CVE-2025-13845 Overview
CVE-2025-13845 is a Use After Free (CWE-416) vulnerability affecting Schneider Electric Rapsody software. This memory corruption flaw can be exploited to achieve remote code execution when an end user imports a maliciously crafted project file (SSD file) into Rapsody. The vulnerability requires user interaction, specifically opening a weaponized project file, making it a potential vector for targeted attacks against industrial control system (ICS) operators and engineers.
Critical Impact
Successful exploitation of this vulnerability allows attackers to execute arbitrary code on the target system with the privileges of the Rapsody application user, potentially compromising industrial automation environments.
Affected Products
- Schneider Electric Rapsody (specific versions detailed in vendor advisory)
Discovery Timeline
- 2026-01-15 - CVE-2025-13845 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-13845
Vulnerability Analysis
This vulnerability belongs to the Use After Free (UAF) class of memory corruption flaws. UAF vulnerabilities occur when a program continues to use a pointer after the memory it references has been freed. In the context of Rapsody, this condition is triggered during the parsing or processing of SSD project files.
When Rapsody processes a maliciously crafted SSD file, certain memory structures are freed prematurely while references to those structures remain active. An attacker can craft a specific SSD file that causes the application to reference this freed memory, which may have been reallocated for attacker-controlled data. This manipulation allows the attacker to hijack program execution flow and achieve arbitrary code execution.
The attack requires local access and user interaction, as the victim must manually import the malicious project file into the Rapsody application. This makes the vulnerability particularly suited for spear-phishing campaigns targeting ICS professionals.
Root Cause
The root cause is improper memory management within Rapsody's SSD file parsing routines. The application fails to properly track the lifecycle of dynamically allocated memory objects during project file import operations. When certain malformed or specially structured data elements are encountered in the SSD file, the parser may free memory objects while other parts of the code still hold references to them, creating a dangling pointer condition.
Attack Vector
The attack vector for CVE-2025-13845 is local, requiring the attacker to deliver a malicious SSD project file to the victim. Attack scenarios include:
- Spear-phishing campaigns - Sending malicious SSD files via email to ICS engineers and operators
- Compromised project repositories - Planting malicious project files in shared network locations
- Supply chain attacks - Embedding malicious content in seemingly legitimate project packages
The attacker must convince the victim to open the malicious file in Rapsody. Once opened, the Use After Free condition is triggered during file parsing, allowing the attacker to gain code execution with the privileges of the current user.
Detection Methods for CVE-2025-13845
Indicators of Compromise
- Unexpected SSD project files appearing in user directories or email attachments
- Rapsody application crashes or abnormal behavior during project file imports
- Unusual process spawning or network connections originating from the Rapsody process
- Memory access violations or application exceptions logged in Windows Event Viewer
Detection Strategies
- Monitor for unexpected SSD file downloads or email attachments targeting ICS personnel
- Deploy endpoint detection rules to identify anomalous behavior from the Rapsody process
- Implement file integrity monitoring on project directories to detect unauthorized file modifications
- Configure application whitelisting to prevent unauthorized code execution
Monitoring Recommendations
- Enable detailed logging for Rapsody application events and file operations
- Monitor network traffic for command-and-control communications following potential exploitation
- Establish baseline behavior for Rapsody processes to detect deviations indicating compromise
- Implement alerting for new or modified SSD files in monitored directories
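One way to implement the file integrity monitoring and the new-or-modified SSD file alerting recommended above, as an added example that is not part of the vendor advisory or of Rapsody itself. It assumes SSD project files carry a `.ssd` extension; the directory layout, baseline file name and file contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative path: SHA-256 hex digest} for every .ssd file under root."""
    result = {}
    for path in Path(root).rglob("*"):
        # Assumption: SSD project files use the .ssd extension (matched case-insensitively).
        if path.is_file() and path.suffix.lower() == ".ssd":
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result


def compare(baseline, current):
    """Classify the differences between two snapshots."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def check(root, baseline_file):
    """Compare root against the stored baseline; record the baseline on first run."""
    current = snapshot(root)
    baseline_path = Path(baseline_file)
    if not baseline_path.exists():
        baseline_path.write_text(json.dumps(current, indent=2))
        return {"new": [], "modified": [], "removed": []}
    # The baseline is not refreshed here, so a finding persists until it is reviewed.
    return compare(json.loads(baseline_path.read_text()), current)


if __name__ == "__main__":
    # Constructed demo data in a temporary directory; contents are placeholders.
    with tempfile.TemporaryDirectory() as tmp:
        projects = Path(tmp, "projects")
        projects.mkdir()
        (projects / "line1.ssd").write_bytes(b"constructed project A")
        baseline = Path(tmp, "baseline.json")
        check(projects, baseline)  # first run records the baseline
        (projects / "line1.ssd").write_bytes(b"constructed project A, edited")
        (projects / "Inbound.SSD").write_bytes(b"constructed project B")
        print(check(projects, baseline))
```

Keep the baseline file outside the monitored directory and writable only by the monitoring account, so that a user who can drop project files cannot also rewrite the baseline.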
How to Mitigate CVE-2025-13845
Immediate Actions Required
- Review and apply security patches from Schneider Electric as they become available
- Restrict SSD file imports to trusted sources only
- Educate users about the risks of opening unsolicited project files
- Implement network segmentation to isolate ICS engineering workstations
Patch Information
Schneider Electric has published a security notice addressing this vulnerability. Organizations should review the Schneider Electric Security Notice (SEVD-2026-013-04) for detailed patch and remediation information. Apply all vendor-recommended updates as soon as they are validated for your environment.
Workarounds
- Implement strict file screening procedures for all incoming SSD project files before opening them in Rapsody
- Use isolated virtual environments or sandboxed systems when opening project files from untrusted sources
- Configure email gateways to quarantine SSD file attachments for manual review
- Disable automatic file association for SSD files to prevent accidental opening