CVE-2025-60036

A vulnerability has been identified in the UA.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running the UA.Testclient.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://psirt.bosch.com/security-advisories/BOSCH-SA-591522.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:bosch:rexroth_indraworks::::::::
	cpe:2.3:a:bosch:rexroth_ua.testclient::::::::

History

24 Feb 2026, 16:02

Type	Values Removed	Values Added
First Time		Bosch rexroth Indraworks Bosch rexroth Ua.testclient Bosch
References	~~() https://psirt.bosch.com/security-advisories/BOSCH-SA-591522.html -~~	() https://psirt.bosch.com/security-advisories/BOSCH-SA-591522.html - Vendor Advisory
CPE		cpe:2.3:a:bosch:rexroth_indraworks:::::::: cpe:2.3:a:bosch:rexroth_ua.testclient::::::::

18 Feb 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-18 14:16

Updated : 2026-02-24 16:02

NVD link : CVE-2025-60036

Mitre link : CVE-2025-60036

CVE.ORG link : CVE-2025-60036

JSON object : View

Products Affected

bosch

rexroth_indraworks
rexroth_ua.testclient

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-60036", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@bosch.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-02-18T14:16:04.663", "references": [{"url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-591522.html", "tags": ["Vendor Advisory"], "source": "psirt@bosch.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@bosch.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in the UA.Testclient utility, which is included in Rexroth IndraWorks. All versions prior to 15V24 are affected. This flaw allows an attacker to execute arbitrary code on the user's system by parsing a manipulated file containing malicious serialized data. Exploitation requires user interaction, specifically opening a specially crafted file, which then causes the application to deserialize the malicious data, enabling Remote Code Execution (RCE). This can lead to a complete compromise of the system running the UA.Testclient."}], "lastModified": "2026-02-24T16:02:09.847", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bosch:rexroth_indraworks:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B23F6D2-E822-4E76-808D-B110D6EA4E04", "versionEndExcluding": "15v24"}, {"criteria": "cpe:2.3:a:bosch:rexroth_ua.testclient:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15925640-7573-4498-8D03-02C3289B8CF1", "versionEndExcluding": "2.9.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@bosch.com"}