Rockwell Automation ICS Products Hit by Authentication, Authorization, DoS, and RCE Flaws
CISA republished multiple Rockwell Automation advisories covering vulnerabilities across FactoryTalk Analytics PavilionX, RSLinx Classic, CompactLogix 5370, Logix 5370/5570 controllers, and FLEX I/O EtherNet/IP Adapters used in critical manufacturing environments worldwide. The issues include an authorization bypass in PavilionX (CVE-2025-14272) that could let an unauthenticated attacker perform privileged administrative actions, and a third-party flaw in RSLinx Classic (CVE-2020-13573) tied to out-of-bounds read and stack-based buffer overflow conditions that could cause denial of service or enable remote arbitrary code execution.
Additional advisories detail multiple CIP-related denial-of-service weaknesses in CompactLogix and Logix controllers, including CVE-2026-11317, where crafted CIP messages can trigger major nonrecoverable faults requiring a program download, as well as sequence-number, source-IP, and connection-ID issues that can induce controller faults. CISA also warned that FLEX I/O EtherNet/IP Adapters version 2.012 are affected by CVE-2026-0646, which can fault devices through malformed CIP requests, and CVE-2026-0647, a critical authentication bypass in the embedded web server that allows password changes through a crafted HTTP GET request, potentially leading to account takeover and loss of availability; CISA said no known public exploitation had been reported and urged operators to isolate control networks, reduce internet exposure, and secure remote access with firewalls and updated VPNs.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
Rockwell patches FactoryTalk Historian vulnerabilities
Rockwell Automation released patches for vulnerabilities affecting FactoryTalk Historian. SecurityWeek reported that CISA distributed Rockwell advisories for other products on June 16, 2026, but did not publish an advisory for the FactoryTalk Historian issues.
Rockwell Automation publishes security advisory SD1777
Rockwell Automation published security advisory SD1777 on 2026-06-16. The provided reference includes the advisory identifier and publication date but no synopsis details.
Rockwell Automation publishes security advisory SD1776
Rockwell Automation published security advisory SD1776 on 2026-06-16. The provided reference includes the advisory identifier and publication date but no synopsis details.
Rockwell Automation publishes security advisory SD1775
Rockwell Automation published security advisory SD1775 on 2026-06-16. The provided reference includes the advisory identifier and publication date but no synopsis details.
Rockwell Automation publishes security advisory SD1774
Rockwell Automation published security advisory SD1774 on 2026-06-16. The provided reference includes the advisory identifier and publication date but no synopsis details.
Rockwell Automation publishes security advisory SD1773
Rockwell Automation published security advisory SD1773 on 2026-06-16. The provided reference includes the advisory identifier and publication date but no synopsis details.
Rockwell Automation publishes security advisory SD1772
Rockwell Automation published security advisory SD1772 on 2026-06-16. The provided reference includes the advisory identifier and publication date but no synopsis details.
CISA republishes advisory for FLEX I/O EtherNet/IP Adapter flaws
On 2026-06-16, CISA republished a Rockwell Automation advisory covering CVE-2026-0646 and CVE-2026-0647 in FLEX I/O EtherNet/IP Adapters 1794-AENTR and 1794-AENTRXT version 2.012. The vulnerabilities include a denial-of-service condition and a critical authentication bypass in the embedded web server that can let an unauthenticated attacker change the web interface password.
CISA republishes advisory for CompactLogix CIP denial-of-service issues
On 2026-06-16, CISA republished a Rockwell Automation advisory describing two vulnerabilities in CompactLogix 5370 L1, L2, and L3 controllers earlier than V38.011. The issues involve improper validation in the CIP protocol and exposure of CIP Connection IDs through the web interface, enabling denial-of-service conditions that cause a minor fault.
CISA republishes advisory for Logix 5370 and 5570 controller DoS bug
On 2026-06-16, CISA republished a Rockwell Automation advisory for CVE-2026-11317 affecting multiple Logix 5370 and 5570 controller families. The flaw can be triggered with a crafted CIP message to cause a major nonrecoverable fault, and CISA said no known public exploitation had been reported at the time of publication.
CISA republishes advisory for RSLinx Classic vulnerability
On 2026-06-16, CISA republished a Rockwell Automation advisory for RSLinx Classic 4.50.00 and earlier covering CVE-2020-13573. The advisory said exploitation could cause denial of service and also described a stack-based buffer overflow that could allow remote arbitrary code execution; no known public exploitation was reported to CISA at publication time.
CISA republishes advisory for FactoryTalk Analytics PavilionX flaw
On 2026-06-16, CISA republished a Rockwell Automation advisory describing CVE-2025-14272, a missing-authorization flaw in FactoryTalk Analytics PavilionX versions earlier than 7.01 that could let an unauthenticated attacker perform privileged administrative actions. CISA said no known public exploitation specifically targeting the issue had been reported at the time of publication.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
13 references tracked. Mallory keeps watching after this page renders.
Rockwell Automation Vulnerabilities: FactoryTalk, FLEX I/O
securityonline.info
Open sourceRockwell Automation Patches Vulnerabilities in ICS Controllers and Software - SecurityWeek
securityweek.com
Open sourceRockwell Automation CompactLogix | CISA
cisa.gov
Open sourceSD1773 | Security Advisory | Rockwell Automation | US
rockwellautomation.com
Open sourceRockwell Automation Logix 5370 & 5570 Controllers Vulnerable To Denial of Service Via CIP | CISA
cisa.gov
Open sourceRockwell Automation FactoryTalk Analytics PavilionX | CISA
cisa.gov
Open sourceSD1776 | Security Advisory | Rockwell Automation | US
rockwellautomation.com
Open sourceRockwell Automation FLEX I/O EtherNet/IP Adapters | CISA
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA ICS Advisories Flag High-Severity DoS Flaws in Rockwell Automation ArmorStart LT and ControlLogix
CISA published ICS advisories warning that multiple **Rockwell Automation** products contain remotely triggerable vulnerabilities that can cause **denial-of-service (DoS)** conditions. In *ArmorStart LT* (models **290D/291D/294D** running **<= v2.002**), CISA lists multiple CVEs (including **CVE-2025-9464/9465/9466** and **CVE-2025-9278** through **CVE-2025-9283**) tied to **uncontrolled resource consumption** (CWE-400). The issue can be triggered during fuzzing of multiple **CIP** classes, causing the device’s CIP port to become unresponsive; CISA rates the condition **CVSS 7.5 (HIGH)**. A separate CISA advisory covers *ControlLogix* **1756-RM2** and **1756-RM2XT** Redundancy Enhanced Modules (firmware **all versions**) impacted by **CVE-2025-14027**, described as resource-exhaustion and memory-management problems (CWE-401) that can be triggered via crafted inputs such as malformed **Class 3** messages. Exploitation may render devices unresponsive and can lead to a major nonrecoverable fault requiring a restart; CISA also rates this **CVSS 7.5 (HIGH)** and notes broad deployment across multiple critical infrastructure sectors. A separate report about a **Johnson Controls Metasys** **SQL injection** vulnerability (**CVE-2025-26385**, **CVSS 10**) is a different vendor/product and is not part of the Rockwell advisories described above.
Mar 21, 2026
Multiple Critical Vulnerabilities Disclosed in Industrial Control Systems by CISA
CISA released thirteen advisories detailing critical vulnerabilities affecting a range of industrial control system (ICS) products from major vendors including Rockwell Automation, Siemens, Hitachi Energy, Schneider Electric, and Delta Electronics. The advisories highlight severe security flaws such as missing authentication for critical functions, improper authorization, buffer overflows, SQL injection, and improper certificate validation. For Siemens TeleControl Server Basic, a vulnerability (CVE-2025-40765) allows unauthenticated remote attackers to obtain password hashes and perform authenticated operations on the database service, with a CVSS v3.1 score of 9.8, indicating critical risk. Rockwell Automation's FactoryTalk View Machine Edition and PanelView Plus 7 are susceptible to path traversal and improper authorization, potentially granting attackers unauthorized access to device file systems and sensitive diagnostic information. FactoryTalk ViewPoint is vulnerable to XML external entity injection, which could result in denial-of-service conditions. Siemens SiPass Integrated faces multiple issues, including buffer overflows and cross-site scripting, which could enable arbitrary code execution and unauthorized access. The Siemens SIMATIC ET 200SP Communication Processors have a missing authentication flaw that could allow attackers to access configuration data remotely. Siemens SINEC NMS is affected by a SQL injection vulnerability that could let low-privileged users escalate privileges. Siemens Solid Edge products are exposed to out-of-bounds read and write vulnerabilities, risking application crashes or code execution. Siemens HyperLynx and Industrial Edge App Publisher are vulnerable to type confusion, potentially leading to arbitrary code execution via crafted HTML pages. Hitachi Energy MACH GWS products have incorrect default permissions and improper validation issues, which could allow attackers to tamper with system files, cause denial of service, or perform man-in-the-middle attacks. The advisories provide technical details, affected product versions, and recommended mitigations, urging administrators to review and apply patches or workarounds. The vulnerabilities impact critical infrastructure sectors such as manufacturing, energy, water, and transportation, with products deployed worldwide. Many of the flaws are remotely exploitable with low attack complexity, increasing the urgency for remediation. CISA emphasizes the importance of timely action to prevent exploitation, as several vulnerabilities could lead to unauthorized access, data manipulation, or disruption of essential services. The advisories also reference the need to consult vendor-specific security updates for the most current information. Organizations are advised to assess their exposure, prioritize patching, and implement recommended security controls to mitigate these risks. The coordinated disclosure underscores the ongoing threat to ICS environments and the necessity for robust security practices across operational technology networks.
Mar 21, 2026
CISA Releases Multiple Industrial Control Systems Vulnerability Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a series of advisories addressing newly discovered vulnerabilities in a wide range of industrial control systems (ICS) products. These advisories, released between October 13 and 21, 2025, cover products from major vendors such as Rockwell Automation, Siemens, Schneider Electric, Delta Electronics, Hitachi Energy, and Oxford Nanopore Technologies. The advisories provide technical details about the vulnerabilities, including affected versions, potential impacts, and recommended mitigations. For Rockwell Automation, advisories were published for products including the 1783-NATR, Compact GuardLogix 5370, 1715 EtherNet/IP, ArmorStart AOP, FactoryTalk Linx, FactoryTalk View Machine Edition, and PanelView Plus 7 Terminal, with some vulnerabilities identified by specific CVEs such as CVE-2025-9063 and CVE-2025-9064. Siemens products affected include SIMATIC S7-1200 CPU V1/V2 Devices, RUGGEDCOM ROS Devices, HyperLynx, Industrial Edge App Publisher, SIMATIC ET 200SP Communication Processors, SINEC NMS, SiPass Integrated, Solid Edge SE2024 and SE2025, and TeleControl Server Basic. Schneider Electric advisories addressed issues in Pro-Face GP-Pro EX and Remote HMI, Modicon Controllers, Advanced Reporting and Dashboards Module for EcoStruxure Power Operation, and EcoStruxure Power Monitoring Expert (PME) across several versions. Additional advisories were released for CloudEdge Online Cameras and App, Raisecomm RAX701-GC Series, and Oxford Nanopore Technologies MinKNOW. The advisories detail the nature of the vulnerabilities, which range from improper input validation to authentication bypass and remote code execution risks. CISA and the Canadian Centre for Cyber Security both urge ICS users and administrators to review the advisories, apply recommended mitigations, and update affected systems to reduce the risk of exploitation. The coordinated release of these advisories highlights the ongoing threat landscape facing critical infrastructure and the need for timely patch management. Many of the vulnerabilities could allow attackers to gain unauthorized access, disrupt operations, or compromise sensitive industrial processes. The advisories include links to technical documentation and vendor updates, enabling organizations to assess their exposure and take immediate action. The affected products are widely deployed in sectors such as manufacturing, energy, and utilities, increasing the urgency for remediation. CISA’s advisories are part of a broader effort to enhance the security posture of industrial environments against evolving cyber threats. The inclusion of both new and updated advisories for previously disclosed vulnerabilities demonstrates the dynamic nature of ICS security. Organizations are reminded to follow best practices for ICS security, including network segmentation, access control, and regular vulnerability assessments. The advisories also emphasize the importance of monitoring for signs of exploitation and maintaining up-to-date incident response plans. By addressing these vulnerabilities promptly, asset owners can help safeguard critical infrastructure from potential cyberattacks.
Mar 21, 2026