Four memory corruption bugs in Rockwell Automation's Arena simulation software could let an attacker execute arbitrary code — no network access required, just a booby-trapped file.
CISA published an advisory on July 16 covering CVE-2026-8085, CVE-2026-8312, CVE-2026-8313, and CVE-2026-8314. All four are out-of-bounds write flaws (CWE-787) scattered across separate components of Arena's Siman engine: model.exe, expmt.exe, linker.exe, and siman.exe. Every version up to and including V17.00.00 is affected. The attack path is the same in each case — a user opens a malicious file, the software fails to validate the input, memory gets clobbered, and the attacker's code runs. CVSS v3 scores land at 7.8 (High) across the board. Researcher Michael Heinzl reported all four to CISA. The fix is V17.00.01.
Arena is discrete-event simulation software used in critical manufacturing environments — factories and production lines where simulation outputs inform real operational decisions. Four separate executable components sharing the same class of memory bug suggests a systemic input-validation gap in the Siman engine, not four isolated oversights. That's worth noting before anyone assumes a single patch is the end of the story.
Rockwell's guidance is to update immediately, isolate control-system networks behind firewalls, and avoid direct internet exposure — advice that applies to essentially every ICS deployment and shouldn't need repeating in 2026, yet apparently still does.