Rockwell Automation CompactLogix and ControlLogix Vulnerabilities Lead to Denial-of-Service
Multiple Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix, and GuardLogix product versions are vulnerable to denial-of-service conditions through CVE-2025-12011, CVE-2025-12012, and CVE-2025-11698, which an attacker can exploit via buffer overflows by loading invalid project files or writing invalid data, causing controllers to enter a major non-recoverable fault.
CISA has released an advisory detailing critical denial-of-service (DoS) vulnerabilities (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) affecting numerous Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix, and GuardLogix controllers and their recovery images. These vulnerabilities, identified as buffer overflows (CWE-120), allow a remote malicious user to trigger a Major Non-Recoverable Fault (MNRF) by introducing specially crafted invalid project data or files. The affected products are widely deployed in Critical Manufacturing sectors globally. Successful exploitation can halt industrial processes, leading to significant operational disruption. Affected versions include CompactLogix 5370 <=V35.015, ControlLogix 5570 <=V35.015, CompactLogix 5380 <=V35.011, ControlLogix 5580 <=V35.011, and various associated recovery images <=1.072.
Attack Chain
- An attacker gains network access to the targeted Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix, or GuardLogix controller.
- The attacker crafts a malicious project file or invalid file data designed to trigger a buffer overflow.
- The attacker transmits the crafted invalid project file to the controller for loading (CVE-2025-12011).
- Alternatively, the attacker writes the invalid file data to the controller (CVE-2025-12012).
- The vulnerable controller attempts to process the malformed input, leading to a buffer overflow condition (CWE-120).
- The buffer overflow corrupts the controller's memory or state.
- The controller enters a Major Non-Recoverable Fault (MNRF) state.
- The controller ceases normal operation, resulting in a denial-of-service condition for the controlled industrial process.
Impact
Successful exploitation of these vulnerabilities leads directly to a denial-of-service condition within Rockwell Automation industrial control systems. When a controller enters a Major Non-Recoverable Fault (MNRF), it ceases operation, which can bring critical industrial processes to a halt. This directly impacts operational technology (OT) environments, potentially causing production downtime, equipment damage, safety hazards, and significant financial losses for organizations within Critical Manufacturing sectors worldwide. Given the widespread deployment of these controllers, a successful attack could have broad implications for industrial stability and supply chains.
Recommendation
- Patch CVE-2025-12011, CVE-2025-12012, and CVE-2025-11698 by updating affected Rockwell Automation products to the recommended fixed versions immediately.
- For CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570, and GuardLogix 5570, update to V35.016, V36.011, or later.
- For CompactLogix 5380, Compact GuardLogix 5380, CompactLogix 5480, ControlLogix 5580, and GuardLogix 5580, update to V34.014, V35.013, V36.011, or later.
- For Recovery Images, update to boot firmware 1.072 or greater; versions V36.013, V37.011, and later already include the corrected boot firmware.