Advisory Details
Bosch Rexroth IndraWorks Print Settings File Parsing Deserialization Of Untrusted Data Remote Code Execution Vulnerability
ZDI-26-110
ZDI-CAN-28112
• This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bosch Rexroth IndraWorks. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
• The specific flaw exists within the parsing of Print Settings files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user.
• 2025-10-09 - Vulnerability reported to vendor
• 2026-02-19 - Coordinated public release of advisory
• 2026-02-19 - Advisory Updated
Advisory Details
Bosch Rexroth IndraWorks OPC.TestClient XML File Parsing Deserialization Of Untrusted Data Remote Code Execution Vulnerability
ZDI-26-109
ZDI-CAN-27994
• This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bosch Rexroth IndraWorks.
Article Summaries:
- Bosch Rexroth has disclosed two high‑severity vulnerabilities (CVE‑2025‑60037 and CVE‑2025‑60038) affecting its IndraWorks product. The flaws arise from inadequate validation of user‑supplied Print Settings files, allowing attackers to trigger deserialization of untrusted data. Remote code execution is possible when a user opens a malicious file or visits a malicious page, enabling the attacker to run code with the current user’s privileges. The CVSS score is 7.8, with impacts on confidentiality, integrity, and availability. Bosch Rexroth has released a patch and provided details on its security advisory page.
- Bosch Rexroth has disclosed a remote‑code‑execution vulnerability (CVE‑2025‑60035) affecting its IndraWorks OPC.TestClient component. The flaw lies in the XML file parsing routine, which fails to validate user‑supplied data, allowing an attacker to trigger deserialization of untrusted content. Exploitation requires user interaction, such as visiting a malicious webpage or opening a crafted file, and would run arbitrary code with the current user’s privileges. The vendor has released a patch to address the issue and urges affected installations to update promptly. The CVSS score is 7.8 (High).
- Bosch Rexroth has disclosed a remote‑code‑execution flaw (CVE‑2025‑60036) affecting its IndraWorks software. The vulnerability lies in the UA.TestClient component's XML file parser, which fails to validate untrusted data, allowing an attacker to trigger deserialization and run arbitrary code with the current user's privileges when that user opens a malicious file or visits a malicious page. The CVSS base score is 7.8 (High): exploitation requires user interaction, and the impact is high. A patch has been released; users are urged to update via the company's security advisory page. The issue was reported by security researcher "kimiya."
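All of the advisories above describe the same CWE-502 pattern: a file the user opens (Print Settings, or an XML file for the OPC/UA test clients) supplies data that the application turns directly into objects, and because that data is never validated the file can steer the reconstruction step into running code. The Python sketch below is an added illustration, not code from IndraWorks, Bosch Rexroth or ZDI, and the page does not describe the real file format. It assumes a hypothetical print-settings XML in which a `type` attribute names the converter for each value: the unsafe loader resolves whatever dotted name the file asks for, so a crafted file can name `builtins.eval` and run an expression inside the process as the current user; the hardened loader accepts only a fixed allowlist of converters, bounds the input, and rejects everything else. The element names, the `type` mechanism, and both sample files are constructed for the example.

```python
"""Type-name-driven settings loading: the unsafe pattern beside an allowlisted fix.

Added example for the advisories above; the XML layout and the `type`
attribute mechanism are assumptions, not IndraWorks' real format.
"""
import importlib
import os
import xml.etree.ElementTree as ET

# Constructed sample file a legitimate user might save (hypothetical schema).
BENIGN_SETTINGS = """<?xml version="1.0"?>
<printSettings>
  <setting name="copies" type="int">2</setting>
  <setting name="scale" type="float">0.85</setting>
  <setting name="printer" type="str">PLC-Lab-1</setting>
</printSettings>
"""

# Constructed crafted file: same schema, but the "type" attribute now names a
# callable that evaluates its text as code. Opening it is enough.
MALICIOUS_SETTINGS = """<?xml version="1.0"?>
<printSettings>
  <setting name="copies" type="builtins.eval">__import__("os").getpid()</setting>
</printSettings>
"""


def _resolve_callable(dotted_name):
    """Turn "module.attr" (or a bare builtin name) into the object it names.

    This trusts the file completely: any importable callable is reachable.
    """
    module_name, _, attr = dotted_name.rpartition(".")
    module = importlib.import_module(module_name or "builtins")
    return getattr(module, attr)


def load_settings_unsafe(xml_text):
    """VULNERABLE: the file chooses which callable reconstructs each value.

    Nothing checks the type name, so a crafted file can select
    builtins.eval (or subprocess helpers, etc.) and run code in this
    process, with the privileges of whoever opened the file.
    """
    root = ET.fromstring(xml_text)
    settings = {}
    for el in root.findall("setting"):
        factory = _resolve_callable(el.get("type"))
        settings[el.get("name")] = factory(el.text or "")
    return settings


# Allowlist: the only converters a settings file may request, keyed by the
# exact strings permitted in the "type" attribute. No module lookup at all.
ALLOWED_TYPES = {
    "int": int,
    "float": float,
    "str": str,
    "bool": lambda s: {"true": True, "false": False}[s.strip().lower()],
}
MAX_SETTINGS = 256      # bound the work one file can cause
MAX_VALUE_LEN = 1024


def load_settings_safe(xml_text):
    """HARDENED: values are built only through ALLOWED_TYPES; all else is rejected."""
    root = ET.fromstring(xml_text)
    if root.tag != "printSettings":
        raise ValueError(f"unexpected root element {root.tag!r}")
    entries = root.findall("setting")
    if len(entries) > MAX_SETTINGS:
        raise ValueError("too many settings")
    settings = {}
    for el in entries:
        name, type_name = el.get("name"), el.get("type")
        if not name or not name.isidentifier():
            raise ValueError(f"invalid setting name {name!r}")
        if type_name not in ALLOWED_TYPES:
            raise ValueError(f"setting {name!r}: type {type_name!r} is not allowed")
        raw = (el.text or "").strip()
        if len(raw) > MAX_VALUE_LEN:
            raise ValueError(f"setting {name!r}: value too long")
        try:
            settings[name] = ALLOWED_TYPES[type_name](raw)
        except (ValueError, KeyError) as exc:
            raise ValueError(f"setting {name!r}: malformed {type_name} value") from exc
    return settings


def unsafe_loader_ran_code():
    """True when merely loading the crafted file evaluated our expression in-process."""
    return load_settings_unsafe(MALICIOUS_SETTINGS)["copies"] == os.getpid()


def safe_loader_rejects(xml_text):
    """True when the hardened loader refuses the file instead of acting on it."""
    try:
        load_settings_safe(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe, benign :", load_settings_unsafe(BENIGN_SETTINGS))
    print("unsafe, crafted:", load_settings_unsafe(MALICIOUS_SETTINGS), "(code ran)")
    print("safe, benign   :", load_settings_safe(BENIGN_SETTINGS))
    print("safe, crafted  : rejected =", safe_loader_rejects(MALICIOUS_SETTINGS))
```

The fix is not a smarter type resolver but the removal of the resolver: the file may only name entries in a closed table, and the parser checks the element, attribute and value shapes before constructing anything. The same discipline applies to any serializer that lets a document name the class it deserializes into.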
Sources: