Denial-of-Service Vulnerabilities in Rockwell Automation 1715 EtherNet/IP Comms Module

Updated October 15, 2025 at 02:01 AM · 3 sources

Rockwell Automation has disclosed two denial-of-service (DoS) vulnerabilities affecting its 1715 EtherNet/IP Comms Module, specifically versions 3.003 and prior. The vulnerabilities, identified as CVE-2025-9177 and CVE-2025-9178, were detailed in advisories released by both Rockwell Automation and the Cybersecurity and Infrastructure Security Agency (CISA) on October 14, 2025. The first vulnerability involves allocation of resources without limits or throttling (CWE-770), which allows a remote attacker to crash the web server by sending a high volume of requests. Although this crash does not impact I/O control or communication, a power cycle is required to restore web server functionality. The second vulnerability is an out-of-bounds write (CWE-787) that can be triggered through crafted CIP communication payloads, also resulting in a denial-of-service condition.

Both vulnerabilities are exploitable remotely with low attack complexity, and no user interaction or privileges are required for exploitation. CISA assigned a CVSS v4 base score of 7.7 to CVE-2025-9177, indicating a high severity risk. Rockwell Automation has confirmed that these vulnerabilities have not been exploited in the wild as of the advisory date. The company has released corrected versions to address the issues, but no workarounds are available for affected systems.

CISA has urged users and administrators of the 1715 EtherNet/IP Comms Module to review the advisories and apply mitigations as soon as possible. The vulnerabilities do not affect the core operational functions of the module, but the loss of web server access could hinder remote management and monitoring. Both advisories emphasize the importance of timely patching and following best practices for securing industrial control systems. The vulnerabilities highlight ongoing risks in industrial automation environments, where denial-of-service attacks can disrupt visibility and management even if core processes remain unaffected.

Organizations using the affected modules are advised to assess their exposure and implement the recommended updates. The advisories also serve as a reminder of the need for robust network segmentation and monitoring in operational technology environments. Rockwell Automation has provided detailed technical information and remediation guidance in its product advisory. CISA’s alert reinforces the urgency of addressing these vulnerabilities to prevent potential operational disruptions. The coordinated disclosure and response demonstrate the critical role of vendor and government collaboration in protecting industrial control systems.

Related Stories

Denial-of-Service Vulnerability in Rockwell Automation Compact GuardLogix 5370

A high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2025-9124, has been identified in Rockwell Automation's Compact GuardLogix 5370 programmable logic controllers (PLCs). The vulnerability arises when the device receives a specifically crafted CIP (Common Industrial Protocol) unconnected explicit message, which can trigger a major non-recoverable fault in the controller. This fault condition can render the affected PLC inoperable until it is manually reset or serviced, potentially disrupting industrial automation processes that rely on these controllers for safety and operational continuity. The vulnerability is remotely exploitable, meaning an attacker does not require physical access to the device to trigger the fault.

Rockwell Automation has acknowledged the issue and published a security advisory (SD1755) to inform customers and provide guidance. The advisory confirms that the vulnerability has been corrected in updated product versions, though no workaround is available for unpatched systems. There is currently no evidence that this vulnerability has been exploited in the wild, and it is not listed as a Known Exploited Vulnerability (KEV) by Rockwell Automation. The company emphasizes the importance of applying the corrective updates to mitigate the risk. The vulnerability has been assigned a CVSS 4.0 base score of 8.7, indicating a high level of risk due to the potential for significant operational impact.

The affected product line, Compact GuardLogix 5370, is widely used in industrial environments for safety-critical automation tasks. Details about the specific affected versions have not been disclosed in the public advisories, but customers are urged to consult Rockwell Automation's official channels for the most current information. The vulnerability was disclosed and remediated on October 14, 2025, with both the CVE and the vendor advisory published on the same day. Rockwell Automation's Product Security Incident Response Team (PSIRT) is credited as the source of the vulnerability report.

Customers are advised to review their deployment of Compact GuardLogix 5370 controllers and apply the recommended updates as soon as possible to prevent potential service interruptions. The absence of a workaround underscores the urgency of patching, as operational continuity could be at risk if the vulnerability is exploited. Organizations should also review their network segmentation and access controls to limit exposure of industrial control systems to untrusted networks.

5 months ago

Denial-of-Service Vulnerability in Rockwell Automation ArmorStart AOP

A high-severity security vulnerability, identified as CVE-2025-9437, was discovered in the Studio 5000 Logix Designer add-on profile (AOP) for the Rockwell Automation ArmorStart Classic distributed motor controller. The flaw allows an attacker to cause a denial-of-service (DoS) condition by inputting invalid values into Component Object Model (COM) methods within the affected software. This vulnerability was found internally by Rockwell Automation during routine security testing, demonstrating the company's proactive approach to product security. The vulnerability is remotely exploitable, meaning an attacker does not require physical access to the device to trigger the DoS condition.

According to the available information, there is currently no evidence that this vulnerability has been exploited in the wild, and it is not listed as a Known Exploited Vulnerability (KEV). Rockwell Automation has issued a security advisory (SD1751) to inform customers of the issue and has provided both a correction and a workaround to mitigate the risk. The company emphasizes its commitment to transparency by publicly disclosing the vulnerability and offering guidance to affected users. The CVSS 4.0 base score for this vulnerability is 8.7, categorizing it as high severity and indicating a significant potential impact on industrial automation environments.

Although the specific affected product versions are not detailed in the public advisories, the vulnerability is confirmed to impact the ArmorStart Classic AOP component. Customers are advised to review the official Rockwell Automation advisory for detailed mitigation steps and to apply the recommended updates or workarounds as soon as possible. The vulnerability could disrupt industrial operations by rendering the affected motor controller profile unresponsive, potentially impacting production processes.

Rockwell Automation's Product Security Incident Response Team (PSIRT) is the source of the vulnerability disclosure, ensuring that the information is accurate and actionable. The advisory was published and last updated on October 14, 2025, reflecting the most current information available at the time. Organizations using the affected products should assess their exposure and implement the provided security measures to reduce the risk of exploitation. The disclosure underscores the importance of regular security testing and prompt patch management in industrial control system environments. By addressing the vulnerability before it could be exploited, Rockwell Automation demonstrates best practices in vulnerability management and customer communication.

5 months ago

CISA ICS Advisories Flag High-Severity DoS Flaws in Rockwell Automation ArmorStart LT and ControlLogix

CISA published ICS advisories warning that multiple **Rockwell Automation** products contain remotely triggerable vulnerabilities that can cause **denial-of-service (DoS)** conditions. In *ArmorStart LT* (models **290D/291D/294D** running **<= v2.002**), CISA lists multiple CVEs (including **CVE-2025-9464/9465/9466** and **CVE-2025-9278** through **CVE-2025-9283**) tied to **uncontrolled resource consumption** (CWE-400). The issue can be triggered during fuzzing of multiple **CIP** classes, causing the device’s CIP port to become unresponsive; CISA rates the condition **CVSS 7.5 (HIGH)**. A separate CISA advisory covers *ControlLogix* **1756-RM2** and **1756-RM2XT** Redundancy Enhanced Modules (firmware **all versions**) impacted by **CVE-2025-14027**, described as resource-exhaustion and memory-management problems (CWE-401) that can be triggered via crafted inputs such as malformed **Class 3** messages. Exploitation may render devices unresponsive and can lead to a major nonrecoverable fault requiring a restart; CISA also rates this **CVSS 7.5 (HIGH)** and notes broad deployment across multiple critical infrastructure sectors. A separate report about a **Johnson Controls Metasys** **SQL injection** vulnerability (**CVE-2025-26385**, **CVSS 10**) is a different vendor/product and is not part of the Rockwell advisories described above.

1 month ago