CVE-2017-12089
Description
An exploitable denial of service vulnerability exists in the program download functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a device fault resulting in halted operations. An attacker can send an unauthenticated packet to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Allen Bradley Micrologix 1400 program download flaw allows unauthenticated DoS via crafted packet, halting device operations.
Vulnerability
A denial of service vulnerability exists in the program download functionality of Allen Bradley Micrologix 1400 Series B, firmware versions FRN 21.2, 21.0, and 15. The bug occurs when the device receives an Execute Command List packet during a standard download process without the accompanying download complete packet, causing the PLC to enter a fault state [1].
Exploitation
An unauthenticated attacker can send a specially crafted Execute Command List packet over EtherNet/IP (port 44818) to the target PLC. The device must be in the REMOTE keyswitch mode for the attack to succeed [1]. No prior authentication is required.
Impact
Successful exploitation forces the PLC to halt in the download state for approximately one minute, after which it transitions into a permanent fault state, resulting in denial of service (loss of operational capability) [1].
Mitigation
No fix has been publicly released for this vulnerability at the time of publication. Users should restrict network access to the affected devices, use firewalls to limit EtherNet/IP traffic to trusted sources, and monitor for unauthorized packets [1].
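One way to act on the monitoring advice above, as an added example that is not from the CVE record or the Talos advisory: a Python check that parses a captured EtherNet/IP payload from TCP port 44818 and flags the Execute Command List PCCC request (command 0x0F, function 0x88, as given on this page) when it comes from a host outside a trusted set. The encapsulation and CIP layout constants, the function names, the sample frame and the addresses are assumptions of this example; it handles one unconnected (SendRRData) request per payload.

```python
import struct

# Layout constants are from public EtherNet/IP and CIP documentation, not from this page.
SEND_RR_DATA = 0x006F       # encapsulation command for unconnected CIP requests
UNCONNECTED_ITEM = 0x00B2   # Common Packet Format item that carries the CIP message
EXECUTE_PCCC = 0x4B         # CIP service used to tunnel PCCC commands
# From the page: Execute Command List is PCCC command 0x0F, function 0x88.
EXEC_CMD_LIST = (0x0F, 0x88)

def pccc_cmd_fnc(frame: bytes):
    """Return (CMD, FNC) of a PCCC request in one EtherNet/IP frame, or None."""
    if len(frame) < 24:
        return None
    command, length = struct.unpack_from("<HH", frame, 0)
    body = frame[24:24 + length]
    if command != SEND_RR_DATA or len(body) < 8:
        return None
    (count,) = struct.unpack_from("<H", body, 6)   # after interface handle, timeout
    off = 8
    for _ in range(count):
        if off + 4 > len(body):
            return None
        item_type, item_len = struct.unpack_from("<HH", body, off)
        data = body[off + 4:off + 4 + item_len]
        off += 4 + item_len
        if item_type != UNCONNECTED_ITEM or len(data) < 2 or data[0] != EXECUTE_PCCC:
            continue
        p = 2 + 2 * data[1]       # skip service byte, path size and path words
        if p >= len(data):
            return None
        p += data[p]              # requestor ID block; its first byte is its own length
        if p + 5 > len(data):
            return None
        return data[p], data[p + 4]   # CMD, then STS (1) and TNS (2), then FNC
    return None

def untrusted_exec_cmd_list(packets, trusted):
    """packets: (src_ip, tcp_payload) pairs; trusted: set of allowed engineering hosts."""
    return [src for src, payload in packets
            if src not in trusted and pccc_cmd_fnc(payload) == EXEC_CMD_LIST]

# Constructed sample frame: zero session handle, PCCC header only, no command data.
SAMPLE = bytes.fromhex(
    "6f002200" "00000000" "00000000" "0000000000000000" "00000000"  # encapsulation header
    "0000000000000200" "00000000" "b2001200"    # handle, timeout, 2 items, null address
    "4b0220672401" "07000000000000" "0f00010088")   # CIP path, requestor ID, PCCC header

if __name__ == "__main__":
    print(untrusted_exec_cmd_list([("10.0.0.5", SAMPLE), ("10.0.0.9", SAMPLE)], {"10.0.0.5"}))
```
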
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= FRN 21.2
- Talos/Allen Bradley (v5). Range: Allen Bradley Micrologix 1400 Series B FRN 21.2, Allen Bradley Micrologix 1400 Series B FRN 21.0, Allen Bradley Micrologix 1400 Series B FRN 15
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing state-machine validation in the program download routine allows an incomplete download sequence to trigger a device fault."
Attack vector
An unauthenticated attacker on the network sends a single specially crafted EtherNet/IP packet containing the 'Execute Command List' command (PCCC function 0x88) to the PLC on TCP port 44818 [1]. The attacker must first register a CIP session and set the CPU to PROG mode (keyswitch must be in REMOTE position). By omitting the expected 'download complete' packet, the PLC enters a download state for one minute and then transitions into a permanent fault state, halting all operations [1]. No authentication is required beyond network access.
Affected code
The vulnerability resides in the program download routine of the Allen Bradley Micrologix 1400 Series B (FRN 21.2 and before). The device's firmware fails to properly handle an incomplete download sequence: it processes an 'Execute Command List' packet without requiring the corresponding 'download complete' packet [1].
What the fix does
The advisory does not provide a patch or vendor fix details [1]. The recommended remediation is to apply firmware updates from Rockwell Automation when they become available, and to mitigate exposure by restricting network access to the PLC (e.g., placing the device behind a firewall and disabling unused EtherNet/IP ports) [1]. No code-level fix is shown in the available materials.
Preconditions
- config: PLC keyswitch must be in REMOTE mode
- network: Attacker must have network access to TCP port 44818 on the PLC
- auth: No authentication required
- input: Attacker must send a crafted EtherNet/IP packet with the Execute Command List command
Reproduction
The Talos advisory includes a full Python proof-of-concept script [1]. The script connects to the PLC on TCP port 44818, registers a CIP session, sets the CPU to PROG mode, sends the Execute Command List packet (PCCC command 0x0F, function 0x88, with specific data bytes), and then closes the connection without sending a download complete packet. This causes the PLC to fault and halt operations [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] www.talosintelligence.com/vulnerability_reports/TALOS-2017-0441 (mitre, x_refsource_MISC)