CVE-2025-7350 Overview
CVE-2025-7350 is a high-severity vulnerability affecting Rockwell Automation Stratix® 5410, 5700, and 8000 industrial switches. The flaw originates in shared Cisco IOS code used by these devices. An unauthenticated remote attacker can upload and execute malicious configuration data, leading to arbitrary code execution on the device. The issue is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component, also known as Injection).
Critical Impact
Successful exploitation grants attackers remote code execution on Stratix industrial switches without authentication, exposing operational technology (OT) networks to disruption, lateral movement, and process manipulation.
Affected Products
- Rockwell Automation Stratix 5410 Industrial Distribution Switch
- Rockwell Automation Stratix 5700 Industrial Managed Ethernet Switch
- Rockwell Automation Stratix 8000 Modular Managed Ethernet Switch
Discovery Timeline
- 2025-09-09 - CVE-2025-7350 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-7350
Vulnerability Analysis
The vulnerability allows an unauthenticated network-based attacker to deliver a crafted configuration payload to the affected Stratix switch. Because the device processes the uploaded configuration without enforcing authentication or properly neutralizing embedded directives, attacker-controlled content reaches a downstream interpreter on the device. The result is arbitrary code execution within the switch operating environment.
The flaw inherits from the underlying Cisco IOS code base shared with the Stratix product line. Rockwell Automation has confirmed that Stratix 5410, 5700, and 8000 switches are directly impacted. Exploitation requires user action according to the CVSS 4.0 vector, indicating that the attack chain depends on an operator triggering or accepting a configuration update path.
Root Cause
The root cause is an injection weakness [CWE-74] in the configuration handling logic. The device fails to neutralize special elements within uploaded configuration files before passing them to a downstream component. This allows attacker-supplied directives to be interpreted as executable instructions rather than inert data.
Attack Vector
The attack vector is network-based. An attacker capable of reaching the management interface of a Stratix switch, or who can coerce an administrator to load a malicious configuration, can deliver the payload. Because the operation does not require prior authentication, any reachable management plane represents an exposure point. Industrial networks where switches share VLANs with engineering workstations or expose management interfaces to flat networks are at heightened risk.
See the Rockwell Automation Security Advisory SD1745 for vendor-specific technical details. No public proof-of-concept code is currently available.
Detection Methods for CVE-2025-7350
Indicators of Compromise
- Unexpected configuration file uploads or copy operations targeting Stratix 5410, 5700, or 8000 switches outside maintenance windows.
- New or modified administrator accounts, unexpected aaa directives, or unauthorized changes to access control lists in device running-config.
- Outbound connections from switch management IPs to unknown external hosts, indicating possible post-exploitation beaconing.
- Syslog entries showing configuration changes from unauthenticated or unfamiliar source addresses.
Detection Strategies
- Baseline running-config and startup-config hashes for every Stratix device and alert on deviation.
- Forward switch syslog and AAA accounting records to a centralized SIEM, then correlate configuration-change events with authenticated administrator sessions.
- Monitor TFTP, FTP, SCP, and HTTP(S) file transfers to switch management interfaces for unauthorized sources.
Monitoring Recommendations
- Enable command accounting and archive log config on Stratix devices to capture every configuration change with timestamps.
- Inspect network flows between IT and OT segments for management protocol traffic that crosses trust boundaries.
- Audit privileged account use against change-management tickets to detect unauthorized configuration pushes.
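The detection strategies and monitoring recommendations above can be turned into a small drift and attribution check. The script below is an added illustration, not code from the page or from Rockwell Automation: it hashes a config export against a stored baseline, lists newly added privilege-15 accounts, and flags %SYS-5-CONFIG_I syslog events that either arrived over a file-transfer URL or cannot be matched to an authenticated AAA session. The config text, syslog lines, session records and addresses are all constructed samples; the regex assumes the generic IOS CONFIG_I message shape.

```python
import hashlib
import re

# Constructed sample configs (not from a real device): a saved baseline and a later export.
BASELINE_CONFIG = "hostname STRATIX-5700-A\n!\nline vty 0 15\n access-class MGMT in\n"
CURRENT_CONFIG = BASELINE_CONFIG + "username svc-tftp privilege 15 secret 5 <hash>\n"

# Constructed syslog lines in the shape IOS uses for config-change events.
SYSLOG = [
    "Sep 10 02:14:07 10.20.0.11 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.20.0.50)",
    "Sep 10 03:41:22 10.20.0.11 %SYS-5-CONFIG_I: Configured from tftp://10.20.9.99/stratix.cfg by console",
    "Sep 10 04:05:00 10.20.0.11 %SYS-5-CONFIG_I: Configured from console by ops on vty1 (10.20.0.77)",
]

# Constructed AAA accounting state: (user, source address) pairs that hold an authenticated session.
AAA_SESSIONS = {("admin", "10.20.0.50")}

CONFIG_I = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<via>\S+) by (?P<user>\S+)"
    r"(?: on (?P<line>\S+) \((?P<addr>[^)]+)\))?"
)
# Schemes that mean the change was loaded as a file rather than typed in a session.
TRANSFER = ("tftp://", "ftp://", "http://", "https://", "scp://")


def config_sha256(text: str) -> str:
    """Hash a config export; keep the baseline value and alert when it changes."""
    return hashlib.sha256(text.encode()).hexdigest()


def new_privileged_users(baseline: str, current: str) -> list[str]:
    """Lines added since the baseline that create a privilege-15 account."""
    added = set(current.splitlines()) - set(baseline.splitlines())
    return sorted(l for l in added if re.match(r"username \S+ privilege 15\b", l))


def unattributed_changes(lines: list[str], sessions: set[tuple[str, str]]) -> list[str]:
    """CONFIG_I events with no matching AAA session, plus any change loaded over a
    file-transfer URL (the upload path the advisory describes)."""
    flagged = []
    for line in lines:
        m = CONFIG_I.search(line)
        # m["addr"] is None for file loads, which never match a session pair anyway.
        if m and (m["via"].startswith(TRANSFER) or (m["user"], m["addr"]) not in sessions):
            flagged.append(line)
    return flagged
```

Run the three functions over each device's exported config and forwarded syslog; only the events they return need an analyst's attention.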
How to Mitigate CVE-2025-7350
Immediate Actions Required
- Restrict management plane access to Stratix 5410, 5700, and 8000 switches using infrastructure ACLs and dedicated out-of-band management networks.
- Disable unused configuration upload services such as TFTP and HTTP on affected devices.
- Enforce strong AAA with TACACS+ or RADIUS, and require multi-factor authentication for administrator workstations.
- Review device configurations and audit logs for evidence of unauthorized changes since publication.
Patch Information
Refer to the Rockwell Automation Security Advisory SD1745 for the current list of fixed firmware versions for Stratix 5410, 5700, and 8000 platforms. Apply the vendor-supplied firmware update during the next available maintenance window, prioritizing devices with exposed management interfaces.
Workarounds
- Segment Stratix switches into a dedicated management VLAN unreachable from production user networks until firmware is updated.
- Apply control plane policing and management plane protection to limit which source addresses can reach configuration services.
- Require operators to validate firmware and configuration file integrity using vendor-published hashes before any upload.
- Block management protocol traffic at the IT/OT boundary using firewall rules aligned with the Purdue model.
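To verify that the immediate actions and workarounds above have actually landed on a device, a config export can be audited for the weak settings beside the corrected ones. The script below is an added example, not from the page or the vendor: WEAK_CONFIG and HARDENED_CONFIG are constructed samples written in standard IOS syntax (their exact availability on a given Stratix firmware is an assumption, and the COPP policy-map is assumed to be defined elsewhere), and audit_config reports every gap it finds.

```python
import re

# Constructed sample: a weak running-config export of the kind the workarounds above describe.
WEAK_CONFIG = """\
hostname STRATIX-8000-A
ip http server
line vty 0 15
 transport input telnet ssh
"""

# Constructed sample: the same device after hardening (standard IOS commands; policy-map COPP assumed).
HARDENED_CONFIG = """\
hostname STRATIX-8000-A
aaa new-model
aaa accounting commands 15 default start-stop group tacacs+
archive
 log config
  logging enable
  hidekeys
no ip http server
ip access-list standard MGMT
 permit 10.20.0.0 0.0.0.255
control-plane
 service-policy input COPP
line vty 0 15
 access-class MGMT in
 transport input ssh
"""

# (finding, pattern that must appear somewhere in the export; re.M makes ^/$ line anchors)
REQUIRED = [
    ("AAA not enabled (aaa new-model)", r"^aaa new-model$"),
    ("privileged command accounting missing", r"^aaa accounting commands 15 "),
    ("archive log config not enabled", r"^archive\n log config\n  logging enable$"),
    ("no CoPP service-policy under control-plane", r"^control-plane\n service-policy input "),
    ("vty lines lack an access-class", r"^line vty .*\n(?: .*\n)* access-class \S+ in$"),
]
# (finding, pattern that must NOT appear)
FORBIDDEN = [
    ("HTTP server enabled (config upload path)", r"^ip http server$"),
    ("telnet accepted on vty lines", r"^ transport input .*\btelnet\b"),
]


def audit_config(text: str) -> list[str]:
    """Return hardening gaps found in a running-config export; empty means compliant."""
    findings = [msg for msg, pat in REQUIRED if not re.search(pat, text, re.M)]
    findings += [msg for msg, pat in FORBIDDEN if re.search(pat, text, re.M)]
    return findings
```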
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.