OT/engineering runbook to: (1) patch Rockwell Arena, and (2) enforce Mark-of-the-Web (MotW) checks + sandbox handling for .DOE files.


1) Patch Arena immediately

  • Fixed builds: Rockwell’s advisory says Arena 16.20.10 or later remediates the latest memory-corruption bugs (CVE-2025-7025 / -7032 / -7033). Anything 16.20.09 or earlier is vulnerable. (Sources: Rockwell Automation advisory; CISA.)

  • Where to get: Follow the vendor advisory links from CISA; update to 16.20.10+. (Source: CISA.)

Quick verify on endpoints (PowerShell):

```powershell
# Report the installed Arena build on this endpoint; anything below 16.20.10 is vulnerable.
Get-Item "C:\Program Files*\Rockwell*\Arena*\Arena.exe" |
    Select-Object @{n='Computer';e={$env:COMPUTERNAME}},
                  @{n='Version';e={$_.VersionInfo.ProductVersion}},
                  DirectoryName
```

If < 16.20.10, schedule upgrade.


2) Enforce Mark-of-the-Web (MotW) so .DOE files from the Internet are treated as high risk

Set these policies so Windows preserves zone info and honors MotW everywhere:

A. Preserve zone information (Attachment Manager)

  • Policy: User Config → Administrative Templates → Windows Components → Attachment Manager → Do not preserve zone information in file attachments

  • State: Disabled (or Not Configured) = preserve MotW (recommended by Microsoft and the STIG). (Sources: Microsoft Support; STIG Viewer.)

B. Copying from “insecure sources” still gets MotW (Win 11 24H2 baseline)

  • Policy: Windows Components\File Explorer → Do not apply the Mark of the Web tag to files copied from insecure sources

  • State: Disabled (enforced in Microsoft’s security baseline). (Source: Microsoft Tech Community.)

C. Keep “Inclusion list for low file types” empty (don’t whitelist custom extensions like .DOE) under Attachment Manager. (Source: Microsoft Support.)

(Why this matters: the Arena vulnerabilities all require a user to open a malicious .DOE. MotW ensures extra prompts/inspection, raising friction on inbound files.)


3) Sandbox / isolate unknown .DOE before Arena opens them

Because DOE files must be opened by Arena to render, use an isolation pattern:

Option 1 — “Quarantine VM” for Arena

  • Deploy a dedicated, offline Hyper-V VM with Arena installed.

  • No NIC, or use an isolated vSwitch; no shared clipboards/drives.

  • Analysts/openers use this VM to inspect any DOE with MotW; revert to snapshot after use.
    (Most reliable for OT.)

Option 2 — Windows Sandbox (if feasible)

  • Enable Windows Sandbox (Windows Features) and map a review folder via a .wsb file; open DOE only inside the Sandbox. (Note: you must install Arena inside the Sandbox session or pre-script it; the Sandbox resets each run.) (Source: Microsoft Learn.)

Option 3 — “Gatekeeper” file association (prod endpoints)

  • Repoint the .DOE association to a wrapper that refuses files with MotW and only passes clean files to Arena.
    Example gate script:

```powershell
param([string]$File)

# Read the Zone.Identifier alternate data stream; it exists only on files
# carrying Mark-of-the-Web (downloaded or copied from an insecure source).
$motw = Get-Content -Path $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) {
    Write-Warning "Blocked: $File has Mark-of-the-Web."
    exit 1
}

# Clean file: hand it to Arena, quoting the path in case it contains spaces.
Start-Process "C:\Program Files\Rockwell Software\Arena\Arena.exe" -ArgumentList "`"$File`""
```
  • Deploy via Intune/GPO and set ftype/assoc so double-clicking .DOE launches this script, not Arena.
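A fuller gatekeeper that builds on the gate script above, added here as an example (not Rockwell's or this runbook's own code): it parses the ZoneId out of the Zone.Identifier stream, refuses to launch an Arena build older than 16.20.10, moves flagged files to a review folder for the isolated VM in Option 1, and writes an Application event the detections in section 5 can key on. The Arena path, the quarantine folder and the event source name DoeGate are assumed placeholders.

```powershell
# Hardened .DOE gatekeeper (added example). ArenaExe, Quarantine and the
# event source 'DoeGate' are assumed placeholders; adjust per site.
param(
    [Parameter(Mandatory = $true)][string]$File,
    [string]$ArenaExe    = 'C:\Program Files\Rockwell Software\Arena\Arena.exe',
    [string]$Quarantine  = 'C:\DOE-Quarantine',   # assumed review folder
    [version]$MinVersion = '16.20.10'             # first fixed build per the advisory
)

function Get-MotwZone([string]$Path) {
    # Returns the ZoneId from the Zone.Identifier ADS, $null when the stream is
    # absent (no MotW, or non-NTFS volume), or -1 when present but unparsable.
    # ZoneId 3 = Internet, 4 = Restricted Sites; 0-2 are local/intranet/trusted.
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return -1
}

function Write-GateEvent([string]$Message, [int]$EventId) {
    # Source must be registered once by an admin: New-EventLog -LogName Application -Source DoeGate
    try { Write-EventLog -LogName Application -Source DoeGate -EventId $EventId -EntryType Warning -Message $Message }
    catch { Write-Warning $Message }
}

$Full = (Resolve-Path -LiteralPath $File -ErrorAction Stop).Path
if ([IO.Path]::GetExtension($Full) -ne '.doe') { Write-GateEvent "Refused non-.DOE path: $Full" 1001; exit 1 }

# Fail closed if Arena is missing or older than the fixed build.
try   { $installed = [version](Get-Item -LiteralPath $ArenaExe -ErrorAction Stop).VersionInfo.ProductVersion }
catch { Write-GateEvent "Arena not found or version unreadable at $ArenaExe" 1002; exit 1 }
if ($installed -lt $MinVersion) { Write-GateEvent "Refused $Full : Arena $installed < $MinVersion, patch first" 1003; exit 1 }

$zone = Get-MotwZone $Full
if ($null -ne $zone -and ($zone -ge 3 -or $zone -lt 0)) {
    # Internet/Restricted origin (or an unparsable stream): quarantine for VM review.
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    $dest = Join-Path $Quarantine ('{0:yyyyMMdd-HHmmss}_{1}' -f (Get-Date), [IO.Path]::GetFileName($Full))
    Move-Item -LiteralPath $Full -Destination $dest
    Write-GateEvent "Quarantined $Full (ZoneId=$zone) to $dest" 1004
    exit 1
}

Write-GateEvent "Allowed $Full (ZoneId=$zone) into Arena $installed" 1000
Start-Process -FilePath $ArenaExe -ArgumentList ('"{0}"' -f $Full)
```

Event IDs 1000-1004 are arbitrary constructed values; map them to whatever your SIEM rule for section 5 expects.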


4) Ingress controls (email/web)

  • Strip/hold .DOE at secure email gateway / web proxy for non-engineering users.

  • Allow .DOE only from approved partner domains to a staging share scanned by AV/EDR.


5) EDR/Detection quick wins

  • Alert when Arena.exe spawns unusual child processes (e.g., cmd.exe, powershell.exe) or writes to Startup/Run keys after opening a DOE—classic exploit signs.

  • Create a watch for users opening .DOE directly from Downloads/Temp paths (and not from your vetted engineering share).


6) OT hygiene (CISA/Vendor guidance)

  • Track Arena versions fleet-wide; prioritize HMI/engineering workstations that interact with supplier models.

  • CISA notes these vulns are local/UI-required but enable arbitrary code execution via a malicious DOE; patch to 16.20.10+ and follow standard ICS isolation practices. (Source: CISA.)

  • Rockwell’s advisory confirms fixes and affected versions; upgrade even if you haven’t seen suspicious files. (Source: Rockwell Automation.)
