CISA Warns of Denial-of-Service Vulnerability in Rockwell Automation Communication Modules
CISA has issued a critical advisory for Rockwell Automation's 1756 communication modules, warning of a denial-of-service vulnerability that could disrupt industrial control systems.

CISA has released an urgent advisory detailing a critical denial-of-service (DoS) vulnerability affecting several Rockwell Automation communication modules used in industrial control systems (ICS). The vulnerability, identified as CVE-2026-9653, impacts the 1756-EN2, 1756-EN3, and 1756-ENBT modules, posing a significant risk to critical infrastructure sectors, particularly in manufacturing.
The core of the issue lies in the "Improper Validation of Integrity Check Value" within the modules' handling of CIP Implicit Connection packets. An unauthenticated attacker with network access can exploit this flaw by sending specially crafted packets. Successful exploitation would allow the attacker to disrupt device connections, leading to a denial-of-service condition. While the advisory notes that device connections will recover immediately after the disruption, repeated attacks could cause significant operational downtime and impact industrial processes.
The affected versions include Rockwell Automation 1756-EN3 and 1756-EN2 up to version V12.001, and the 1756-ENBT module at version V6.006. The Common Vulnerability Scoring System (CVSS) v3.1 base score for this vulnerability is 7.5 (High), with a CVSS v4.0 score of 8.7 (High), highlighting the severity of the potential impact. These modules are deployed worldwide across various critical manufacturing facilities.
Rockwell Automation has provided specific remediation guidance. For the 1756-EN3 and 1756-EN2 modules, the recommended action is to update to version V12.002. However, the advisory notes that the 1756-ENBT module is discontinued, and no fix is available for this specific product. This leaves facilities relying on the ENBT module with limited options beyond potential replacement or network segmentation.
CISA strongly advises organizations to implement defensive measures to mitigate the risk of exploitation. These recommendations include minimizing network exposure for all control system devices, ensuring they are not accessible from the internet, and locating ICS networks behind firewalls, isolating them from business networks. Secure remote access methods, such as updated VPNs, should be employed when necessary, with an understanding that VPNs are only as secure as the connected devices.
While no known public exploitation of CVE-2026-9653 has been reported to CISA at this time, the nature of ICS vulnerabilities means that proactive patching and robust network security practices are paramount. The advisory also reminds organizations to conduct thorough impact analyses and risk assessments before deploying any defensive measures.
This advisory underscores the ongoing challenges in securing legacy industrial control systems. The discontinuation of the ENBT module and the lack of a patch for it present a particular concern for organizations that have not yet migrated away from this hardware. The vulnerability, reported by Tyler Lentz of Idaho National Laboratory, serves as a reminder of the persistent threats targeting operational technology (OT) environments.