CISA ICS Advisories Flag High-Severity DoS Flaws in Rockwell Automation ArmorStart LT and ControlLogix
CISA published ICS advisories warning that multiple Rockwell Automation products contain remotely triggerable vulnerabilities that can cause denial-of-service (DoS) conditions. In ArmorStart LT (models 290D/291D/294D running <= v2.002), CISA lists multiple CVEs (including CVE-2025-9464/9465/9466 and CVE-2025-9278 through CVE-2025-9283) tied to uncontrolled resource consumption (CWE-400). The issue can be triggered during fuzzing of multiple CIP classes, causing the device’s CIP port to become unresponsive; CISA rates the condition CVSS 7.5 (HIGH).
A separate CISA advisory covers ControlLogix 1756-RM2 and 1756-RM2XT Redundancy Enhanced Modules (firmware all versions) impacted by CVE-2025-14027, described as resource-exhaustion and memory-management problems (CWE-401) that can be triggered via crafted inputs such as malformed Class 3 messages. Exploitation may render devices unresponsive and can lead to a major nonrecoverable fault requiring a restart; CISA also rates this CVSS 7.5 (HIGH) and notes broad deployment across multiple critical infrastructure sectors. A separate report about a Johnson Controls Metasys SQL injection vulnerability (CVE-2025-26385, CVSS 10) is a different vendor/product and is not part of the Rockwell advisories described above.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA republishes Rockwell ControlLogix advisory
CISA published ICS advisory ICSA-26-029-03 as an initial republication of Rockwell Automation advisory SD1769 covering CVE-2025-14027 in ControlLogix Redundancy Enhanced Modules. The agency recommended standard ICS mitigations and said it had not received reports of public exploitation.
CISA republishes Rockwell ArmorStart LT advisory
CISA published ICS advisory ICSA-26-029-02 as an initial republication of Rockwell Automation advisory SD1768, warning critical manufacturing operators about the ArmorStart LT vulnerabilities and recommending standard ICS network-hardening measures. CISA said it was not aware of public exploitation at the time of publication.
Rockwell discloses ControlLogix redundancy module DoS flaw
Rockwell Automation advisory SD1769 disclosed CVE-2025-14027, a high-severity denial-of-service vulnerability affecting all firmware versions of the 1756-RM2 and 1756-RM2XT ControlLogix Redundancy Enhanced Modules. Crafted inputs can exhaust resources and render the device unresponsive, potentially causing a major nonrecoverable fault that requires a restart.
Rockwell discloses ArmorStart LT denial-of-service vulnerabilities
Rockwell Automation advisory SD1768 described multiple high-severity denial-of-service flaws in ArmorStart LT 290D, 291D, and 294D devices up to version 2.002. The vulnerabilities can be triggered over the network and may cause CIP port unresponsiveness, device reboots, loss of ICMP connectivity, and temporary Link State Monitor outages.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Rockwell Automation ICS Products Hit by Authentication, Authorization, DoS, and RCE Flaws
CISA republished multiple Rockwell Automation advisories covering vulnerabilities across **FactoryTalk Analytics PavilionX**, **RSLinx Classic**, **CompactLogix 5370**, **Logix 5370/5570 controllers**, and **FLEX I/O EtherNet/IP Adapters** used in critical manufacturing environments worldwide. The issues include an authorization bypass in PavilionX (`CVE-2025-14272`) that could let an unauthenticated attacker perform privileged administrative actions, and a third-party flaw in RSLinx Classic (`CVE-2020-13573`) tied to out-of-bounds read and stack-based buffer overflow conditions that could cause denial of service or enable remote arbitrary code execution. Additional advisories detail multiple **CIP-related denial-of-service weaknesses** in CompactLogix and Logix controllers, including `CVE-2026-11317`, where crafted CIP messages can trigger major nonrecoverable faults requiring a program download, as well as sequence-number, source-IP, and connection-ID issues that can induce controller faults. CISA also warned that FLEX I/O EtherNet/IP Adapters version `2.012` are affected by `CVE-2026-0646`, which can fault devices through malformed CIP requests, and `CVE-2026-0647`, a critical authentication bypass in the embedded web server that allows password changes through a crafted HTTP GET request, potentially leading to account takeover and loss of availability; CISA said no known public exploitation had been reported and urged operators to isolate control networks, reduce internet exposure, and secure remote access with firewalls and updated VPNs.
Jun 19, 2026
CISA ICS Advisories Highlight Multiple High-Impact Vulnerabilities Across Industrial and IoT Products
CISA published multiple Industrial Control Systems (ICS) advisories detailing vulnerabilities across a range of OT and connected-device products, including **critical** issues in *AVEVA Process Optimization* (multiple CVEs) that could enable unauthenticated **remote code execution**, SQL injection, privilege escalation, and sensitive data exposure in affected versions (<=2024.1). Additional advisories describe flaws in several **Siemens** product lines, including a DoS condition in **SIMATIC/SIPLUS ET 200** components triggered via an S7 protocol disconnect request (`CVE-2025-40944`), a TLS certificate upload input-validation issue that can crash/reboot **RUGGEDCOM ROS** devices (`CVE-2025-40935`), a local privilege escalation in **TeleControl Server Basic** prior to V3.1.2.4 (`CVE-2025-40942`), and multiple issues in **SINEC Security Monitor** (including improper authorization in `ssmctl-client` file transfer and report-generation DoS; `CVE-2025-40830`, `CVE-2025-40831`). CISA also noted vulnerabilities affecting **Siemens Industrial Edge** ecosystems, including an authorization bypass in the **Industrial Edge Device Kit** (`CVE-2025-40805`) and authentication enforcement weaknesses on specific API endpoints in **Industrial Edge Devices** that could allow impersonation if an attacker knows a legitimate user identity. Other CISA advisories covered **Schneider Electric EcoStruxure Power Build Rapsody** (`CVE-2025-13844`), where importing a malicious project file (SSD) could trigger memory corruption (e.g., double free/use-after-free) and potentially arbitrary code execution, and **Rockwell Automation FactoryTalk DataMosaix Private Cloud** (`CVE-2025-12807`), where low-privilege users could perform sensitive database operations via exposed API endpoints (SQL injection class). Separately, CISA warned about **YoSmart/YoLink** weaknesses (multiple CVEs) including insufficient authorization controls in the MQTT broker enabling cross-account device control when device IDs are obtained (with IDs described as predictable), plus additional issues such as cleartext transmission and predictable identifiers. A non-CISA item in the set reported Cisco releasing updates for a max-severity **AsyncOS** vulnerability under active exploitation (`CVE-2025-20393`) affecting *Secure Email Gateway* and *Secure Email and Web Manager* appliances, including evidence of attacker-installed persistence and attribution by Cisco Talos to **UAT-9686**; this is a separate enterprise email-security incident and not part of the ICS advisory set.
Mar 21, 2026
Multiple Critical Vulnerabilities Disclosed in Industrial Control Systems by CISA
CISA released thirteen advisories detailing critical vulnerabilities affecting a range of industrial control system (ICS) products from major vendors including Rockwell Automation, Siemens, Hitachi Energy, Schneider Electric, and Delta Electronics. The advisories highlight severe security flaws such as missing authentication for critical functions, improper authorization, buffer overflows, SQL injection, and improper certificate validation. For Siemens TeleControl Server Basic, a vulnerability (CVE-2025-40765) allows unauthenticated remote attackers to obtain password hashes and perform authenticated operations on the database service, with a CVSS v3.1 score of 9.8, indicating critical risk. Rockwell Automation's FactoryTalk View Machine Edition and PanelView Plus 7 are susceptible to path traversal and improper authorization, potentially granting attackers unauthorized access to device file systems and sensitive diagnostic information. FactoryTalk ViewPoint is vulnerable to XML external entity injection, which could result in denial-of-service conditions. Siemens SiPass Integrated faces multiple issues, including buffer overflows and cross-site scripting, which could enable arbitrary code execution and unauthorized access. The Siemens SIMATIC ET 200SP Communication Processors have a missing authentication flaw that could allow attackers to access configuration data remotely. Siemens SINEC NMS is affected by a SQL injection vulnerability that could let low-privileged users escalate privileges. Siemens Solid Edge products are exposed to out-of-bounds read and write vulnerabilities, risking application crashes or code execution. Siemens HyperLynx and Industrial Edge App Publisher are vulnerable to type confusion, potentially leading to arbitrary code execution via crafted HTML pages. Hitachi Energy MACH GWS products have incorrect default permissions and improper validation issues, which could allow attackers to tamper with system files, cause denial of service, or perform man-in-the-middle attacks. The advisories provide technical details, affected product versions, and recommended mitigations, urging administrators to review and apply patches or workarounds. The vulnerabilities impact critical infrastructure sectors such as manufacturing, energy, water, and transportation, with products deployed worldwide. Many of the flaws are remotely exploitable with low attack complexity, increasing the urgency for remediation. CISA emphasizes the importance of timely action to prevent exploitation, as several vulnerabilities could lead to unauthorized access, data manipulation, or disruption of essential services. The advisories also reference the need to consult vendor-specific security updates for the most current information. Organizations are advised to assess their exposure, prioritize patching, and implement recommended security controls to mitigate these risks. The coordinated disclosure underscores the ongoing threat to ICS environments and the necessity for robust security practices across operational technology networks.
Mar 21, 2026