
Vulnerabilities in Rexroth IndraWorks

BOSCH-SA-591522

Advisory Information

Summary

Trend Micro has identified multiple vulnerabilities in Rexroth IndraWorks which affect both IndraWorks itself and utilities that are shipped as part of the package. In the worst case, a successful attack leads to remote code execution.

Affected Products

  • Rexroth IndraWorks
    • CVE-2025-60035, CVE-2025-60036
      • Version(s): < 15V24
    • CVE-2025-60037, CVE-2025-60038
      • Version(s): all
  • Rexroth UA.Testclient
    • CVE-2025-60036
      • Version(s): < 2.9.0

Solution and Mitigations

Solution

IndraWorks 15V24 will be released on 27.02.2026 and contains fixes for the following CVEs:

  • CVE-2025-60035
  • CVE-2025-60036

For CVE-2025-60037 and CVE-2025-60038 updated versions of IndraWorks will become available later. This advisory will be updated as soon as those versions are available.

Users are strongly advised to update to IndraWorks 15V24 as soon as the updates become available. Please contact your sales partner for instructions on how to retrieve the update.

Starting with IndraWorks 15V24, UA.TestClient (affected by CVE-2025-60036) has been removed from the package entirely. Users of the application are advised to install the standalone package, which is available in the Collaboration Room. UA.TestClient 2.9.0 and higher contain the fixes for CVE-2025-60036.

Mitigation

Until updates become available, and for use cases in which updates are not possible, users are advised to only open and process files from trustworthy sources.

Vulnerability Details

CVE-2025-60035

CVE description: A vulnerability has been identified in the OPC.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. This flaw allows an attacker to execute arbitrary code on the user’s system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running the OPC.Testclient.

CVE-2025-60036

CVE description: A vulnerability has been identified in the UA.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. This flaw allows an attacker to execute arbitrary code on the user’s system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running the UA.Testclient.

CVE-2025-60037

CVE description: A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user’s system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running Rexroth IndraWorks.

CVE-2025-60038

CVE description: A vulnerability has been identified in Rexroth IndraWorks. This flaw allows an attacker to execute arbitrary code on the user’s system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running Rexroth IndraWorks.

Remarks

Security Update Information

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

CVSS Scoring

Vulnerability classification has been performed using the CVSS v3.1 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

  • 13 Feb 2026: Initial Publication

Appendix

Acknowledgement

The vulnerabilities were uncovered and responsibly disclosed by Trend Micro. We thank them for their responsible disclosure to us.