Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable and unauthenticated (AV:N/PR:N) but AC:H because the attacker must hold a certificate under a revoked intermediate; the trust bypass yields confidentiality impact only (C:H, I:N/A:N).
Primary rating from Vendor (Rockwell).
CVSS VectorVendor: Rockwell
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A security issue exists within CompactLogix® 5380, ControlLogix® 5580, and EN4 communication modules related to CIP Security certificate revocation handling. The security issue stems from the controller failing to properly reject certificates signed by an intermediate certificate that has been revoked via a Certificate Revocation List (CRL). This could allow a network-based attacker to establish a connection using a certificate that should be untrusted, potentially bypassing CIP Security protections.
AnalysisAI
Certificate revocation bypass in Rockwell Automation ControlLogix 5580, CompactLogix 5380, GuardLogix 5580, Compact GuardLogix 5380, and 1756-EN4TR (EN4) communication modules allows a network-based attacker to establish a CIP Security connection using a certificate whose issuing intermediate CA has been revoked. Because the controller does not honor the Certificate Revocation List (CRL) for a revoked intermediate, an attacker holding such a certificate can present it as trusted and bypass CIP Security authentication. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that CIP Security is enabled/configured on the target controller and that the attacker possesses a valid end-entity certificate whose signing intermediate CA has been revoked via a CRL - i.e., a certificate that chains to a now-untrusted intermediate. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N) frames this as network-reachable and unauthenticated but high-complexity: exploitation carries an explicit Attack Requirement (AT:P) and high complexity (AC:H) because the attacker must actually possess a certificate signed by a specific intermediate CA that was later revoked - a non-trivial precondition implying prior legitimate issuance or CA compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who obtains an end-entity certificate signed by an intermediate CA that the operator has since revoked via CRL connects to a CompactLogix/ControlLogix controller over EtherNet/IP. Because the controller does not check the intermediate's revocation status, it accepts the certificate as trusted and the attacker establishes a CIP Security session that should have been rejected, bypassing intended authentication. … |
| Remediation | Patch available per vendor advisory: apply the corrected firmware for the affected ControlLogix 5580, CompactLogix 5380, GuardLogix 5580, Compact GuardLogix 5380, and 1756-EN4TR products as documented in Rockwell Automation advisory SD1788 (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1788.html); the exact fixed firmware version is not stated in the available data and should be taken from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and inventory all instances of affected controllers (ControlLogix 5580, CompactLogix 5380, GuardLogix 5580, Compact GuardLogix 5380, 1756-EN4TR modules) and their network connectivity status. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-299 – Improper Check for Certificate Revocation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43709
GHSA-fvq9-7g3p-r5g2