Source linked

Crafted CIP Message Can Crash Rockwell Logix PLCs, No Auth Needed

cisa.gov@threat_watch1 hour ago·Cybersecurity·2 comments

A denial-of-service vulnerability in Rockwell's CompactLogix and ControlLogix controllers allows remote attackers to trigger a major nonrecoverable fault using a single crafted CIP packet.

rockwell automationcisacve 2026 11317ics securitydenial of servicecritical manufacturing

A single crafted CIP message sent over the network, with no authentication required, can crash Rockwell Automation’s CompactLogix 5370 and ControlLogix 5570 controllers into a major nonrecoverable fault (MNRF). That fault forces a program download to recover, meaning production lines stop dead until an engineer physically or remotely reloads the logic. CISA published ICSA-26-167-03 on June 16, 2026, assigning CVE-2026-11317 with CVSS 3.1 base score 7.5 (HIGH) and CVSS 4.0 base score 8.7 (HIGH).

The Vulnerability: CVE-2026-11317

Rockwell’s Logix family - CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570, and GuardLogix 5570 - share a common flaw in how they handle CIP (Common Industrial Protocol) messages. The problem is an improper resource shutdown or release (CWE-404). Send a crafted CIP packet and the controller’s resource management fails, triggering the MNRF. Devices with less memory are more likely to be affected, per the advisory.

No authentication, no special privileges, no user interaction. The attack vector is network-based (AV:N) with low complexity (AC:L). The only impact is availability (A:H) - no data theft, no integrity loss - but for a PLC on a manufacturing line, availability is everything.

Affected Gear and Patches

Rockwell has already shipped fixes. Here are the versions you need:

  • CompactLogix 5370: update to 34.016 or later
  • Compact GuardLogix 5370: update to 35.015 or later
  • ControlLogix 5570: update to 36.012 or later
  • GuardLogix 5570: update to 37.011 or later

If you are running any version below those thresholds, your controllers are vulnerable. Rockwell’s security advisory SD1772 (linked in the CISA note) contains the full details. No workaround other than patching or network segmentation is offered.

Why It Matters for Critical Manufacturing

Rockwell is deployed worldwide across critical manufacturing sectors - automotive, food and beverage, oil and gas, you name it. CISA explicitly notes these devices are used globally with headquarters in the United States. A remote DoS that requires a manual reload is not a minor hiccup; it’s a production outage that can cascade into supply chain delays.

CISA recommends the usual defensive measures: isolate control system networks from the internet, use firewalls, and apply VPNs for remote access. But the real takeaway is that a CIP message - a protocol intrinsic to Rockwell’s ecosystem - can be weaponized. No known public exploitation as of the advisory date, but CVSS 8.7 under 4.0 metrics means the severity is high enough that exploit code will likely surface in public tooling sooner rather than later.

Anyone running these controllers on an exposed network needs to treat this advisory as a priority upgrade, not a routine patch cycle.

Source: Rockwell Automation Logix 5370 & 5570 Controllers Vulnerable To Denial of Service Via CIP
Domain: cisa.gov

Read original source ->

External source stays available while the OJO article and comment thread stay local.

More in Cybersecurity

view topic
Stack Overflow in Rockwell RSLinx Classic Opens Door to Remote Code Execution

CVE-2020-13573 scores 8.7 under CVSS 4.0 and impacts critical infrastructure sectors: manufacturing, energy, food/agriculture, and water/wastewater.

Critical Rockwell FLEX I/O Bug Lets Anyone Reset the Web Password via HTTP GET

CVE-2026-0647 scores a CVSS 9.4 - an unauthenticated attacker can change the embedded web server password with a single crafted HTTP GET request, gaining full control of the adapter.

Cloudflare DMARC Management GA Spots SPF Lookup Limits Before Email Breaks

New dashboard surfaces DMARC, SPF, DKIM, and BIMI record status in one view, and includes an SPF lookup audit that catches the silent 10-lookup limit before it causes permerror.

Anthropic's Fable 5 Shutdown Undercuts Cybersecurity Defense

Mozilla and Cloudflare used Anthropic's Mythos and Fable models to find hundreds of vulnerabilities. Now the US has blocked the models for all users.

Comments load interactively on the live page.