Mallory

Stack-Based Buffer Overflow Vulnerability in Rockwell Automation Devices Using Cisco IOS XE

Updated October 9, 2025 at 07:00 PM (2 sources)


Rockwell Automation has disclosed a stack-based buffer overflow vulnerability affecting several of its products that incorporate Cisco IOS XE Software. The flaw lies in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE, which Rockwell ships in its Stratix series switches and supports through several Lifecycle Services offerings; it is the Cisco SNMP issue tracked as CVE-2025-20352 in the related story below. The affected Stratix models are the 5700, 5400 and 5410 running firmware v15.2(8)E7 and prior, and the 5200 and 5800 running v17.17.01 and prior. Rockwell's Industrial Data Center (IDC) with Cisco Switching (Generations 1-5), and IDC-Managed Support, Network-Managed Support and Firewall-Managed Support contracts that include Cisco hardware, are also impacted. The vulnerability is remotely exploitable with low attack complexity by sending crafted SNMP packets over IPv4 or IPv6 to an affected device, but it is not unauthenticated: a denial-of-service (DoS) attack requires the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials, and arbitrary code execution as the root user additionally requires administrative (privilege 15) credentials for the device. Successful exploitation could let an attacker reload or take full control of the switch, a significant risk in the industrial control systems and critical infrastructure environments where these devices are deployed. The vulnerability carries a CVSS v4 base score of 6.3 (Medium). Rockwell Automation has advised customers to review their SNMP configurations, restrict SNMP access to trusted management hosts, and apply the corrected software or the available workarounds as soon as possible.
The vulnerability is particularly concerning because Cisco IOS XE is widely used in industrial environments and because the code-execution path yields root on the device. Both the Rockwell and CISA advisories emphasize network segmentation and access control to limit exposure: permit SNMP only from trusted management hosts, enable only the SNMP services that are actually needed, disable SNMPv1 and v2c where they are not required, and enforce authentication and encryption (auth and priv) for SNMPv3 users. Organizations are also urged to monitor for unusual SNMP activity, such as polling from unexpected sources or malformed requests. The disclosure highlights the risk that third-party software components carry into industrial automation products and the need for timely patch management and robust network defenses. The disclosure was coordinated with CISA, which has published advisories to inform and assist asset owners. The underlying Cisco SNMP vulnerability has already been exploited in the wild: Cisco reported active exploitation and CISA added it to its Known Exploited Vulnerabilities catalog (see the related story below), so exploitation is not merely feasible but observed, and any affected device whose community strings or SNMPv3 credentials may be known to an attacker should be treated as a remediation priority. The affected products are widely deployed in critical infrastructure sectors, making prompt remediation essential to prevent operational disruption or compromise.
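The SNMP review the advisories ask for is mechanical enough to script. The following Python audit is an added example, not code from Rockwell, Cisco or either advisory: it checks a Stratix firmware version against the affected ranges listed above and flags the SNMP settings in an IOS / IOS XE running-config that matter for this flaw (v1/v2c community strings, communities with no source ACL, read-write communities, and SNMPv3 groups that skip authentication or privacy). Both running-configs are constructed samples, the affected-version table contains only what the advisory summary states (it does not know the corrected versions), and the version comparison ignores train letters such as the "E" in 15.2(8)E7, which is an assumption that holds when comparing releases within one train.

```python
"""Audit an IOS / IOS XE running-config for the SNMP exposure the advisory
asks customers to review, and check a Stratix version against the affected
ranges it lists. Added example, not Rockwell or Cisco code; configs below
are constructed; train letters are ignored when comparing versions."""
import re
from dataclasses import dataclass

# Highest affected version per Stratix model, as listed in the advisory
# summary ("and prior" is affected). Corrected versions are not listed there.
AFFECTED_MAX = {
    "5700": "15.2(8)E7", "5400": "15.2(8)E7", "5410": "15.2(8)E7",
    "5200": "17.17.01", "5800": "17.17.01",
}

# Community strings every scanner tries first.
WELL_KNOWN = {"public", "private", "cisco", "admin"}

COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?"
    r"(?: (?P<acl>\S+))?\s*$", re.IGNORECASE)
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) v3 (?P<sec>noauth|auth|priv)\b",
    re.IGNORECASE)


def version_key(version: str) -> tuple:
    """15.2(8)E7 -> (15, 2, 8, 7); 17.17.01 -> (17, 17, 1). Assumption:
    the train letter is dropped, so only same-train comparisons are exact."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_in_affected_range(model: str, version: str):
    """True if version is at or below the highest affected version for the
    model, False if above it, None if the model is not in the table."""
    ceiling = AFFECTED_MAX.get(model)
    if ceiling is None:
        return None
    return version_key(version) <= version_key(ceiling)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    message: str


def audit_snmp_config(config_text: str) -> list:
    """Flag settings an attacker could use against the SNMP subsystem.
    Any community string enables v1/v2c (cleartext), and a read-only one is
    all the DoS path needs; RW or noauth/auth-only v3 widens the exposure."""
    findings = []
    snmp_seen = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("snmp-server"):
            continue
        snmp_seen = True
        m = COMMUNITY_RE.match(line)
        if m:
            name = m["name"]
            mode = (m["mode"] or "RO").upper()   # IOS defaults to RO
            if name.lower() in WELL_KNOWN:
                findings.append(Finding("high", f"well-known community {name!r} ({mode})"))
            if m["acl"] is None:
                findings.append(Finding("high", f"community {name!r} ({mode}) has no source ACL"))
            if mode == "RW":
                findings.append(Finding("high", f"community {name!r} is read-write"))
            continue
        m = GROUP_RE.match(line)
        if m:
            sec = m["sec"].lower()
            if sec == "noauth":
                findings.append(Finding("high", f"SNMPv3 group {m['name']!r} allows unauthenticated access"))
            elif sec == "auth":
                findings.append(Finding("medium", f"SNMPv3 group {m['name']!r} authenticates but does not encrypt"))
    if not snmp_seen:
        findings.append(Finding("info", "no snmp-server lines; SNMP agent not configured"))
    return findings


# Constructed sample of the legacy configuration the advisory asks customers to review.
WEAK_CONFIG = """\
hostname STRATIX-5700-CELL1
snmp-server community public RO
snmp-server community private RW
snmp-server group LEGACY v3 noauth
snmp-server enable traps
"""

# Constructed hardened version: SNMPv3 only, authenticated and encrypted,
# agent reachable from a single management host. Passwords are placeholders.
HARDENED_CONFIG = """\
hostname STRATIX-5700-CELL1
ip access-list standard SNMP-MGMT
 permit 10.10.0.5
 deny any log
snmp-server group NMS-ONLY v3 priv access SNMP-MGMT
snmp-server user nmspoller NMS-ONLY v3 auth sha AuthPassw0rd! priv aes 128 PrivPassw0rd!
"""

if __name__ == "__main__":
    for model, ver in [("5700", "15.2(8)E7"), ("5700", "15.2(8)E8"), ("5800", "17.17.01")]:
        print(f"Stratix {model} {ver}: in affected range = {is_in_affected_range(model, ver)}")
    for label, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(f"--- {label} ---")
        for f in audit_snmp_config(cfg):
            print(f"[{f.severity}] {f.message}")
```

Run against a saved `show running-config`, the weak sample yields six high findings (two well-known strings, both without an ACL, one read-write, one unauthenticated v3 group) and the hardened sample yields none; the script reports whether a version falls inside the listed affected range, not whether it is fixed, so confirm the corrected release with the vendor advisory.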


Related Stories

Active Exploitation of Cisco SNMP Vulnerability CVE-2025-20352 in IOS and IOS XE Devices

A high-severity security vulnerability, CVE-2025-20352, has been identified in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, affecting a wide range of Cisco networking devices. This stack overflow flaw allows remote attackers with valid SNMP credentials to send specially crafted SNMP packets over IPv4 or IPv6, causing a denial of service (DoS) by forcing the device to reload or, when the attacker also holds administrative (privilege 15) credentials, enabling remote code execution as root. The vulnerability affects all SNMP versions (v1, v2c, v3) and has been confirmed in both legacy and modern modular Cisco operating systems, including Meraki MS390 and Catalyst 9300 Series Switches running Meraki CS 17 and earlier. Reports indicate that up to 2 million devices globally, including those operated by ISPs and cloud providers, are potentially exposed. The flaw was discovered during a Cisco Technical Assistance Center (TAC) support case and has already been exploited in the wild, prompting its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog on September 29, 2025. The observed exploitation is a significant escalation: Cisco reported that the attacks followed the compromise of local administrator credentials, which is exactly the combination that turns this flaw from a crash into full device compromise as root. Rockwell Automation has issued an advisory confirming that its Lifecycle Services, specifically the Industrial Data Center (IDC) with Cisco Switching (Generations 1–5), are affected, and has provided guidance on corrected software versions and available workarounds. The vulnerability poses a substantial threat to the backbone of enterprise, industrial, and service provider networks, given the widespread deployment of affected Cisco devices. Cisco's advisory was published only after evidence of active exploitation had emerged, underscoring the urgency of patching and mitigation.
Organizations are strongly advised to update to the corrected Cisco software versions as soon as possible and to implement any recommended workarounds to reduce exposure. The incident highlights the ongoing risks associated with SNMP-enabled network infrastructure and the importance of credential management and network segmentation. Security teams should prioritize the identification of vulnerable devices and monitor for signs of exploitation. The rapid exploitation and large attack surface associated with CVE-2025-20352 make it a high-priority threat for organizations relying on Cisco networking equipment.

5 months ago

Denial-of-Service Vulnerabilities in Rockwell Automation 1715 EtherNet/IP Comms Module

Rockwell Automation has disclosed two denial-of-service (DoS) vulnerabilities affecting its 1715 EtherNet/IP Comms Module, versions 3.003 and prior. The vulnerabilities, CVE-2025-9177 and CVE-2025-9178, were detailed in advisories released by both Rockwell Automation and the Cybersecurity and Infrastructure Security Agency (CISA) on October 14, 2025. The first is an allocation of resources without limits or throttling (CWE-770) that lets a remote attacker crash the module's web server by sending a high volume of requests; the crash does not affect I/O control or communication, but a power cycle is required to restore the web server. The second is an out-of-bounds write (CWE-787) triggered by crafted CIP communication payloads, which also results in a DoS condition. Both are exploitable remotely with low attack complexity and require no user interaction or privileges. CISA assigned a CVSS v4 base score of 7.7 to CVE-2025-9177, indicating high severity. Rockwell Automation reports no known exploitation in the wild as of the advisory date. The company has released corrected versions to address the issues; no workarounds are available for affected systems, so CISA has urged users and administrators of the 1715 EtherNet/IP Comms Module to review the advisories and apply the updates as soon as possible. The vulnerabilities do not affect the module's core operational functions, but loss of web server access hinders remote management and monitoring, which is itself a meaningful impact in industrial environments where visibility and management depend on that interface.
Organizations using the affected modules are advised to assess their exposure and implement the recommended updates. The advisories also serve as a reminder of the need for robust network segmentation and monitoring in operational technology environments. Rockwell Automation has provided detailed technical information and remediation guidance in its product advisory. CISA’s alert reinforces the urgency of addressing these vulnerabilities to prevent potential operational disruptions. The coordinated disclosure and response demonstrate the critical role of vendor and government collaboration in protecting industrial control systems.

5 months ago

Denial-of-Service Vulnerability in Rockwell Automation Compact GuardLogix 5370

A high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2025-9124, has been identified in Rockwell Automation's Compact GuardLogix 5370 programmable logic controllers (PLCs). The fault is triggered when the controller receives a specifically crafted CIP (Common Industrial Protocol) unconnected explicit message, which causes a major non-recoverable fault. The affected PLC is then inoperable until it is manually reset or serviced, potentially disrupting industrial automation processes that rely on these controllers for safety and operational continuity. The vulnerability is remotely exploitable, so an attacker does not need physical access to the device to trigger the fault. Rockwell Automation has published security advisory SD1755 to inform customers and provide guidance; it confirms that the vulnerability has been corrected in updated product versions and that no workaround is available for unpatched systems. There is currently no evidence of exploitation in the wild, and the advisory does not list the issue as a Known Exploited Vulnerability. Rockwell emphasizes the importance of applying the corrective updates to mitigate the risk. The vulnerability has been assigned a CVSS v4 base score of 8.7, reflecting the potential for significant operational impact. The Compact GuardLogix 5370 line is widely used in industrial environments for safety-critical automation tasks. The specific affected versions have not been disclosed in the public advisories, so customers are urged to consult Rockwell Automation's official channels for the most current information. The vulnerability was disclosed and remediated on October 14, 2025, with the CVE and the vendor advisory published the same day.
Rockwell Automation's Product Security Incident Response Team (PSIRT) is credited as the source of the vulnerability report. Customers are advised to review their deployment of Compact GuardLogix 5370 controllers and apply the recommended updates as soon as possible to prevent potential service interruptions. The absence of a workaround underscores the urgency of patching, as operational continuity could be at risk if the vulnerability is exploited. Organizations should also review their network segmentation and access controls to limit exposure of industrial control systems to untrusted networks.

5 months ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.