Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, low-complexity, no auth/interaction per vendor; availability-only impact with scope change since the controller fault propagates to the controlled physical process.
Primary rating from Vendor (Rockwell).
CVSS VectorVendor: Rockwell
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A denial-of-service issue exists in 5370/5570 controllers. This vulnerability could potentially allow a remote user to load an invalid project, causing the device to enter a major non-recoverable fault (MNRF).
AnalysisAI
Remote denial-of-service in Rockwell Automation CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570, and GuardLogix 5570 controllers allows a remote user to push a malformed project file that forces the controller into a Major Non-Recoverable Fault (MNRF), halting the controlled process until manual recovery. The CVSS 4.0 score of 9.2 reflects high availability impact on both the controller and the downstream physical process (VA:H/SA:H) with no authentication or user interaction required per the vendor vector. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the loss of a safety-rated (GuardLogix) controller makes availability the dominant concern.
Technical ContextAI
The affected devices are Allen-Bradley Logix-family programmable automation controllers (PACs) used in industrial control and safety instrumented systems; the GuardLogix variants are SIL-rated safety controllers. The CPE (cpe:2.3:a:rockwell_automation:...compactlogix®_5370...guardlogix®_5570) confirms the CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570, and GuardLogix 5570 lines. The vendor-supplied tag and CWE-120 (Classic Buffer Overflow / buffer copy without checking input size) indicate that parsing of an untrusted or malformed 'project' download overruns a fixed-size buffer in the controller firmware, corrupting execution state and triggering the controller's fail-safe MNRF condition rather than achieving code execution.
RemediationAI
Consult Rockwell advisory SD1781 (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1781.html) for the fixed firmware revisions and upgrade the affected CompactLogix/ControlLogix/GuardLogix controllers to the vendor-patched version; the exact fix version is not present in the provided data, so treat this as 'patch available per vendor advisory' and verify the target revision against SD1781 before flashing. Because firmware upgrades on safety controllers require an outage and revalidation, apply compensating controls in the interim: restrict CIP/EtherNet-IP access to the controllers so only engineering workstations on a trusted OT subnet can perform project downloads (block the controller's programming path from IT and untrusted networks via firewall/ACL and CIP Security where supported), set the controller keyswitch to RUN to block remote mode changes and downloads where the process allows, and monitor for unexpected project download or connection attempts. Trade-off: keyswitch-in-RUN and download restrictions will block legitimate remote programming and require physical/on-site access for engineering changes.
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210461
GHSA-m6r3-j7p8-mpv6