CVE-2025-11694

Vulnerability

A security issue exists in Rockwell Automation 1769 CompactLogix controllers (CompactLogix 5370 L1, L2, L3) running firmware version V36. The vulnerability stems from missing validation of sequence numbers and source IP addresses in the CIP protocol. An attacker can abuse Connection IDs exposed on the controller's web interface (a separate information disclosure issue, CVE-2026-9307) to craft malicious CIP packets. The affected catalog numbers are 1769-L1x, 1769-L2x, and 1769-L3x. [1]

Exploitation

An unauthenticated attacker with network access to the affected controller can exploit this vulnerability. The attacker first obtains the exposed Connection IDs from the controller's diagnostics webpage (leveraging CVE-2026-9307). Using these IDs, the attacker sends specially crafted CIP packets with invalid sequence numbers or spoofed source IP addresses to the controller, triggering the denial-of-service condition. No authentication or prior user interaction is required. [1]

Impact

Successful exploitation causes a denial-of-service condition, resulting in a minor fault on the controller. The controller may enter a faulted state, disrupting normal control operations. The CVSS 3.1 base score is 7.5 (High), and the CVSS 4.0 base score is 8.7 (High). The known exploited vulnerability (KEV) status is No. [1]

Mitigation

Rockwell Automation has released firmware version V38.011 to address this vulnerability. Users should upgrade affected CompactLogix 5370 controllers (all L1, L2, L3 variants) from firmware V36 to V38.011 or later. The corrected version was published as part of security advisory SD1776. No workarounds are documented; upgrading is the recommended mitigation. [1]