CVE-2017-12092
Description
An exploitable file write vulnerability exists in the memory module functionality of Allen Bradley Micrologix 1400 Series B FRN 21.2 and before. A specially crafted packet can cause a file write resulting in a new program being written to the memory module. An attacker can send an unauthenticated packet to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated file write vulnerability in Allen Bradley Micrologix 1400 memory module allows attackers to write arbitrary programs.
Vulnerability
The vulnerability exists in the memory module functionality of Allen Bradley Micrologix 1400 Series B firmware versions FRN 21.2 and before. When a memory module is installed, the PLC can be instructed to write its program to the module without authentication. An attacker can send a specially crafted unauthenticated packet to trigger a file write, resulting in a new program being written to the memory module. This affects Micrologix 1400 Series B FRN 15, 21.0, and 21.2 [1].
Exploitation
An attacker can send an unauthenticated packet over the network to the PLC's EtherNet/IP port (default 44818) to exploit this vulnerability. No authentication or user interaction is required. The attack has a CVSS attack complexity of High (AC:H) due to the need for correct network timing and knowledge of the specific protocol, but the proof-of-concept script demonstrates the steps [1].
Impact
Successful exploitation allows an attacker to write a new program to the memory module, which can be set to load on power-up. This can be leveraged to change device settings and flash new firmware, potentially leading to full compromise of the PLC's programming. The impact is limited to integrity, with CVSSv3 score 3.7 (Low) [1].
Mitigation
Rockwell Automation has not released a public patch as of the advisory date. Users should ensure the Micrologix 1400 is not directly accessible from untrusted networks, and use network segmentation and firewall rules to restrict access to the EtherNet/IP port. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= FRN 21.2
- Talos/Allen Bradley (v5), Range: Allen Bradley Micrologix 1400 Series B FRN 21.2; Allen Bradley Micrologix 1400 Series B FRN 21.0; Allen Bradley Micrologix 1400 Series B FRN 15
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authentication check on the 'store to EEPROM' PCCC command allows an unauthenticated attacker to write the PLC program to the memory module."
Attack vector
An attacker sends a specially crafted EtherNet/IP packet containing a PCCC command with function code 0x58 ("store to EEPROM") to the PLC on port 44818. No authentication is required. The attacker first registers a session, sets the CPU to program mode (function 0x80 with data 0x01), then sends the store-to-EEPROM instruction. This causes the PLC to write its current program to the memory module without any authorization check [1].
Affected code
The vulnerability resides in the memory module functionality of the Allen Bradley Micrologix 1400 Series B (FRN 21.2 and before). The device accepts an unauthenticated CIP/PCCC instruction (function code 0x58) that instructs the PLC to store its program to the installed memory module (EEPROM) [1].
What the fix does
No patch is provided in the bundle. The advisory recommends monitoring traffic to and from the Micrologix 1400 and implementing proper network segmentation to prevent unauthorized access. The advisory notes that simply disabling EtherNet/IP through RSLogix will not prevent this attack, as it uses a different technique from standard traffic [1].
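The traffic monitoring recommended above can key on the PCCC function codes this page names. The following is an added example, not code from the advisory or from Rockwell Automation: a passive check over one reassembled EtherNet/IP frame. It assumes standard unconnected (SendRRData) encapsulation and the usual Execute PCCC framing; the function names and the sample frame are constructed for illustration.

```python
import struct

ENIP_SEND_RR_DATA = 0x006F   # encapsulation command carrying unconnected CIP requests
CIP_EXECUTE_PCCC = 0x4B      # CIP service that tunnels a PCCC request
PCCC_CMD = 0x0F              # PCCC command byte named on this page
WATCHED_FNC = {0x58: "store to EEPROM", 0x80: "change CPU mode"}

def pccc_function(frame: bytes):
    """Return (fnc, data) for a PCCC 0x0F request in one EtherNet/IP frame, else None."""
    if len(frame) < 24:
        return None
    command, length = struct.unpack_from("<HH", frame, 0)
    body = frame[24:24 + length]
    if command != ENIP_SEND_RR_DATA or len(body) < 8:
        return None
    (item_count,) = struct.unpack_from("<H", body, 6)  # after interface handle + timeout
    pos = 8
    for _ in range(item_count):
        if pos + 4 > len(body):
            return None
        item_type, item_len = struct.unpack_from("<HH", body, pos)
        item = body[pos + 4:pos + 4 + item_len]
        pos += 4 + item_len
        if item_type != 0x00B2 or len(item) < 2 or item[0] != CIP_EXECUTE_PCCC:
            continue                      # not an unconnected-data item carrying PCCC
        off = 2 + 2 * item[1]             # skip service byte, path size, path words
        if off >= len(item):
            return None
        off += item[off]                  # requestor ID block; its length counts itself
        pccc = item[off:]                 # CMD, STS, TNS (2 bytes), FNC, data...
        if len(pccc) >= 5 and pccc[0] == PCCC_CMD:
            return pccc[4], pccc[5:]
    return None

def alert_for(frame: bytes):
    """Return an alert string when the frame carries a watched PCCC function."""
    hit = pccc_function(frame)
    if hit and hit[0] in WATCHED_FNC:
        return f"PCCC {WATCHED_FNC[hit[0]]} (FNC 0x{hit[0]:02X}) data={hit[1].hex()}"
    return None

# Constructed sample frame (zeroed session handle and requestor ID), not captured traffic.
SAMPLE = bytes.fromhex(
    "6f002600" + "00" * 20               # encapsulation header: SendRRData, 38-byte body
    + "00000000" "0000" "0200"           # interface handle, timeout, item count
    + "00000000" "b2001600"              # null address item, unconnected data item header
    + "4b0220672401" "07000000000000"    # Execute PCCC service + path, requestor ID
    + "0f00010058" "01000000")           # PCCC: CMD, STS, TNS, FNC 0x58, data
```

Connected messaging (SendUnitData) and TCP stream reassembly are outside this sketch; a deployed sensor would also alert on the source address when it is not a known engineering workstation.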
Preconditions
- config: A memory module must be physically installed in the Micrologix 1400 PLC
- network: Attacker must have network access to the PLC's EtherNet/IP port (default 44818)
- auth: No authentication or prior knowledge of credentials is required
Reproduction
The advisory includes a full Python proof-of-concept script. The attacker runs the script against the target PLC IP address (default port 44818). The script connects, registers a session, sets the CPU to program mode, then sends a PCCC instruction with command 0x0F, function 0x58, and data "\x01\x00\x00\x00" to store the program to the memory module [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] www.talosintelligence.com/vulnerability_reports/TALOS-2017-0444 (mitre, x_refsource_MISC)