VYPR advisory, published Jun 16, 2026 (1 source)

CISA Discloses Denial-of-Service Vulnerability in Rockwell Automation Logix 5370 and 5570 Controllers

CISA has disclosed CVE-2026-11317, a high-severity denial-of-service vulnerability in Rockwell Automation Logix 5370 and 5570 controllers that can cause a major nonrecoverable fault requiring a full program download to recover.

CISA has disclosed a new denial-of-service vulnerability affecting Rockwell Automation's CompactLogix 5370 and ControlLogix 5570 families of programmable logic controllers. Tracked as CVE-2026-11317 and carrying a CVSS v3.1 base score of 7.5 (High), the flaw lies in how the controllers release resources when processing crafted Common Industrial Protocol (CIP) messages. Successful exploitation triggers a major nonrecoverable fault (MNRF): the controller stops executing its program and stays faulted until a full program download restores it, so the loss of availability persists until an engineer intervenes rather than clearing on its own.

The vulnerability stems from improper resource shutdown or release (CWE-404) triggered when a specially crafted CIP packet is received; according to the advisory, controllers with less memory are more likely to be affected. The CVSS vector is network-based with low attack complexity and requires neither privileges nor user interaction, so any attacker who can reach the controller's CIP interface over the network can exploit it. The impact is confined to availability: the advisory reports no confidentiality or integrity compromise.

Affected products include CompactLogix 5370 versions up to and including 34.016, Compact GuardLogix 5370 versions up to 35.015, ControlLogix 5570 versions up to 35.015, and GuardLogix 5570 version 36.012. Rockwell Automation has released firmware updates to remediate the issue: CompactLogix 5370 users should update to version 34.016 or later, Compact GuardLogix 5370 to version 35.015 or later, ControlLogix 5570 to version 36.012 or later, and GuardLogix 5570 to version 37.011 or later. Note that, for the CompactLogix 5370 and Compact GuardLogix 5370 lines, the affected-version ceilings quoted here coincide with the versions named as fixed, so the exact boundary cannot be read from this summary; treat the vendor's security advisory SD1772, which provides full details, as authoritative when deciding whether a given controller needs the update.
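The practical first step after reading an advisory like this one is to run the fixed-version thresholds over an asset inventory and produce a list of controllers that still need the firmware update. The script below is an added example, not code from CISA, Rockwell Automation or advisory SD1772: it takes the "update to X or later" statements above as the boundary (a controller is flagged when its revision is older than the first fixed revision), uses a constructed inventory export, and assumes Logix firmware revisions are written as "major.minor" with numeric fields, the way the article quotes them. It also shows why revisions must be compared numerically rather than as strings, a mistake that would report a controller on an old 9.x revision as already patched.

```python
"""Firmware triage for CVE-2026-11317 against an asset inventory.

Added example: this is not code from CISA, Rockwell Automation or advisory
SD1772. The fixed-revision thresholds are the ones quoted in the article; the
inventory rows are constructed. Assumes Logix firmware revisions are written
"major.minor" with numeric fields (e.g. "34.016"), as the article quotes them.
"""

# First firmware revision that contains the fix, per product family, as stated
# in the article. SD1772 is authoritative if the vendor text differs.
FIXED_REVISION = {
    "CompactLogix 5370": (34, 16),
    "Compact GuardLogix 5370": (35, 15),
    "ControlLogix 5570": (36, 12),
    "GuardLogix 5570": (37, 11),
}

# Constructed inventory export: (asset tag, product family, firmware revision).
INVENTORY = [
    ("PLC-LINE1-01", "CompactLogix 5370", "33.011"),
    ("PLC-LINE1-02", "CompactLogix 5370", "34.016"),
    ("PLC-SAFETY-01", "Compact GuardLogix 5370", "35.014"),
    ("PLC-MAIN-01", "ControlLogix 5570", "35.015"),
    ("PLC-MAIN-02", "ControlLogix 5570", "36.012"),
    ("PLC-SAFETY-02", "GuardLogix 5570", "36.012"),
    ("PLC-LINE2-01", "ControlLogix 5580", "36.011"),  # family not covered by this advisory
    ("PLC-LINE2-02", "CompactLogix 5370", "9.010"),   # old firmware; a string compare would miss it
]


def parse_revision(text):
    """Turn '34.016' into the comparable tuple (34, 16).

    Comparing the raw strings is a classic triage bug: '9.010' > '34.016' as
    strings, so an old controller would be reported as patched.
    """
    major, minor = text.strip().split(".", 1)
    return (int(major), int(minor))


def needs_update(family, revision):
    """True if the controller runs firmware older than the first fixed revision.

    Returns None for families this advisory does not cover, so the caller can
    keep 'not in scope for CVE-2026-11317' separate from 'already fixed'.
    """
    fixed = FIXED_REVISION.get(family)
    if fixed is None:
        return None
    return parse_revision(revision) < fixed


def triage(inventory):
    """Split an inventory into controllers that must be updated, those at or
    above the fixed revision, and those outside the advisory's scope."""
    result = {"update": [], "fixed": [], "out_of_scope": []}
    for tag, family, revision in inventory:
        verdict = needs_update(family, revision)
        if verdict is None:
            result["out_of_scope"].append(tag)
        elif verdict:
            result["update"].append(tag)
        else:
            result["fixed"].append(tag)
    return result


if __name__ == "__main__":
    for bucket, tags in triage(INVENTORY).items():
        print(f"{bucket:13s} {', '.join(tags) or '-'}")
```

Feed it the family and revision columns of your real inventory export; the out_of_scope bucket is worth reviewing by hand, since it only means the family name did not match one of the four lines in this advisory, not that the controller is safe.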

CISA recommends that organizations minimize network exposure for all control system devices, ensuring they are not accessible from the internet. Control system networks should be located behind firewalls and isolated from business networks. When remote access is required, CISA advises using more secure methods such as Virtual Private Networks (VPNs), while noting that VPNs themselves may have vulnerabilities and should be kept updated. The agency also reminds organizations to perform proper impact analysis and risk assessment before deploying defensive measures.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. However, given the critical infrastructure sectors affected—primarily Critical Manufacturing—and the worldwide deployment of these controllers, the risk of targeted attacks remains significant. The vulnerability was reported to CISA by Rockwell Automation and was disclosed on June 16, 2026.

This disclosure follows a pattern of recent advisories from CISA targeting Rockwell Automation products, including a critical authentication bypass and DoS flaws in FLEX I/O adapters (CVE-2026-0647 and CVE-2026-0646) and a stack-based buffer overflow in RSLinx Classic (CVE-2020-13573). The cumulative effect underscores the importance of rigorous patch management and network segmentation in industrial control system environments, where unpatched vulnerabilities can lead to costly production downtime and safety risks.

Synthesized by Vypr AI