CVE-2025-7350 Overview
CVE-2025-7350 affects Rockwell Automation Stratix® 5410, 5700, and 8000 industrial network switches. These devices share underlying firmware components with Cisco platforms and inherit a security issue that allows attackers to upload and execute malicious configurations without authentication. Successful exploitation leads to remote code execution on operational technology (OT) infrastructure. The flaw is categorized under CWE-74 for improper neutralization of special elements in output used by a downstream component (injection). Rockwell Automation published a security advisory tracking this issue as SD1745.
Critical Impact
Unauthenticated attackers can upload crafted configurations to Stratix switches over the network and achieve remote code execution on industrial control infrastructure.
Affected Products
- Rockwell Automation Stratix® 5410 Industrial Distribution Switches
- Rockwell Automation Stratix® 5700 Industrial Managed Switches
- Rockwell Automation Stratix® 8000 Modular Managed Switches
Discovery Timeline
- 2025-09-09 - CVE-2025-7350 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-7350
Vulnerability Analysis
The vulnerability resides in the configuration handling logic shared between Cisco devices and the Stratix product line, which is OEM-derived from Cisco IOS-based platforms. An attacker reachable over the network can submit a malicious configuration file to the switch. The device processes the configuration without validating its source or contents against an authenticated session. This permits arbitrary code execution within the context of the switch operating system.
The issue maps to CWE-74, reflecting injection of unsanitized content into a downstream component. The EPSS probability is 0.587% at the 69th percentile, indicating elevated near-term exploitation likelihood relative to the broader CVE population.
Root Cause
The root cause is missing authentication and input validation on a configuration ingestion code path. The firmware accepts and applies configuration data through a network-accessible interface without verifying caller identity or sanitizing parsed elements. Because configurations on these platforms can reference scripts, boot parameters, and service definitions, injecting attacker-controlled data into the parser yields code execution primitives.
Attack Vector
The attack vector is network-based with low complexity. An attacker requires no prior credentials, although the CVSS 4.0 vector records active user interaction (UI:A). The adversary delivers a crafted configuration to the management interface of the Stratix switch. Upon parsing, the device executes attacker-controlled instructions. Refer to the Rockwell Automation Security Advisory SD1745 for vendor technical details.
Detection Methods for CVE-2025-7350
Indicators of Compromise
- Unexpected configuration changes or new boot variables on Stratix 5410, 5700, or 8000 switches.
- Inbound connections to switch management interfaces (HTTP, HTTPS, TFTP, SCP) from non-administrative hosts.
- New or modified user accounts, ACL entries, or SNMP communities appearing outside change windows.
- Outbound network traffic originating from the switch management plane to unfamiliar destinations.
Detection Strategies
- Compare running and startup configurations against a known-good baseline on a recurring schedule.
- Alert on configuration upload events that do not correlate with an authenticated administrative session in identity logs.
- Monitor syslog for unexpected archive or copy commands targeting running-config or startup-config.
- Inspect north-south traffic for configuration file transfers to OT switch management VLANs.
Monitoring Recommendations
- Forward switch syslog and AAA accounting records to a centralized SIEM for correlation.
- Enable NetFlow or equivalent on management VLANs to identify anomalous file transfer flows.
- Track firmware and configuration hashes across the Stratix fleet and alert on drift.
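The detection strategies and monitoring recommendations above come down to two checks: correlating configuration-change events with an administrator allowlist, and diffing the running configuration against a known-good baseline. The following Python is an added example (not from the page or from Rockwell Automation) that implements both over constructed sample data; the syslog field layout it parses is modelled on the IOS "Configured from X by Y" message and is an assumption to verify against real Stratix output, and the hostnames, addresses, file names and hash placeholders are made up.

```python
import re
# Constructed pattern modelled on the IOS "%SYS-5-CONFIG_I: Configured from X by Y" message (layout assumed)
CONFIG_I = re.compile(r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<user>\S+)"
                      r"(?: on (?P<line>\S+))?(?: \((?P<host>[\d.]+)\))?")
TRANSFER_SCHEMES = ("tftp://", "ftp://", "http://", "https://", "scp://")
# Statement prefixes whose unexpected appearance matches the IoCs listed on this page
SENSITIVE = ("boot ", "username ", "snmp-server community", "ip access-list", "event manager applet")
# Constructed sample syslog (hostnames, addresses and file names are made up)
SAMPLE_SYSLOG = [
    "Sep  9 10:02:11 stratix-5700 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.10.5)",
    "Sep  9 10:41:03 stratix-5700 %SYS-5-CONFIG_I: Configured from tftp://10.20.30.40/sw.cfg by console",
    "Sep  9 11:15:27 stratix-8000 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (192.168.50.77)",
]
# Constructed known-good baseline and a running config that has drifted from it
BASELINE_CFG = """!
username admin privilege 15 secret 9 PLACEHOLDER-HASH
snmp-server community ot-ro RO
line vty 0 15
 transport input ssh
"""
RUNNING_CFG = BASELINE_CFG + """username svc-backup privilege 15 secret 9 PLACEHOLDER-HASH
snmp-server community public RW
boot system flash:/ios-patched.bin
"""

def parse_config_event(line):
    """Return the CONFIG_I fields of one syslog line, or None if it is not a config event."""
    m = CONFIG_I.search(line)
    return m.groupdict() if m else None

def suspicious_events(lines, admin_hosts):
    """Flag config events pulled from a transfer URL or applied from a non-allowlisted host."""
    hits = []
    for line in lines:
        ev = parse_config_event(line)
        if ev is None:
            continue
        if ev["source"].startswith(TRANSFER_SCHEMES):
            hits.append((line, "config loaded from transfer URL " + ev["source"]))
        elif ev["host"] and ev["host"] not in admin_hosts:
            hits.append((line, "config change from non-admin host " + ev["host"]))
    return hits

def config_drift(baseline, running):
    """Diff two configs as sets of statements and flag added statements with sensitive prefixes."""
    def stmts(text):
        return {s for s in (l.strip() for l in text.splitlines()) if s and not s.startswith("!")}
    added = sorted(stmts(running) - stmts(baseline))
    return {"added": added, "removed": sorted(stmts(baseline) - stmts(running)),
            "flagged": [s for s in added if s.startswith(SENSITIVE)]}
```

With the allowlist `{"10.10.10.5"}`, the TFTP-sourced load and the change from 192.168.50.77 are flagged, and the drift check reports the new account, the RW community and the new boot statement.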
How to Mitigate CVE-2025-7350
Immediate Actions Required
- Inventory all Stratix 5410, 5700, and 8000 devices and identify firmware versions in scope of advisory SD1745.
- Apply the firmware update referenced in the Rockwell Automation advisory as soon as change windows permit.
- Restrict management plane access to a dedicated administrative VLAN reachable only from authorized jump hosts.
- Disable unused configuration transfer services such as TFTP and HTTP where they are not operationally required.
Patch Information
Rockwell Automation has published remediation guidance in advisory SD1745. Consult the Rockwell Automation Security Advisory for fixed firmware versions corresponding to each affected Stratix model and for any required upgrade prerequisites.
Workarounds
- Place Stratix switch management interfaces behind a firewall that permits traffic only from a documented administrator allowlist.
- Enforce ACLs on the switches that drop configuration protocol traffic from untrusted subnets.
- Require multi-factor authentication on the jump hosts used to administer OT switches until firmware patches are deployed.
- Segment OT and IT networks following IEC 62443 zone and conduit guidance to reduce reachable attack surface.
! Configuration example: restrict management access on Stratix (IOS-style)
! Only the jump host 10.10.10.5 may reach SSH (22) and HTTPS (443); all other management traffic is dropped and logged
ip access-list extended MGMT-ACL
 permit tcp host 10.10.10.5 any eq 22
 permit tcp host 10.10.10.5 any eq 443
 deny ip any any log
!
! Apply the ACL to the VTY lines and accept SSH only (no Telnet)
line vty 0 15
 access-class MGMT-ACL in
 transport input ssh
!
! Disable the HTTP and HTTPS management servers; the 443 permit above only matters if HTTPS is later re-enabled
no ip http server
no ip http secure-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.