Denial-of-Service Vulnerability in Rockwell Automation ArmorStart AOP
A high-severity security vulnerability, identified as CVE-2025-9437, was discovered in the Studio 5000 Logix Designer add-on profile (AOP) for the Rockwell Automation ArmorStart Classic distributed motor controller. The flaw allows an attacker to cause a denial-of-service (DoS) condition by inputting invalid values into Component Object Model (COM) methods within the affected software. This vulnerability was found internally by Rockwell Automation during routine security testing, demonstrating the company's proactive approach to product security. The vulnerability is remotely exploitable, meaning an attacker does not require physical access to the device to trigger the DoS condition. According to the available information, there is currently no evidence that this vulnerability has been exploited in the wild, and it is not listed as a Known Exploited Vulnerability (KEV). Rockwell Automation has issued a security advisory (SD1751) to inform customers of the issue and has provided both a correction and a workaround to mitigate the risk. The company emphasizes its commitment to transparency by publicly disclosing the vulnerability and offering guidance to affected users. The CVSS 4.0 base score for this vulnerability is 8.7, categorizing it as high severity and indicating a significant potential impact on industrial automation environments. Although the specific affected product versions are not detailed in the public advisories, the vulnerability is confirmed to impact the ArmorStart Classic AOP component. Customers are advised to review the official Rockwell Automation advisory for detailed mitigation steps and to apply the recommended updates or workarounds as soon as possible. The vulnerability could disrupt industrial operations by rendering the affected motor controller profile unresponsive, potentially impacting production processes. Rockwell Automation's Product Security Incident Response Team (PSIRT) is the source of the vulnerability disclosure, ensuring that the information is accurate and actionable. The advisory was published and last updated on October 14, 2025, reflecting the most current information available at the time. Organizations using the affected products should assess their exposure and implement the provided security measures to reduce the risk of exploitation. The disclosure underscores the importance of regular security testing and prompt patch management in industrial control system environments. By addressing the vulnerability before it could be exploited, Rockwell Automation demonstrates best practices in vulnerability management and customer communication.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CISA publishes ICS advisory for Rockwell Automation ArmorStart AOP
CISA released ICS advisory ICSA-25-289-04 covering the Rockwell Automation ArmorStart AOP vulnerability. This expanded public awareness of the denial-of-service issue through a U.S. government industrial control systems alert.
Rockwell Automation discloses ArmorStart AOP DoS vulnerability
Rockwell Automation published a security advisory for a denial-of-service vulnerability affecting ArmorStart AOP. The advisory marks the vendor's public disclosure of the issue tracked as CVE-2025-9437.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Rockwell Automation ArmorStart AOP
cisa.gov
Open sourceCVE-2025-9437 - Rockwell Automation ArmorStart® AOP Denial-of-Service Vulnerability
cvefeed.io
Open sourceArmorStart® AOP Denial-of-Service Vulnerability
rockwellautomation.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Denial-of-Service Vulnerability in Rockwell Automation Compact GuardLogix 5370
A high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2025-9124, has been identified in Rockwell Automation's Compact GuardLogix 5370 programmable logic controllers (PLCs). The vulnerability arises when the device receives a specifically crafted CIP (Common Industrial Protocol) unconnected explicit message, which can trigger a major non-recoverable fault in the controller. This fault condition can render the affected PLC inoperable until it is manually reset or serviced, potentially disrupting industrial automation processes that rely on these controllers for safety and operational continuity. The vulnerability is remotely exploitable, meaning an attacker does not require physical access to the device to trigger the fault. Rockwell Automation has acknowledged the issue and published a security advisory (SD1755) to inform customers and provide guidance. The advisory confirms that the vulnerability has been corrected in updated product versions, though no workaround is available for unpatched systems. There is currently no evidence that this vulnerability has been exploited in the wild, and it is not listed as a Known Exploited Vulnerability (KEV) by Rockwell Automation. The company emphasizes the importance of applying the corrective updates to mitigate the risk. The vulnerability has been assigned a CVSS 4.0 base score of 8.7, indicating a high level of risk due to the potential for significant operational impact. The affected product line, Compact GuardLogix 5370, is widely used in industrial environments for safety-critical automation tasks. Details about the specific affected versions have not been disclosed in the public advisories, but customers are urged to consult Rockwell Automation's official channels for the most current information. The vulnerability was disclosed and remediated on October 14, 2025, with both the CVE and the vendor advisory published on the same day. Rockwell Automation's Product Security Incident Response Team (PSIRT) is credited as the source of the vulnerability report. Customers are advised to review their deployment of Compact GuardLogix 5370 controllers and apply the recommended updates as soon as possible to prevent potential service interruptions. The absence of a workaround underscores the urgency of patching, as operational continuity could be at risk if the vulnerability is exploited. Organizations should also review their network segmentation and access controls to limit exposure of industrial control systems to untrusted networks.
Mar 21, 2026
Denial-of-Service Vulnerabilities in Rockwell Automation 1715 EtherNet/IP Comms Module
Rockwell Automation has disclosed two denial-of-service (DoS) vulnerabilities affecting its 1715 EtherNet/IP Comms Module, specifically versions 3.003 and prior. The vulnerabilities, identified as CVE-2025-9177 and CVE-2025-9178, were detailed in advisories released by both Rockwell Automation and the Cybersecurity and Infrastructure Security Agency (CISA) on October 14, 2025. The first vulnerability involves allocation of resources without limits or throttling (CWE-770), which allows a remote attacker to crash the web server by sending a high volume of requests. Although this crash does not impact I/O control or communication, a power cycle is required to restore web server functionality. The second vulnerability is an out-of-bounds write (CWE-787) that can be triggered through crafted CIP communication payloads, also resulting in a denial-of-service condition. Both vulnerabilities are exploitable remotely with low attack complexity, and no user interaction or privileges are required for exploitation. CISA assigned a CVSS v4 base score of 7.7 to CVE-2025-9177, indicating a high severity risk. Rockwell Automation has confirmed that these vulnerabilities have not been exploited in the wild as of the advisory date. The company has released corrected versions to address the issues, but no workarounds are available for affected systems. CISA has urged users and administrators of the 1715 EtherNet/IP Comms Module to review the advisories and apply mitigations as soon as possible. The vulnerabilities do not affect the core operational functions of the module, but the loss of web server access could hinder remote management and monitoring. Both advisories emphasize the importance of timely patching and following best practices for securing industrial control systems. The vulnerabilities highlight ongoing risks in industrial automation environments, where denial-of-service attacks can disrupt visibility and management even if core processes remain unaffected. Organizations using the affected modules are advised to assess their exposure and implement the recommended updates. The advisories also serve as a reminder of the need for robust network segmentation and monitoring in operational technology environments. Rockwell Automation has provided detailed technical information and remediation guidance in its product advisory. CISA’s alert reinforces the urgency of addressing these vulnerabilities to prevent potential operational disruptions. The coordinated disclosure and response demonstrate the critical role of vendor and government collaboration in protecting industrial control systems.
Mar 21, 2026
Multiple High-Severity Vulnerabilities in Rockwell Automation FactoryTalk Products
Rockwell Automation has disclosed several high-severity vulnerabilities affecting its FactoryTalk product line, including FactoryTalk View Machine Edition, PanelView Plus 7, and FactoryTalk ViewPoint. One of the vulnerabilities, tracked as CVE-2025-9064, is a path traversal issue in FactoryTalk View Machine Edition that allows unauthenticated attackers on the same network to delete arbitrary files from the device’s operating system, provided they know the filenames. This vulnerability is remotely exploitable and could lead to significant disruption or loss of critical files on affected devices. The company’s advisory SD1753 confirms that both FactoryTalk View Machine Edition and PanelView Plus 7 are impacted by this flaw, and that mitigations and workarounds are available. Another critical vulnerability, CVE-2025-9066, affects FactoryTalk ViewPoint and enables unauthenticated attackers to exploit XML External Entity (XXE) processing via certain SOAP requests. Successful exploitation of this flaw can result in a temporary denial-of-service condition, potentially disrupting industrial operations. Rockwell Automation’s advisory SD1752 details the XXE vulnerability, noting that it was discovered internally during routine security testing and that no known exploitation in the wild has been reported. Both vulnerabilities have been assigned a CVSS 4.0 base score of 8.7, indicating a high level of risk to industrial environments where these products are deployed. The advisories state that patches and workarounds are available, and customers are urged to apply them promptly to mitigate risk. The company emphasizes that the vulnerabilities are not currently known to be exploited in the wild, but the potential impact on industrial control systems is significant due to the products’ widespread use. The advisories also highlight Rockwell Automation’s commitment to transparency and proactive security practices, as these issues were identified through internal testing rather than external reports. Customers are encouraged to review the official advisories and implement recommended mitigations, including network segmentation and limiting access to trusted users. The affected products are commonly used in industrial automation environments, making timely remediation critical to prevent potential operational disruptions. The advisories provide detailed technical information and guidance for system administrators to assess and address the vulnerabilities. Rockwell Automation has made available downloadable advisories in Vulnerability Exploitability Exchange format for integration with vulnerability management tools. The company’s response includes both immediate patches and suggested workarounds for environments where patching may not be immediately feasible. Organizations using FactoryTalk View Machine Edition, PanelView Plus 7, or FactoryTalk ViewPoint should prioritize reviewing their exposure and applying the recommended security measures.
Mar 21, 2026