Rockwell Automation GuardLogix and ControlLogix controllers Vulnerable to Denial-Of-Service Attack

Vulnerability

A vulnerability exists in certain Rockwell Automation Logix controllers where processing a malformed Common Industrial Protocol (CIP) request can trigger a major non-recoverable fault (MNRF). The affected products include multiple versions of ControlLogix, CompactLogix, and other Logix family controllers. An attacker can exploit this by sending a specially crafted CIP message to the controller without requiring authentication or prior knowledge of the system configuration [1].

Exploitation

An attacker with network access to the affected controller can send a malformed CIP request over the network. No authentication, session, or user interaction is required. The attack does not require any special privileges and can be carried out over Ethernet/IP connections commonly used in industrial control networks [1].

Impact

Successful exploitation causes a major non-recoverable fault (MNRF) on the controller, leading to a denial-of-service (DoS) condition. The controller may stop executing the control program, requiring manual intervention or power cycling to restore normal operation. This can result in unplanned downtime and potential safety risks in critical infrastructure environments [1].

Mitigation

Rockwell Automation has released a product notice (ID 1613) with details on affected controller firmware versions and recommended mitigations. Users should update their controller firmware to the versions specified in the advisory. As a workaround, network segmentation and access controls (e.g., firewall rules, VPNs) can be used to limit exposure to trusted networks only. The vendor advisory is available after logging in to the Rockwell Automation support portal [1].