CVE-2017-12090
Description
An exploitable denial of service vulnerability exists in the processing of snmp-set commands of the Allen Bradley Micrologix 1400 Series B FRN 21.2 and below. A specially crafted snmp-set request, when sent without associated firmware flashing snmp-set commands, can cause a device power cycle resulting in downtime for the device. An attacker can send one packet to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A specially crafted SNMP-set request to Allen Bradley Micrologix 1400 Series B (FRN ≤21.2) causes a device power cycle, leading to denial of service.
Vulnerability
The vulnerability resides in the SNMP-set processing of Allen Bradley Micrologix 1400 Series B programmable logic controllers running firmware versions FRN 21.2 and below. Setting the OID .1.3.6.1.4.1.95.2.3.1.1.1.1.0 to the integer 2 triggers an unscheduled device reboot, mimicking the initial step of a firmware update but without performing any flashing operations. This OID is normally used during legitimate firmware updates. Affected firmware versions include FRN 21.2, 21.0, and 15; versions 16.2 and below support both SNMPv1 and SNMPv2c, while version 21.0 and later only support SNMPv1 for this functionality [1].
Exploitation
An attacker must possess a privileged SNMP community string to send the malicious SNMP-set request. Notably, the backdoor community string 'wheel' (disclosed in CVE-2016-5645) can be used even if the administrator has changed the default 'private' string. The attacker sends a single SNMP packet (SNMPv1 or SNMPv2c depending on firmware) setting the target OID to 2. No additional authentication or user interaction is required beyond network access to the device [1].
Impact
Successful exploitation causes the device to immediately power cycle, resulting in a denial of service (downtime). The device reboots without loading new firmware, so it returns to normal operation after the reboot, but the interruption can disrupt industrial processes. No data confidentiality or integrity is compromised; only availability is affected [1].
Mitigation
As of the publication of the Talos advisory (2017-12-05), no firmware patch was available. Users should restrict SNMP access to trusted hosts via network segmentation and firewall rules, change community strings from defaults, and monitor for vendor updates from Rockwell Automation. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
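As an added example (not code from the Talos advisory or the vendor), here is a passive check that a network sensor could run on UDP/161 payloads to flag the SNMP-set described above. The function names, the `lab-rw` community string and the sample bytes are constructed for illustration.

```python
WATCH_OID = "1.3.6.1.4.1.95.2.3.1.1.1.1.0"   # OID named in the advisory text
SET_REQUEST = 0xA3                            # SNMP SetRequest-PDU tag
BACKDOOR = b"wheel"                           # community string from CVE-2016-5645
# Constructed sample: SNMPv1 SetRequest, placeholder community "lab-rw"
SAMPLE_SET = bytes.fromhex("302c020100" "04066c61622d7277" "a31f020101020100020100"
                           "30143012" "060d2b060104015f02030101010100" "020102")

def tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield the (tag, value) children of a BER constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        yield tag, val

def oid_str(raw):
    """Decode BER OID bytes to dotted form (normalises padded sub-identifiers)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def inspect(datagram):
    """Return [(community, used_backdoor_string)] per matching varbind; [] if none."""
    alerts = []
    try:
        _ver, (_, community), (pdu_tag, pdu) = children(tlv(datagram, 0)[1])
        if pdu_tag != SET_REQUEST:
            return alerts
        _rid, _err, _idx, (_, binds) = children(pdu)
        for _, bind in children(binds):
            (_, oid), (vtag, val) = children(bind)
            if vtag == 0x02 and int.from_bytes(val, "big") == 2 and oid_str(oid) == WATCH_OID:
                alerts.append((community.decode("latin-1"), community == BACKDOOR))
    except (ValueError, IndexError):
        return []                             # not parseable as SNMPv1/v2c
    return alerts
```

Any hit outside a scheduled firmware update window is worth investigating, and a hit with the second field set to `True` means the `wheel` community string was used.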
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= FRN 21.2
- Talos/Allen Bradley v5 Range: Allen Bradley Micrologix 1400 Series B FRN 21.2, Allen Bradley Micrologix 1400 Series B FRN 21.0, Allen Bradley Micrologix 1400 Series B FRN 15
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Incorrect behavior order: the device processes a firmware-flash SNMP OID set command and reboots even when no actual firmware flashing operations follow [CWE-696]."
Attack vector
An attacker sends a single SNMP-set request setting OID .1.3.6.1.4.1.95.2.3.1.1.1.1.0 to the integer value 2 [1]. This OID is normally set to 2 right before a firmware update reboot, but sending it alone (without the associated firmware-flashing commands) causes the device to reboot and power cycle, resulting in a denial of service [1]. The attack requires a privileged SNMP community string; however, the backdoor string 'wheel' (disclosed in CVE-2016-5645) can be used even if the 'private' string has been changed [1]. The vulnerability is exploitable over the network via SNMPv1 (and SNMPv2c on firmware versions 16.2 and below) [1].
Affected code
The vulnerability lies in the SNMP OID .1.3.6.1.4.1.95.2.3.1.1.1.1.0, which is used during firmware update operations on the Allen Bradley Micrologix 1400 Series B. The advisory does not specify a particular source file or function name, but identifies that the device processes this OID's value to trigger a reboot and enter a flashing state [1].
What the fix does
The advisory does not include a patch or specific remediation code. The vulnerability was disclosed to the vendor on 2017-09-22 and the report was publicly released on 2018-03-28 [1]. No fix details are provided in the advisory; users are advised to consult the vendor for firmware updates that correct the behavior order issue [1].
Preconditions
- network: Attacker must have network access to the target device's SNMP port (default 161)
- auth: Attacker must possess a privileged SNMP community string (e.g., 'wheel' backdoor or 'private')
- config: Target device must be an Allen Bradley Micrologix 1400 Series B with FRN 21.2 or below
- input: Attacker sends a single SNMP-set packet with OID .1.3.6.1.4.1.95.2.3.1.1.1.1.0 set to integer 2
Reproduction
The advisory provides two PoC methods [1]. Method 1: Use the snmpset command: `snmpset -c wheel -v 1
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] www.talosintelligence.com/vulnerability_reports/TALOS-2017-0442 (mitre, x_refsource_MISC)