Stack-Based Buffer Overflow Vulnerability in Rockwell Automation Devices Using Cisco IOS XE
Rockwell Automation has disclosed a critical stack-based buffer overflow vulnerability affecting several of its products that utilize Cisco IOS XE Software. The vulnerability resides in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE, which is integrated into Rockwell Automation's Stratix series switches and various Lifecycle Services offerings. Specifically, the affected Stratix models include the 5700, 5400, 5410, 5200, and 5800, with vulnerable firmware versions identified as v15.2(8)E7 and prior for the 5700, 5400, and 5410, and v17.17.01 and prior for the 5200 and 5800. Additionally, Rockwell Automation's Industrial Data Center (IDC) with Cisco Switching (Generations 1-5), IDC-Managed Support contracts, Network-Managed Support contracts, and Firewall-Managed Support contracts with Cisco hardware are also impacted. The vulnerability can be exploited remotely with low attack complexity, requiring only SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials for a denial-of-service (DoS) attack. For arbitrary code execution as the root user, an attacker would need SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials with administrative or privilege 15 access. Exploitation is possible by sending crafted SNMP packets over IPv4 or IPv6 networks to the affected devices. Successful exploitation could allow an attacker to execute arbitrary code or cause a DoS condition, posing significant risks to industrial control systems and critical infrastructure environments where these devices are deployed. The vulnerability is rated with a CVSS v4 base score of 6.3, indicating a medium to high severity. Rockwell Automation has advised customers to review their SNMP configurations, restrict network access to trusted sources, and apply available patches or mitigations as soon as possible. The vulnerability is considered particularly concerning due to the widespread use of Cisco IOS XE in industrial environments and the potential for attackers to gain elevated privileges. Both advisories emphasize the importance of following best practices for network segmentation and access control to limit exposure. Organizations are urged to monitor for unusual SNMP activity and to ensure that only necessary SNMP services are enabled. The advisories also recommend disabling unused SNMP versions and enforcing strong authentication for SNMPv3. This vulnerability highlights the risks associated with third-party software components in industrial automation products and underscores the need for timely patch management and robust network defenses. The disclosure was coordinated with CISA, which has published advisories to inform and assist asset owners in mitigating the threat. No reports of active exploitation have been confirmed at the time of disclosure, but the technical details suggest that exploitation would be feasible for attackers with appropriate credentials. The affected products are widely deployed in critical infrastructure sectors, making prompt remediation essential to prevent potential operational disruptions or compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CISA publishes advisory on Rockwell Automation Stratix
CISA published a separate ICS advisory concerning Rockwell Automation Stratix. The reference provides no further technical synopsis, but the publication marks a distinct disclosed security event involving the product line.
CISA publishes advisory on Rockwell Automation Lifecycle Services vulnerability
CISA published an ICS advisory for a stack-based buffer overflow vulnerability, CVE-2025-20352, affecting Rockwell Automation Industrial Data Center and related managed support contracts using Cisco IOS XE Software. The advisory said the flaw could allow authenticated attackers to cause denial of service or, with higher privileges, execute arbitrary code as root, and noted mitigations were available with no known public exploitation reported.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Cisco SNMP Vulnerability CVE-2025-20352 in IOS and IOS XE Devices
A critical security vulnerability, CVE-2025-20352, has been identified in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, affecting a wide range of Cisco networking devices. This stack overflow flaw allows remote attackers with valid SNMP credentials to send specially crafted SNMP packets over IPv4 or IPv6, potentially causing denial-of-service (DoS) by forcing device reloads or, in more severe cases, enabling remote code execution as root. The vulnerability impacts all SNMP versions (v1, v2c, v3) and has been confirmed to affect both legacy and modern modular Cisco operating systems, including Meraki MS390 and Catalyst 9300 Series Switches running Meraki CS 17 and earlier. Reports indicate that up to 2 million devices globally, including those operated by ISPs and cloud providers, are potentially exposed to this vulnerability. The flaw was discovered during a Cisco Technical Assistance Center (TAC) support case and has already been exploited in the wild, prompting its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog on September 29th, 2025. The exploitation of this vulnerability represents a significant escalation, as attackers have demonstrated the ability to gain administrator-level credentials and full device compromise. Rockwell Automation has issued an advisory confirming that its Lifecycle Services, specifically the Industrial Data Center (IDC) with Cisco Switching (Generations 1–5), are affected by this vulnerability. Rockwell has provided guidance on corrected software versions and available workarounds to mitigate the risk. The vulnerability poses a substantial threat to the backbone of enterprise, industrial, and service provider networks, given the widespread deployment of affected Cisco devices. Cisco’s response to the incident was initiated only after evidence of active exploitation emerged, underscoring the urgency of patching and mitigation. Organizations are strongly advised to update to the corrected Cisco software versions as soon as possible and to implement any recommended workarounds to reduce exposure. The incident highlights the ongoing risks associated with SNMP-enabled network infrastructure and the importance of credential management and network segmentation. Security teams should prioritize the identification of vulnerable devices and monitor for signs of exploitation. The rapid exploitation and large attack surface associated with CVE-2025-20352 make it a high-priority threat for organizations relying on Cisco networking equipment.
Mar 21, 2026
Denial-of-Service Vulnerabilities in Rockwell Automation 1715 EtherNet/IP Comms Module
Rockwell Automation has disclosed two denial-of-service (DoS) vulnerabilities affecting its 1715 EtherNet/IP Comms Module, specifically versions 3.003 and prior. The vulnerabilities, identified as CVE-2025-9177 and CVE-2025-9178, were detailed in advisories released by both Rockwell Automation and the Cybersecurity and Infrastructure Security Agency (CISA) on October 14, 2025. The first vulnerability involves allocation of resources without limits or throttling (CWE-770), which allows a remote attacker to crash the web server by sending a high volume of requests. Although this crash does not impact I/O control or communication, a power cycle is required to restore web server functionality. The second vulnerability is an out-of-bounds write (CWE-787) that can be triggered through crafted CIP communication payloads, also resulting in a denial-of-service condition. Both vulnerabilities are exploitable remotely with low attack complexity, and no user interaction or privileges are required for exploitation. CISA assigned a CVSS v4 base score of 7.7 to CVE-2025-9177, indicating a high severity risk. Rockwell Automation has confirmed that these vulnerabilities have not been exploited in the wild as of the advisory date. The company has released corrected versions to address the issues, but no workarounds are available for affected systems. CISA has urged users and administrators of the 1715 EtherNet/IP Comms Module to review the advisories and apply mitigations as soon as possible. The vulnerabilities do not affect the core operational functions of the module, but the loss of web server access could hinder remote management and monitoring. Both advisories emphasize the importance of timely patching and following best practices for securing industrial control systems. The vulnerabilities highlight ongoing risks in industrial automation environments, where denial-of-service attacks can disrupt visibility and management even if core processes remain unaffected. Organizations using the affected modules are advised to assess their exposure and implement the recommended updates. The advisories also serve as a reminder of the need for robust network segmentation and monitoring in operational technology environments. Rockwell Automation has provided detailed technical information and remediation guidance in its product advisory. CISA’s alert reinforces the urgency of addressing these vulnerabilities to prevent potential operational disruptions. The coordinated disclosure and response demonstrate the critical role of vendor and government collaboration in protecting industrial control systems.
Mar 21, 2026
Rockwell Automation ICS Products Hit by Authentication, Authorization, DoS, and RCE Flaws
CISA republished multiple Rockwell Automation advisories covering vulnerabilities across **FactoryTalk Analytics PavilionX**, **RSLinx Classic**, **CompactLogix 5370**, **Logix 5370/5570 controllers**, and **FLEX I/O EtherNet/IP Adapters** used in critical manufacturing environments worldwide. The issues include an authorization bypass in PavilionX (`CVE-2025-14272`) that could let an unauthenticated attacker perform privileged administrative actions, and a third-party flaw in RSLinx Classic (`CVE-2020-13573`) tied to out-of-bounds read and stack-based buffer overflow conditions that could cause denial of service or enable remote arbitrary code execution. Additional advisories detail multiple **CIP-related denial-of-service weaknesses** in CompactLogix and Logix controllers, including `CVE-2026-11317`, where crafted CIP messages can trigger major nonrecoverable faults requiring a program download, as well as sequence-number, source-IP, and connection-ID issues that can induce controller faults. CISA also warned that FLEX I/O EtherNet/IP Adapters version `2.012` are affected by `CVE-2026-0646`, which can fault devices through malformed CIP requests, and `CVE-2026-0647`, a critical authentication bypass in the embedded web server that allows password changes through a crafted HTTP GET request, potentially leading to account takeover and loss of availability; CISA said no known public exploitation had been reported and urged operators to isolate control networks, reduce internet exposure, and secure remote access with firewalls and updated VPNs.
Jun 19, 2026