Critical Rockwell NAT Router Flaw (CVE-2025-7328, CVSS 10.0) Allows Unauthenticated Admin Takeover

Rockwell Automation has published a new security advisory warning customers about three vulnerabilities affecting its 1783-NATR Network Address Translation (NAT) router, including one critical authentication bypass flaw that could allow full administrative takeover of affected devices.

The issues — tracked as CVE-2025-7328, CVE-2025-7329, and CVE-2025-7330 — impact firmware version 1.006 and prior, and are fixed in version 1.007 and later.

The 1783-NATR is a configurable NAT router designed to provide 1:1 IP address mapping between machine and control networks. It is widely used in industrial automation environments to simplify network segmentation and enable secure connectivity between controllers, HMIs, and enterprise systems.

However, according to Rockwell, multiple flaws could expose these critical devices to network-level attacks if left unpatched.

The most severe flaw, CVE-2025-7328, is rated CVSS 10.0. Rockwell warns that “multiple Broken Authentication security issues exist in the affected product” and that these stem from “missing authentication checks on critical functions.”

“These could result in potential denial-of-service, admin account takeover, or NAT rule modifications,” the advisory states. “Devices would no longer be able to communicate through NATR as a result of denial-of-service or NAT rule modifications. Admin account takeover could allow modification of configuration and require physical access to restore.”

In practical terms, this means that a remote attacker on the network could modify routing configurations, disrupt communications, or even gain administrative control of the router without proper authorization.

The second vulnerability, CVE-2025-7329, is a stored Cross-Site Scripting (XSS) issue with a CVSS score of 8.4.

“A Stored Cross-Site Scripting security issue exists in the affected product that could potentially allow a malicious user to view and modify sensitive data or make the webpage unavailable,” Rockwell noted.

The flaw arises from “missing special character filtering and encoding”, enabling an attacker to inject malicious JavaScript into configuration fields. Successful exploitation, however, requires access to the administrative interface.

The third vulnerability, CVE-2025-7330, concerns a Cross-Site Request Forgery (CSRF) condition in affected firmware versions.

According to Rockwell:

“The vulnerability stems from missing CSRF checks on the impacted form. This allows for unintended configuration modification if an attacker can convince a logged-in admin to visit a crafted link.”

This type of attack could be used to silently alter NAT configurations or disable security rules without the administrator’s knowledge.

Rockwell Automation strongly advises customers to upgrade to firmware version 1.007 or later to address all three vulnerabilities. The company confirmed that none of the CVEs are currently listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

For customers unable to patch immediately, Rockwell recommends following its security best practices, including network segmentation, restricting access to trusted hosts, and minimizing exposure of industrial devices to public networks.

Related Posts:

• Critical Vulnerabilities Found in Rockwell Automation FactoryTalk ThinManager
• High-Severity Flaws in Rockwell Arena Simulation Expose Industrial Systems to Memory Abuse
• GitLab Patches High-Severity Flaws: Update Now to Prevent XSS and Account Takeover