Vulnerabilities in Rexroth IndraWorks
BOSCH-SA-591522
Advisory Information
- Advisory ID: BOSCH-SA-591522
- CVE Numbers and CVSS v3.1 Scores:
  - CVE-2025-60035: Base Score 7.8 (High)
  - CVE-2025-60036: Base Score 7.8 (High)
  - CVE-2025-60037: Base Score 7.8 (High)
  - CVE-2025-60038: Base Score 7.8 (High)
- Published: 13 Feb 2026
- Last Updated: 27 Feb 2026
Summary
Trend Micro has identified multiple vulnerabilities in Rexroth IndraWorks which affect both IndraWorks itself and utilities that are shipped as part of the package. In the worst case, a successful attack leads to remote code execution.
Affected Products
- Rexroth IndraWorks
  - CVE-2025-60035, CVE-2025-60036: Version(s): < 15V24
  - CVE-2025-60037, CVE-2025-60038: Version(s): all
- Rexroth OPC DA Client
  - CVE-2025-60035: Version(s): < v33.0.0.0
- Rexroth UA.TestClient
  - CVE-2025-60036: Version(s): < 2.9.0
Solution and Mitigations
Solution
A bugfix for CVE-2025-60035 (OPC DA Client) has been made available in the downloads area of Bosch Rexroth.
A bugfix for CVE-2025-60036 (UA.TestClient) has been made available in the Collaboration Rooms of Bosch Rexroth.
Users of each application are strongly advised to download the standalone package and to replace the vulnerable version in the IndraWorks installation folder.
IndraWorks 15V24 will be shipped with an OPC DA Client version that is not affected by the vulnerability. Please note that starting with IndraWorks 15V24, UA.TestClient has been removed from the package entirely.
Mitigation
To maintain backwards compatibility with prior versions of IndraWorks, CVE-2025-60037 and CVE-2025-60038 cannot be resolved. To be affected by these vulnerabilities, a user must import a file that has been manipulated by an attacker. Therefore, users of IndraWorks are advised to only open and process files from trustworthy sources.
Vulnerability Details
CVE-2025-60035
CVE description: A vulnerability has been identified in the OPC DA Client utility, which is included in Rexroth IndraWorks and is also available as a separate download. All standalone versions prior to v33.0.0.0, and the version included in IndraWorks prior to 15V24, are affected. This flaw allows an attacker to execute arbitrary code on the user's system by having the application parse a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running the OPC DA Client.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Base Score: 7.8 (High)
CVE-2025-60036
CVE description: A vulnerability has been identified in the UA.TestClient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. This flaw allows an attacker to execute arbitrary code on the user's system by having the application parse a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running the UA.TestClient.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Base Score: 7.8 (High)
CVE-2025-60037
CVE description: A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user’s system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running Rexroth IndraWorks.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Base Score: 7.8 (High)
CVE-2025-60038
CVE description: A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user’s system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running Rexroth IndraWorks.
- Problem Type:
- CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Base Score: 7.8 (High)
Remarks
Security Update Information
With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:
It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.
Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.
CVSS Scoring
Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer's environment and should be determined by the customer to arrive at a final score.
Additional Resources
- [1] Bosch Rexroth Advisory: https://www.boschrexroth.com/en/dc/product-security/security-advisories/
- [2] Bosch Rexroth OPC DA Client: https://www.boschrexroth.com/de/de/media-details/2f969694-b755-407f-9d02-8f86aee0e98c
- [3] Bosch Rexroth UA.TestClient: https://www.boschrexroth.com/de/de/myrexroth/collaboration/collaboration-rooms/?path=/Ctrlx-Automation/ctrlX_eShop/ctrlX%20CORE%20-%20OPC%20UA%20Apps
Please contact the Bosch PSIRT if you have feedback, comments, or additional information about these vulnerabilities at: psirt@bosch.com.
Revision History
- 27 Feb 2026: Update as patch is available
- 13 Feb 2026: Initial Publication
Appendix
Acknowledgement
The vulnerabilities were uncovered and disclosed responsibly by Trend Micro. We thank them for their responsible disclosure to us.