
CompactLogix 5370 CVE-2025-11694

EUVD: EUVD-2025-210167 · HIGH
Improper Validation of Integrity Check Value (CWE-354)
2026-06-16 Rockwell GHSA-9r9c-rxhr-5hcg
8.7
CVSS 4.0 · Vendor: Rockwell

Severity by source

Vendor (Rockwell) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-reachable, unauthenticated CIP traffic with no UI; impact is a recoverable 'minor fault' (partial, temporary availability loss), so A:L and C/I:N.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Rockwell).

CVSS Vector (Vendor: Rockwell)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Jun 16, 2026 - 15:26 (vuln.today)

Description (CVE.org)

A security issue exists within 1769 CompactLogix controllers due to the missing validation of sequence numbers and source IP addresses in the CIP protocol. This allows an attacker to abuse the exposed Connection IDs visible on the web interface to perform denial-of-service attacks, resulting in a minor fault.

Analysis (AI)

Denial-of-service in Rockwell Automation 1769 CompactLogix 5370 controllers allows remote unauthenticated attackers to induce a minor fault on the PLC by abusing Connection IDs exposed via the device's web interface and sending forged CIP traffic. The CVSS 4.0 base score of 8.7 reflects high availability impact with no authentication or user interaction required, and no public exploit has been identified at time of analysis.

Technical Context (AI)

The 1769 CompactLogix 5370 is a programmable logic controller (PLC) family from Rockwell Automation used in industrial control systems. It communicates over the Common Industrial Protocol (CIP), typically encapsulated in EtherNet/IP on TCP/UDP 44818 and UDP 2222. The vulnerability is a CWE-354 (Improper Validation of Integrity Check Value) class flaw: the controller's CIP stack does not validate sequence numbers or source IP addresses on incoming traffic for established CIP connections, while the device's HTTP-accessible diagnostic web interface discloses the active Connection IDs. An attacker who can read these Connection IDs can craft CIP packets that the controller accepts as legitimate session traffic, allowing forged messages to disrupt the active connection.

Remediation (AI)

Patch availability is not explicitly stated in the provided input - consult Rockwell advisory SD1776 (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1776.html) for vendor-released firmware updates for the 1769 CompactLogix 5370 family. Until a patched firmware is applied, restrict access to the controller's embedded web interface by blocking HTTP/HTTPS to the device from any host that does not require diagnostic access (this removes the Connection ID disclosure that enables the attack but breaks browser-based diagnostics); segment the controller onto an isolated OT VLAN with strict IP allow-listing for CIP traffic on TCP/UDP 44818 and CIP class 1 I/O on UDP 2222; and deploy a CIP-aware industrial firewall or IDS (e.g., Cisco Cyber Vision, Claroty CTD, Dragos) to detect forged sequence numbers and source-IP mismatches on established CIP connections. Do not expose any CompactLogix interface to the internet.
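The two checks the controller omits (source IP and sequence number per Connection ID) can be applied passively on a monitoring port. The sketch below is an added example, not code from Rockwell or vuln.today. It assumes class 1 I/O frames on UDP 2222 that carry the EtherNet/IP Sequenced Address Item, binds each Connection ID to the first sender seen, and uses a hypothetical class name, jump threshold, and constructed sample traffic.

```python
import struct

SEQUENCED_ADDRESS_ITEM = 0x8002  # CPF address item: connection ID + sequence number
CONNECTED_DATA_ITEM = 0x00B1     # CPF data item carrying the I/O data

def parse_class1(payload):
    """Return (connection_id, sequence) from a class 1 I/O UDP payload, else None."""
    if len(payload) < 14:
        return None
    count, item_type, item_len = struct.unpack_from("<HHH", payload, 0)
    if count < 2 or item_type != SEQUENCED_ADDRESS_ITEM or item_len != 8:
        return None
    return struct.unpack_from("<II", payload, 6)

class CipConnectionMonitor:  # hypothetical name, not a vendor API
    def __init__(self, max_seq_jump=16):  # threshold is an assumption; tune per site
        self.state = {}  # connection_id -> (bound source IP, last accepted sequence)
        self.max_seq_jump = max_seq_jump

    def observe(self, src_ip, payload):
        parsed = parse_class1(payload)
        if parsed is None:
            return []
        conn_id, seq = parsed
        if conn_id not in self.state:  # assumption: first sender seen is legitimate
            self.state[conn_id] = (src_ip, seq)
            return []
        bound_ip, last_seq = self.state[conn_id]
        if src_ip != bound_ip:  # never let an unexpected sender move the state
            return [("source-ip-mismatch", conn_id, src_ip)]
        delta = (seq - last_seq) & 0xFFFFFFFF  # handles 32-bit wraparound
        if delta == 0 or delta > self.max_seq_jump:  # replayed, stale or far-ahead
            return [("sequence-anomaly", conn_id, seq)]
        self.state[conn_id] = (src_ip, seq)
        return []

def build_sample(conn_id, seq, data=b"\x01\x00\x00\x00"):
    """Constructed class 1 frame for the demo (not captured traffic)."""
    head = struct.pack("<HHHII", 2, SEQUENCED_ADDRESS_ITEM, 8, conn_id, seq)
    return head + struct.pack("<HH", CONNECTED_DATA_ITEM, len(data)) + data

def run_demo():
    conn = 0x1A2B3C4D  # constructed connection ID
    traffic = [("192.0.2.10", 100), ("192.0.2.10", 101), ("198.51.100.7", 102),
               ("192.0.2.10", 102), ("192.0.2.10", 5000), ("192.0.2.10", 103)]
    monitor, alerts = CipConnectionMonitor(), []
    for src_ip, seq in traffic:
        alerts += monitor.observe(src_ip, build_sample(conn, seq))
    return alerts

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In production the binding between Connection ID and peer address is better learned from the connection setup exchange than from the first data frame observed.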
