Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Single crafted CIP packet over the network with no auth or UI causes an unrecoverable controller crash - availability-only impact, hence A:H and C:N/I:N.
Primary rating from Vendor (Rockwell).
CVSS VectorVendor: Rockwell
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A denial of service security issue exists in the affected product. The security issue stems from a fault occurring when a crafted CIP message is sent. Devices with less memory are more likely to be affected. This can result in a major nonrecoverable fault (MNRF). A program download is required to recover.
AnalysisAI
Remote denial of service in Rockwell Automation CompactLogix and ControlLogix programmable automation controllers allows unauthenticated attackers on the network to crash the device by sending a single crafted Common Industrial Protocol (CIP) message. The fault produces a Major Non-Recoverable Fault (MNRF) that requires a full program download to recover, meaning an outage continues until an engineer physically intervenes. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.7 and OT impact make this a priority patch for affected plant floors.
Technical ContextAI
CompactLogix and ControlLogix are Rockwell Automation's flagship Allen-Bradley PAC/PLC families used to control industrial processes; both speak the Common Industrial Protocol (CIP) carried over EtherNet/IP (TCP/UDP 44818, UDP 2222). CWE-404 (Improper Resource Shutdown or Release) indicates the controller firmware fails to cleanly release or bound a resource while parsing or dispatching a malformed CIP message, exhausting memory or corrupting state on the controller's real-time OS. Rockwell explicitly notes that controllers with less RAM are more susceptible, which is consistent with a resource-exhaustion or out-of-memory crash path rather than a deterministic logic bug. The MNRF outcome is the controller's safety state when the kernel detects unrecoverable inconsistency, and clearing it requires re-downloading the user program from Studio 5000 - an inherently disruptive recovery on a production line.
RemediationAI
Patch available per vendor advisory - consult Rockwell SD1772 (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1772.html) for the fixed firmware revisions corresponding to each CompactLogix and ControlLogix catalog number and schedule an upgrade window, since firmware updates require the controller to be placed in Program mode. Where immediate patching is not feasible, restrict CIP/EtherNet/IP traffic (TCP/UDP 44818, UDP 2222) to known engineering workstations and HMIs using an industrial firewall or the controller's built-in CIP Security if licensed, accepting the trade-off that legitimate engineering tools outside the allowlist will lose connectivity. Enforce Purdue-model segmentation so that CompactLogix and ControlLogix devices are not reachable from the enterprise network or the internet, and disable any unused EtherNet/IP-facing modules. Treat Shodan-exposed controllers as an emergency: they should be removed from the public internet before any other mitigation, since a single packet causes an MNRF requiring on-site program download to restore.
Same weakness CWE-404 – Improper Resource Shutdown or Release
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37112
GHSA-mc6f-7cr6-6cwg