged.

If You Can’t Patch Immediately

For organizations that must delay deployment, Rockwell and CISA recommend a set of compensating controls:

  • Isolate engineering workstations: Place all AADvance hosts in a dedicated OT engineering VLAN with strict access control lists. Block inbound connections from business networks and the internet.
  • Restrict archive handling: Disallow opening project or backup files from untrusted sources. Enforce a policy that all third‑party archives must be scanned and validated before import.
  • Harden endpoints: Remove local administrator rights where possible, enable application whitelisting (AppLocker or Windows Defender Application Control), and configure EDR to flag unexpected file writes outside known project folders.
  • Strengthen email and web filters: Block or quarantine zip attachments from external senders, and require additional approval before an engineer can lift the quarantine.

How We Got Here: The Legacy Library Trap

DotNetZip was a popular open‑source .NET library for handling zip files, but it has been effectively unmaintained for years. The last official release, version 1.16.0, dates back more than a decade. Multiple path traversal flaws in its extraction logic have been reported over time, yet it remained embedded in countless enterprise and industrial products because swapping out a compression library is never as trivial as it sounds.

Rockwell’s AADvance Workstation inherited the library as a third‑party dependency, and the company only fully addressed the risk when the specific CVE‑2024‑48510 was brought to light. This is a textbook example of supply‑chain risk in ICS software: a defect in a long‑forgotten component can suddenly become a high‑severity exposure when a product processes untrusted input — in this case, zip files that engineers open without a second thought.

Action Plan for Windows Engineering Workstations

Beyond the patch itself, Windows administrators and OT security teams should treat the event as a trigger to review how engineering workstations are protected. Here is a concrete checklist:

  • Inventory every AADvance host: Record exact software versions, OS build numbers, and network segment. This list becomes the basis for patching and monitoring.
  • Segment aggressively: Confirm that engineering VLANs have no direct internet access and are firewalled off from the corporate LAN. Remote access should go through jump hosts with multi‑factor authentication.
  • Control file origins: Enforce signed project archives where feasible. If a project file arrives unsigned, require verification through a known channel before it is opened.
  • Deploy application whitelisting: A strict allow‑list of executable paths prevents a ZipSlip payload from ever running, even if it writes to disk. Focus on blocking execution from user‑writable directories and temporary folders.
  • Enable forensic logging: Collect process creation events, file write audits, and network connections from engineering hosts. Unexpected activity — a new process spawning from a zip extraction, or outbound connections to the internet — should trigger an immediate alert.
  • Prepare an incident response drill: Simulate a ZipSlip attack in a lab. Train engineering staff to recognize phishing lures and to never open unsolicited project archives without scanning.

What’s Next: Hardening Industrial Software Supply Chains

CVE‑2024‑48510 is not an isolated incident; it’s a reminder that industrial control system software often relies on legacy open‑source libraries that no longer receive security patches. For organizations that run engineering workstations on Windows, the long‑term play must include:

  • Software Bill of Materials (SBOM): Demand that vendors publish a list of third‑party components in every product release. Track those components and flag ones that have reached end‑of‑life.
  • Library replacement programs: When a product relies on an unmaintained library like DotNetZip, pressure the vendor to migrate to a supported alternative and to issue a security update that removes the dependency entirely.
  • Windows‑specific hardening baselines: Adopt Microsoft’s security baselines for engineering workstations, but extend them to cover the unique risks of ICS software — for example, restricting archive extraction to a sandboxed directory and disabling script execution from temporary folders.

Rockwell’s prompt release of version 2.01.00 shows that the vendor understands the stakes. The message for operators is equally clear: patch now, or if you can’t, lock down every other path an attacker might use to reach that workstation. A zip file should never be the thing that takes down a safety system.