CVE-2025-1449 – Admin Shell Access Vulnerability in Rockwell Automation Verve Asset Manager

https://notcve.org/view.php?id=CVE-2025-1449

31 Mar 2025 — A vulnerability exists in the Rockwell Automation Verve Asset Manager due to insufficient variable sanitizing. A portion of the administrative web interface for Verve's Legacy Agentless Device Inventory (ADI) capability (deprecated since the 1.36 release) allows users to change a variable with inadequate sanitizing. If exploited, it could allow a threat actor with administrative access to run arbitrary commands in the context of the container running the service. • https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1723.html •