Studio 5000 Logix Designer® – Multiple Vulnerabilities
Summary
| CVE | CVE-2026-9128 |
|---|---|
| State | PUBLISHED |
| Assigner | Rockwell |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-14 16:17:05 UTC |
| Updated | 2026-07-14 16:46:49 UTC |
| Description | A code execution security issue exists within Studio 5000 Logix Designer® due to an unquoted search path in the External Tools configuration. The executable paths specified in the external tools configuration file are not properly quoted, and because these paths contain spaces, the operating system may resolve them to unintended executables placed earlier in the search order. If exploited, an attacker could plant a malicious executable in a location within the search path, resulting in arbitrary code execution with the same permissions of the user running the application. |
Risk And Classification
Primary CVSS: v4.0 7.3 HIGH from [email protected]
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-428 | CWE-428 CWE-428: Unquoted Search Path or Element
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 7.3 | HIGH | CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/C... |
| 4.0 | CNA | CVSS | 7.3 | HIGH | CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
CVSS v4.0 Breakdown
Attack Vector
LocalAttack Complexity
HighAttack Requirements
PresentPrivileges Required
LowUser Interaction
ActiveConfidentiality
HighIntegrity
HighAvailability
HighSub Conf.
HighSub Integrity
HighSub Availability
HighCVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Rockwell Automation | Studio 5000 Logix Designer | affected V35.00, 34.00-34.02, 33.00-33.02, 32.00-32.04 and older | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1783.html | [email protected] | www.rockwellautomation.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.