Denial-of-Service Vulnerabilities in Rockwell Automation 1715 EtherNet/IP Comms Module
Rockwell Automation has disclosed two denial-of-service (DoS) vulnerabilities affecting its 1715 EtherNet/IP Comms Module, specifically versions 3.003 and prior. The vulnerabilities, identified as CVE-2025-9177 and CVE-2025-9178, were detailed in advisories released by both Rockwell Automation and the Cybersecurity and Infrastructure Security Agency (CISA) on October 14, 2025. The first vulnerability involves allocation of resources without limits or throttling (CWE-770), which allows a remote attacker to crash the web server by sending a high volume of requests. Although this crash does not impact I/O control or communication, a power cycle is required to restore web server functionality. The second vulnerability is an out-of-bounds write (CWE-787) that can be triggered through crafted CIP communication payloads, also resulting in a denial-of-service condition. Both vulnerabilities are exploitable remotely with low attack complexity, and no user interaction or privileges are required for exploitation. CISA assigned a CVSS v4 base score of 7.7 to CVE-2025-9177, indicating a high severity risk. Rockwell Automation has confirmed that these vulnerabilities have not been exploited in the wild as of the advisory date. The company has released corrected versions to address the issues, but no workarounds are available for affected systems. CISA has urged users and administrators of the 1715 EtherNet/IP Comms Module to review the advisories and apply mitigations as soon as possible. The vulnerabilities do not affect the core operational functions of the module, but the loss of web server access could hinder remote management and monitoring. Both advisories emphasize the importance of timely patching and following best practices for securing industrial control systems. The vulnerabilities highlight ongoing risks in industrial automation environments, where denial-of-service attacks can disrupt visibility and management even if core processes remain unaffected. Organizations using the affected modules are advised to assess their exposure and implement the recommended updates. The advisories also serve as a reminder of the need for robust network segmentation and monitoring in operational technology environments. Rockwell Automation has provided detailed technical information and remediation guidance in its product advisory. CISA’s alert reinforces the urgency of addressing these vulnerabilities to prevent potential operational disruptions. The coordinated disclosure and response demonstrate the critical role of vendor and government collaboration in protecting industrial control systems.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CISA publishes ICS advisory for Rockwell Automation 1715 EtherNet/IP module
CISA released ICS advisory ICSA-25-287-01 covering vulnerabilities in the Rockwell Automation 1715 EtherNet/IP Comms Module. The agency also announced the release through its industrial control systems advisory notice.
Rockwell Automation discloses DoS vulnerabilities in 1715 EtherNet/IP module
Rockwell Automation published security advisory SD1757 for denial-of-service vulnerabilities affecting the 1715 EtherNet/IP Comms Module. The advisory publicly disclosed the issue and provided vendor security guidance.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Rockwell Automation 1715 EtherNet/IP Comms Module
cisa.gov
Open sourceCISA Releases One Industrial Control Systems Advisory
cisa.gov
Open source1715 EtherNet/IP Comms Module Denial-Of-Service Vulnerabilities
rockwellautomation.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Denial-of-Service Vulnerability in Rockwell Automation Compact GuardLogix 5370
A high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2025-9124, has been identified in Rockwell Automation's Compact GuardLogix 5370 programmable logic controllers (PLCs). The vulnerability arises when the device receives a specifically crafted CIP (Common Industrial Protocol) unconnected explicit message, which can trigger a major non-recoverable fault in the controller. This fault condition can render the affected PLC inoperable until it is manually reset or serviced, potentially disrupting industrial automation processes that rely on these controllers for safety and operational continuity. The vulnerability is remotely exploitable, meaning an attacker does not require physical access to the device to trigger the fault. Rockwell Automation has acknowledged the issue and published a security advisory (SD1755) to inform customers and provide guidance. The advisory confirms that the vulnerability has been corrected in updated product versions, though no workaround is available for unpatched systems. There is currently no evidence that this vulnerability has been exploited in the wild, and it is not listed as a Known Exploited Vulnerability (KEV) by Rockwell Automation. The company emphasizes the importance of applying the corrective updates to mitigate the risk. The vulnerability has been assigned a CVSS 4.0 base score of 8.7, indicating a high level of risk due to the potential for significant operational impact. The affected product line, Compact GuardLogix 5370, is widely used in industrial environments for safety-critical automation tasks. Details about the specific affected versions have not been disclosed in the public advisories, but customers are urged to consult Rockwell Automation's official channels for the most current information. The vulnerability was disclosed and remediated on October 14, 2025, with both the CVE and the vendor advisory published on the same day. Rockwell Automation's Product Security Incident Response Team (PSIRT) is credited as the source of the vulnerability report. Customers are advised to review their deployment of Compact GuardLogix 5370 controllers and apply the recommended updates as soon as possible to prevent potential service interruptions. The absence of a workaround underscores the urgency of patching, as operational continuity could be at risk if the vulnerability is exploited. Organizations should also review their network segmentation and access controls to limit exposure of industrial control systems to untrusted networks.
Mar 21, 2026
Denial-of-Service Vulnerability in Rockwell Automation ArmorStart AOP
A high-severity security vulnerability, identified as CVE-2025-9437, was discovered in the Studio 5000 Logix Designer add-on profile (AOP) for the Rockwell Automation ArmorStart Classic distributed motor controller. The flaw allows an attacker to cause a denial-of-service (DoS) condition by inputting invalid values into Component Object Model (COM) methods within the affected software. This vulnerability was found internally by Rockwell Automation during routine security testing, demonstrating the company's proactive approach to product security. The vulnerability is remotely exploitable, meaning an attacker does not require physical access to the device to trigger the DoS condition. According to the available information, there is currently no evidence that this vulnerability has been exploited in the wild, and it is not listed as a Known Exploited Vulnerability (KEV). Rockwell Automation has issued a security advisory (SD1751) to inform customers of the issue and has provided both a correction and a workaround to mitigate the risk. The company emphasizes its commitment to transparency by publicly disclosing the vulnerability and offering guidance to affected users. The CVSS 4.0 base score for this vulnerability is 8.7, categorizing it as high severity and indicating a significant potential impact on industrial automation environments. Although the specific affected product versions are not detailed in the public advisories, the vulnerability is confirmed to impact the ArmorStart Classic AOP component. Customers are advised to review the official Rockwell Automation advisory for detailed mitigation steps and to apply the recommended updates or workarounds as soon as possible. The vulnerability could disrupt industrial operations by rendering the affected motor controller profile unresponsive, potentially impacting production processes. Rockwell Automation's Product Security Incident Response Team (PSIRT) is the source of the vulnerability disclosure, ensuring that the information is accurate and actionable. The advisory was published and last updated on October 14, 2025, reflecting the most current information available at the time. Organizations using the affected products should assess their exposure and implement the provided security measures to reduce the risk of exploitation. The disclosure underscores the importance of regular security testing and prompt patch management in industrial control system environments. By addressing the vulnerability before it could be exploited, Rockwell Automation demonstrates best practices in vulnerability management and customer communication.
Mar 21, 2026
Rockwell Automation ICS Products Hit by Authentication, Authorization, DoS, and RCE Flaws
CISA republished multiple Rockwell Automation advisories covering vulnerabilities across **FactoryTalk Analytics PavilionX**, **RSLinx Classic**, **CompactLogix 5370**, **Logix 5370/5570 controllers**, and **FLEX I/O EtherNet/IP Adapters** used in critical manufacturing environments worldwide. The issues include an authorization bypass in PavilionX (`CVE-2025-14272`) that could let an unauthenticated attacker perform privileged administrative actions, and a third-party flaw in RSLinx Classic (`CVE-2020-13573`) tied to out-of-bounds read and stack-based buffer overflow conditions that could cause denial of service or enable remote arbitrary code execution. Additional advisories detail multiple **CIP-related denial-of-service weaknesses** in CompactLogix and Logix controllers, including `CVE-2026-11317`, where crafted CIP messages can trigger major nonrecoverable faults requiring a program download, as well as sequence-number, source-IP, and connection-ID issues that can induce controller faults. CISA also warned that FLEX I/O EtherNet/IP Adapters version `2.012` are affected by `CVE-2026-0646`, which can fault devices through malformed CIP requests, and `CVE-2026-0647`, a critical authentication bypass in the embedded web server that allows password changes through a crafted HTTP GET request, potentially leading to account takeover and loss of availability; CISA said no known public exploitation had been reported and urged operators to isolate control networks, reduce internet exposure, and secure remote access with firewalls and updated VPNs.
Jun 19, 2026