CISA Warns of Multiple Denial-of-Service Vulnerabilities in Rockwell Automation Industrial Controllers
CISA has issued a critical advisory detailing three buffer overflow vulnerabilities in Rockwell Automation's widely used CompactLogix, ControlLogix, Compact GuardLogix, and GuardLogix industrial controllers, which could lead to denial-of-service conditions.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a significant advisory highlighting multiple vulnerabilities affecting Rockwell Automation's industrial control systems (ICS). The vulnerabilities, identified as CVE-2025-12011, CVE-2025-12012, and CVE-2025-11698, are present in several product lines, including CompactLogix, ControlLogix, Compact GuardLogix, and GuardLogix controllers.
These vulnerabilities stem from a classic buffer overflow flaw, specifically a buffer copy without checking the size of the input. This weakness allows a remote attacker to potentially cause a denial-of-service (DoS) condition. The exploitation mechanism involves an attacker loading an invalid project file into the affected controller. Successful exploitation could cause the device to enter a major non-recoverable fault (MNRF), effectively halting operations.
The advisory lists a broad range of affected versions across multiple controller series. For the 5370 and 5570 series (CompactLogix, ControlLogix, Compact GuardLogix, and GuardLogix), versions up to V35.015 are impacted. For the 5380, 5480, and 5580 series (CompactLogix, ControlLogix, Compact GuardLogix, and GuardLogix), versions up to V34.012 and V35.011 are affected. Additionally, recovery images for these series up to version 1.072 are also vulnerable.
The potential impact of these vulnerabilities is severe, particularly for organizations relying on these Rockwell Automation products for critical infrastructure operations. A successful DoS attack could lead to significant operational disruptions, downtime, and potential financial losses. The CVSS v3.1 score for these vulnerabilities is rated as HIGH at 8.6, with a CVSS v4.0 score of 9.2 (CRITICAL), underscoring the urgency of remediation.
Rockwell Automation has provided specific remediation guidance. The company recommends updating affected controllers to newer versions. For the 5370/5380/5480/5570/5580 series, updates to V35.016, V36.011, or later are advised, depending on the specific product line. For recovery images, updating to boot firmware 1.072 or greater is recommended, with newer firmware versions (V36.013, V37.011, or later) already including the corrected boot firmware.
These vulnerabilities are categorized under CWE-120: Buffer Copy without Checking Size of Input. The widespread deployment of Rockwell Automation products in critical manufacturing sectors and across worldwide operations makes this advisory particularly concerning. The ability for an unauthenticated remote attacker to trigger a DoS condition without any user interaction (AV:N/AC:L/PR:N/UI:N) amplifies the risk.
Organizations utilizing these industrial controllers are strongly urged to review the CISA advisory and Rockwell Automation's recommendations promptly. Implementing the suggested updates is crucial to mitigate the risk of operational disruption and potential system compromise. The advisory also notes that these products are deployed in critical manufacturing sectors, emphasizing the potential impact on industrial operations.