VYPR
Advisory · Published Jun 16, 2026 · 1 source

CISA Warns of Two DoS Vulnerabilities in Rockwell Automation CompactLogix Controllers

CISA disclosed two vulnerabilities in Rockwell Automation CompactLogix 5370 controllers that could allow unauthenticated denial-of-service attacks, urging updates to version V38.011.

CISA has disclosed two security vulnerabilities affecting Rockwell Automation CompactLogix 5370 L1, L2, and L3 programmable logic controllers (PLCs), warning that successful exploitation could allow unauthenticated attackers to cause denial-of-service (DoS) conditions. The advisory, published on June 16, 2026, covers controllers running firmware versions prior to V38.011 and highlights flaws in the Common Industrial Protocol (CIP) implementation and the controller's web interface.

The first vulnerability, tracked as CVE-2025-11694, carries a CVSS v3.1 base score of 7.5 (HIGH). It stems from missing validation of sequence numbers and source IP addresses in the controller's CIP implementation. An attacker can abuse exposed Connection IDs visible on the web interface to craft malicious CIP packets, triggering a minor fault that disrupts controller operations. The second flaw, CVE-2026-9307 (CVSS v3.1 score 5.3, MEDIUM), involves the exposure of CIP Connection IDs on the diagnostics webpage, which is accessible to any unauthenticated user on the network. This information leakage enables attackers to construct targeted DoS packets.
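The two checks that CVE-2025-11694 describes as missing can be applied off-box by a passive network sensor, which gives defenders a detection signal for spoofed or out-of-sequence packets on a known connection. The following is an added example, not code from CISA, Rockwell Automation or the advisory; the record schema, the 32-bit wrapping sequence counter, the loss window and the sample traffic are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SEQ_MOD = 2**32          # assumption: 32-bit sequence counter that wraps to 0
MAX_FORWARD_JUMP = 64    # assumption: gap tolerated for ordinary packet loss

@dataclass(frozen=True)
class CipRecord:
    """One connected CIP packet as decoded by a passive sensor (hypothetical schema)."""
    src_ip: str
    connection_id: int
    seq: int

class ConnectionMonitor:
    """Tracks each Connection ID and flags source or sequence inconsistencies."""
    def __init__(self):
        self._state = {}  # connection_id -> (pinned source IP, last accepted seq)

    def check(self, rec):
        """Return None if the packet is consistent, else an alert string."""
        if rec.connection_id not in self._state:
            # First sighting pins the originator (assumes monitoring began before any abuse).
            self._state[rec.connection_id] = (rec.src_ip, rec.seq)
            return None
        pinned_ip, last_seq = self._state[rec.connection_id]
        if rec.src_ip != pinned_ip:
            return f"source-mismatch conn=0x{rec.connection_id:08x} {rec.src_ip} != {pinned_ip}"
        delta = (rec.seq - last_seq) % SEQ_MOD  # wrap-safe forward distance
        if delta == 0 or delta > MAX_FORWARD_JUMP:  # replay, regression or large jump
            return f"sequence-anomaly conn=0x{rec.connection_id:08x} last={last_seq} got={rec.seq}"
        self._state[rec.connection_id] = (pinned_ip, rec.seq)
        return None

def scan(records):
    """Run every record through one monitor and collect the alerts in order."""
    monitor = ConnectionMonitor()
    return [alert for alert in map(monitor.check, records) if alert]

# Constructed sample traffic (documentation-range addresses, made-up Connection ID).
SAMPLE = [
    CipRecord("192.0.2.10", 0x00A1B2C3, 4294967294),
    CipRecord("192.0.2.10", 0x00A1B2C3, 4294967295),
    CipRecord("192.0.2.10", 0x00A1B2C3, 0),        # legitimate wrap-around
    CipRecord("192.0.2.99", 0x00A1B2C3, 1),        # same ID, different sender
    CipRecord("192.0.2.10", 0x00A1B2C3, 900000),   # far outside the loss window
    CipRecord("192.0.2.10", 0x00A1B2C3, 0),        # repeated sequence number
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE)))
```

Rejected packets do not advance the stored state, so one anomalous packet cannot shift the baseline for the legitimate originator.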

Both vulnerabilities were reported to CISA by Tyler Lentz of Idaho National Laboratory. The affected products are deployed worldwide in the Critical Manufacturing sector; Rockwell Automation is headquartered in the United States. The advisory notes that while the vulnerabilities are exploitable over the network with low complexity and no privileges required, they do not directly lead to data theft or system compromise beyond service disruption.

Rockwell Automation has released firmware version V38.011 to address both issues. Users can obtain the update through the Rockwell Automation Compatibility & Download Center. The company also published security advisory SD1776 with additional details. CISA recommends that organizations minimize network exposure for all control system devices, ensure they are not accessible from the internet, and isolate control system networks behind firewalls.

CISA has not reported active exploitation of these vulnerabilities in the wild, nor have they been added to the Known Exploited Vulnerabilities (KEV) catalog at this time. However, given the critical infrastructure context and the ease of exploitation (no authentication required), the agency urges prompt patching. The advisory also recommends using VPNs for remote access and following defense-in-depth strategies for industrial control systems.

This disclosure follows a pattern of increasing scrutiny on industrial control system (ICS) security, with CISA regularly publishing advisories for vulnerabilities in PLCs and other operational technology (OT) devices. The CompactLogix series is widely used in manufacturing environments, making timely patching essential to prevent production downtime or safety incidents.

Synthesized by Vypr AI