CVE-2025-14377 - Vulnerability Details - OpenCVE

A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Rockwellautomation	Verve Asset Manager

No data.

No data.

References

Link	Providers
https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html

History

Wed, 21 Jan 2026 11:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Rockwellautomation Rockwellautomation verve Asset Manager
Vendors & Products		Rockwellautomation Rockwellautomation verve Asset Manager

Tue, 20 Jan 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 20 Jan 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024.
Title		Verve Asset Manager – Plaintext Storage Vulnerabilities
Weaknesses		CWE-312
References		https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html
Metrics		cvssV4_0 `{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H'}`

MITRE

Status: PUBLISHED

Assigner: Rockwell

Published: 2026-01-20T13:21:40.649Z

Updated: 2026-01-20T16:09:48.026Z

Reserved: 2025-12-09T19:02:29.784Z

Link: CVE-2025-14377

Vulnrichment

Updated: 2026-01-20T16:09:44.352Z

NVD

Status : Received

Published: 2026-01-20T14:16:07.510

Modified: 2026-01-20T14:16:07.510

Link: CVE-2025-14377

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14377", "assignerOrgId": "b73dd486-f505-4403-b634-40b078b177f0", "state": "PUBLISHED", "assignerShortName": "Rockwell", "dateReserved": "2025-12-09T19:02:29.784Z", "datePublished": "2026-01-20T13:21:40.649Z", "dateUpdated": "2026-01-20T16:09:48.026Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Verve Asset Manager", "vendor": "Rockwell Automation", "versions": [{"status": "affected", "version": "1.33 1.34 1.35 1.36 1.37 1.38 1.39 1.40 1.41 1.41.1 1.41.2 1.41.3"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>"}], "value": "A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-312", "description": "CWE-312: Cleartext Storage of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b73dd486-f505-4403-b634-40b078b177f0", "shortName": "Rockwell", "dateUpdated": "2026-01-20T13:21:54.152Z"}, "references": [{"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Fully removed in 1.42 (Optional component since 1.36)</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n<br>"}], "value": "Fully removed in 1.42 (Optional component since 1.36)"}], "source": {"advisory": "SD1767", "discovery": "INTERNAL"}, "title": "Verve Asset Manager \u2013 Plaintext Storage Vulnerabilities", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T16:09:31.421600Z", "id": "CVE-2025-14377", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T16:09:48.026Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14377", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-20T16:09:31.421600Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T16:09:44.352Z"}}], "cna": {"title": "Verve Asset Manager \u2013 Plaintext Storage Vulnerabilities", "source": {"advisory": "SD1767", "discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Rockwell Automation", "product": "Verve Asset Manager", "versions": [{"status": "affected", "version": "1.33 1.34 1.35 1.36 1.37 1.38 1.39 1.40 1.41 1.41.1 1.41.2 1.41.3"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Fully removed in 1.42 (Optional component since 1.36)", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Fully removed in 1.42 (Optional component since 1.36)</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n<br>", "base64": false}]}], "references": [{"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-312", "description": "CWE-312: Cleartext Storage of Sensitive Information"}]}], "providerMetadata": {"orgId": "b73dd486-f505-4403-b634-40b078b177f0", "shortName": "Rockwell", "dateUpdated": "2026-01-20T13:21:54.152Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14377", "state": "PUBLISHED", "dateUpdated": "2026-01-20T16:09:48.026Z", "dateReserved": "2025-12-09T19:02:29.784Z", "assignerOrgId": "b73dd486-f505-4403-b634-40b078b177f0", "datePublished": "2026-01-20T13:21:40.649Z", "assignerShortName": "Rockwell"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024."}], "id": "CVE-2025-14377", "lastModified": "2026-01-20T14:16:07.510", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "PSIRT@rockwellautomation.com", "type": "Secondary"}]}, "published": "2026-01-20T14:16:07.510", "references": [{"source": "PSIRT@rockwellautomation.com", "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html"}], "sourceIdentifier": "PSIRT@rockwellautomation.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "PSIRT@rockwellautomation.com", "type": "Secondary"}]}