
Rockwell Automation has released a security advisory addressing a vulnerability in Verve Asset Manager. The advisory details a flaw that could allow a threat actor with administrative access to execute arbitrary commands.
The vulnerability, tracked as CVE-2025-1449, affects Verve Asset Manager versions up to and including 1.39. The issue has been corrected in software revision V1.40. The vulnerability carries a CVSS v3.1 base score of 9.1, placing it in the critical severity range.
The root cause of the vulnerability is “insufficient variable sanitizing” within a specific part of the administrative web interface. This interface is related to Verve’s Legacy Agentless Device Inventory (ADI) capability, which has been deprecated since the 1.36 release.
According to the advisory, successful exploitation of this vulnerability could enable a threat actor with administrative access to “run arbitrary commands in the context of the container running the service.”
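To make the "insufficient variable sanitizing" root cause concrete, the following Python snippet is an added illustration written for this page; it is not Verve Asset Manager code and nothing about the product's real implementation is known beyond the advisory text. It models a hypothetical inventory-probe handler in an administrative web interface that takes an admin-supplied hostname and builds an OS command from it. It contrasts three approaches: interpolating the variable into a shell string (the vulnerable pattern), a naive blocklist "sanitizer" that is still insufficient, and an allowlist validator that passes the value as a single argv element so no shell ever parses it. The `ping` command, the hostname pattern and the sample inputs are all constructed assumptions.

```python
from __future__ import annotations

import re
import subprocess

# Strict allowlist for a DNS-style hostname (labels of letters, digits and
# hyphens, joined by dots). Assumed policy for this hypothetical handler.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_probe_command_vulnerable(hostname: str) -> str:
    """Vulnerable pattern: the admin-supplied variable is spliced into a
    shell command line with no validation, so any shell metacharacters in
    it become part of what the shell executes (in a container, that means
    running as whatever the service runs as)."""
    return f"ping -c 1 {hostname}"


def sanitize_naive(hostname: str) -> str:
    """Insufficient sanitizing: stripping a couple of separators feels like a
    fix but leaves pipes, subshells, newlines and redirections untouched."""
    return hostname.replace(";", "").replace("&", "")


def build_probe_command_hardened(hostname: str) -> list[str]:
    """Hardened pattern: validate against an allowlist of what a hostname may
    look like and reject everything else, then pass the value as one argv
    element so it is never interpreted by a shell."""
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["ping", "-c", "1", hostname]


def run_probe(argv: list[str]) -> int:
    # shell=False: argv goes straight to execve(), no shell parsing at all.
    return subprocess.run(argv, shell=False, capture_output=True).returncode


def is_shell_safe(value: str) -> bool:
    """Helper a code reviewer can apply to any value headed for a shell:
    True only if the value passes the same allowlist the hardened path uses."""
    return HOSTNAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    tainted = "device01; echo injected"          # constructed sample input
    print(build_probe_command_vulnerable(tainted))  # injected text rides along
    print(sanitize_naive("device01 | echo injected"))  # pipe survives naive filter
    try:
        build_probe_command_hardened(tainted)
    except ValueError as err:
        print(err)
    print(run_probe(build_probe_command_hardened("localhost")))
```

The point the example makes is the one behind the advisory's wording: a blocklist that removes a few characters is "sanitizing", but it is insufficient, whereas an allowlist plus argument-vector execution removes the shell from the data path entirely. The same review question applies to any administrative endpoint that shells out, deprecated or not.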
Rockwell Automation advises customers who cannot immediately upgrade to the corrected software version to apply general security best practices in the meantime. However, the advisory emphasizes that upgrading to V1.40 is the definitive remediation.