CVE-2025-60035 Overview
A critical insecure deserialization vulnerability has been identified in the OPC.Testclient utility included with Bosch Rexroth IndraWorks. All versions prior to 15V24 are affected by this flaw, which allows an attacker to execute arbitrary code on a user's system by exploiting the parsing of manipulated files containing malicious serialized data. Successful exploitation requires user interaction—specifically, opening a specially crafted file—which triggers the application to deserialize the malicious payload, enabling Remote Code Execution (RCE).
Critical Impact
This vulnerability can lead to complete compromise of systems running OPC.Testclient, allowing attackers to gain full control over industrial workstations and potentially pivot to connected operational technology (OT) environments.
Affected Products
- Bosch Rexroth IndraWorks OPC.Testclient (all versions prior to 15V24)
- Industrial automation workstations running vulnerable OPC.Testclient versions
- Systems integrated with Rexroth IndraWorks engineering software
Discovery Timeline
- 2026-02-18 - CVE-2025-60035 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-60035
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data), a well-known class of vulnerabilities that occurs when applications deserialize data from untrusted sources without proper validation. In the context of OPC.Testclient, the application processes project or configuration files that contain serialized object data. When a user opens a maliciously crafted file, the deserialization routine instantiates attacker-controlled objects, leading to arbitrary code execution.
The local attack vector requires the attacker to deliver the malicious file to the victim through social engineering, email attachments, shared network drives, or supply chain compromise. Once the victim opens the file within OPC.Testclient, the malicious payload executes with the privileges of the user running the application.
Root Cause
The root cause of this vulnerability lies in the OPC.Testclient's failure to properly validate and sanitize serialized data before deserialization. The application trusts input from file contents implicitly, allowing an attacker to craft a file containing malicious serialized objects. When these objects are deserialized, they can trigger arbitrary method calls, instantiate dangerous classes, or execute system commands through gadget chains present in the application's class path.
Attack Vector
The attack requires user interaction—the victim must open a specially crafted file. An attacker would typically:
- Create a malicious file containing a serialized payload designed to exploit known gadget chains
- Deliver the file to the target via phishing emails, compromised network shares, or other social engineering techniques
- Convince the victim to open the file in OPC.Testclient
- Upon opening, the application deserializes the malicious content, executing arbitrary code with the user's privileges
The vulnerability affects industrial engineering environments where OPC.Testclient is commonly used for OPC server testing and development, making it a potential entry point into operational technology networks.
For detailed technical information on this vulnerability, refer to the Bosch Security Advisory BOSCH-SA-591522.
Detection Methods for CVE-2025-60035
Indicators of Compromise
- Unexpected process spawning from OPC.Testclient application (e.g., cmd.exe, powershell.exe, or unknown executables)
- Suspicious file access patterns involving newly downloaded or externally sourced project files
- Network connections initiated by OPC.Testclient to unexpected external IP addresses
- Unusual registry modifications or file system changes following file opening in OPC.Testclient
Detection Strategies
- Monitor for anomalous child processes spawned by OPC.Testclient using endpoint detection and response (EDR) solutions
- Implement file integrity monitoring on workstations running IndraWorks to detect unexpected file modifications
- Deploy behavioral analysis rules to flag deserialization-related exploitation patterns
- Configure email gateway scanning to detect and quarantine suspicious file attachments targeting industrial software
Monitoring Recommendations
- Enable detailed application logging for OPC.Testclient and forward logs to SIEM for correlation analysis
- Monitor for file downloads and executions of project files from untrusted sources on engineering workstations
- Implement network segmentation monitoring to detect lateral movement attempts from compromised engineering systems
- Review authentication logs for unusual access patterns to systems where OPC.Testclient is installed
How to Mitigate CVE-2025-60035
Immediate Actions Required
- Update Bosch Rexroth IndraWorks OPC.Testclient to version 15V24 or later immediately
- Restrict OPC.Testclient usage to trusted, verified project files only until patching is complete
- Implement application allowlisting to prevent unauthorized code execution from OPC.Testclient processes
- Conduct user awareness training to warn against opening untrusted project files
Patch Information
Bosch Rexroth has released IndraWorks version 15V24 which addresses this insecure deserialization vulnerability. Organizations should obtain the updated software through official Bosch Rexroth distribution channels. For complete patch details and download instructions, consult the Bosch Security Advisory BOSCH-SA-591522.
Workarounds
- Isolate engineering workstations running vulnerable OPC.Testclient versions from production OT networks
- Implement strict file source verification policies, only allowing project files from trusted internal sources
- Deploy endpoint protection solutions capable of detecting deserialization attacks and blocking malicious payloads
- Consider disabling or removing OPC.Testclient from workstations where it is not actively required until the patch can be applied
# Verify installed IndraWorks version and check for vulnerable OPC.Testclient
# Location may vary based on installation path
dir "C:\Program Files\Bosch Rexroth\IndraWorks\" /s | findstr "version"
# Restrict execution permissions for OPC.Testclient until patched (PowerShell)
# Note: Adjust path based on actual installation directory
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Restricted
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
