Skip to main content

ControlLogix 5580 CVE-2026-9636

| EUVDEUVD-2026-43709 HIGH
Improper Check for Certificate Revocation (CWE-299)
2026-07-14 Rockwell GHSA-fvq9-7g3p-r5g2
8.2
CVSS 4.0 · Vendor: Rockwell
Share

Severity by source

Vendor (Rockwell) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

Network-reachable and unauthenticated (AV:N/PR:N) but AC:H because the attacker must hold a certificate under a revoked intermediate; the trust bypass yields confidentiality impact only (C:H, I:N/A:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Rockwell).

CVSS VectorVendor: Rockwell

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 16:03 vuln.today
CVE Published
Jul 14, 2026 - 15:11 cve.org
HIGH 8.2

DescriptionCVE.org

A security issue exists within CompactLogix® 5380, ControlLogix® 5580, and EN4 communication modules related to CIP Security certificate revocation handling. The security issue stems from the controller failing to properly reject certificates signed by an intermediate certificate that has been revoked via a Certificate Revocation List (CRL). This could allow a network-based attacker to establish a connection using a certificate that should be untrusted, potentially bypassing CIP Security protections.

AnalysisAI

Certificate revocation bypass in Rockwell Automation ControlLogix 5580, CompactLogix 5380, GuardLogix 5580, Compact GuardLogix 5380, and 1756-EN4TR (EN4) communication modules allows a network-based attacker to establish a CIP Security connection using a certificate whose issuing intermediate CA has been revoked. Because the controller does not honor the Certificate Revocation List (CRL) for a revoked intermediate, an attacker holding such a certificate can present it as trusted and bypass CIP Security authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain certificate under revoked intermediate CA
Delivery
Reach controller CIP Security interface over network
Exploit
Present certificate during CIP/TLS handshake
Execution
Controller skips CRL revocation check
Persist
Establish trusted CIP Security session
Impact
Bypass authentication protections

Vulnerability AssessmentAI

Exploitation Exploitation requires that CIP Security is enabled/configured on the target controller and that the attacker possesses a valid end-entity certificate whose signing intermediate CA has been revoked via a CRL - i.e., a certificate that chains to a now-untrusted intermediate. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N) frames this as network-reachable and unauthenticated but high-complexity: exploitation carries an explicit Attack Requirement (AT:P) and high complexity (AC:H) because the attacker must actually possess a certificate signed by a specific intermediate CA that was later revoked - a non-trivial precondition implying prior legitimate issuance or CA compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains an end-entity certificate signed by an intermediate CA that the operator has since revoked via CRL connects to a CompactLogix/ControlLogix controller over EtherNet/IP. Because the controller does not check the intermediate's revocation status, it accepts the certificate as trusted and the attacker establishes a CIP Security session that should have been rejected, bypassing intended authentication. …
Remediation Patch available per vendor advisory: apply the corrected firmware for the affected ControlLogix 5580, CompactLogix 5380, GuardLogix 5580, Compact GuardLogix 5380, and 1756-EN4TR products as documented in Rockwell Automation advisory SD1788 (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1788.html); the exact fixed firmware version is not stated in the available data and should be taken from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and inventory all instances of affected controllers (ControlLogix 5580, CompactLogix 5380, GuardLogix 5580, Compact GuardLogix 5380, 1756-EN4TR modules) and their network connectivity status. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9636 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy