<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>1756-ENBT V6.006 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/1756-enbt-v6.006/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 16:16:28 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/1756-enbt-v6.006/feed.xml" rel="self" type="application/rss+xml"/><item><title>Rockwell Automation Communication Modules Denial-of-Service Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-rockwell-automation-dos/</link><pubDate>Thu, 16 Jul 2026 16:16:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-rockwell-automation-dos/</guid><description>A denial-of-service vulnerability (CVE-2026-9653) in Rockwell Automation 1756-EN2, 1756-EN3, and 1756-ENBT communication modules, due to improper validation of CIP Implicit Connection packets, allows an unauthenticated network attacker to continuously disrupt device connections.</description><content:encoded><![CDATA[<p>CISA has issued an advisory regarding CVE-2026-9653, a denial-of-service vulnerability affecting Rockwell Automation 1756-EN2, 1756-EN3, and 1756-ENBT communication modules. This flaw stems from improper validation of Common Industrial Protocol (CIP) Implicit Connection packets. An unauthenticated attacker with network access can exploit this by sending specially crafted packets to the vulnerable modules, leading to a continuous disruption of device connections. Although connections will recover immediately after each disruption, persistent attacks can cause significant operational instability in industrial control systems. The vulnerability affects 1756-EN3 firmware versions up to V12.001, 1756-EN2 firmware versions up to V12.001, and 1756-ENBT firmware version V6.006. While no public exploitation has been reported at the time of the advisory, the vulnerability poses a high risk to critical manufacturing operations globally.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker establishes network access to the target Rockwell Automation 1756-EN2, 1756-EN3, or 1756-ENBT communication module.</li>
<li>The attacker crafts malicious Common Industrial Protocol (CIP) Implicit Connection packets designed to trigger the vulnerability.</li>
<li>The attacker sends these specially malformed packets across the network to the vulnerable module.</li>
<li>The communication module, due to improper validation of the integrity check value within the incoming packets, fails to process them correctly.</li>
<li>This malformed packet handling causes the communication module to enter a denial-of-service state, disrupting its active connections.</li>
<li>The attacker continues to send crafted packets, causing continuous disruption of device connections and instability in the industrial control system.</li>
<li>The final objective is to disrupt critical manufacturing processes by rendering the communication modules inoperable or unreliable.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-9653 could lead to a continuous denial-of-service condition affecting Rockwell Automation 1756-EN2, 1756-EN3, and 1756-ENBT communication modules. While device connections recover immediately after each disruption, an attacker can persistently send crafted packets, causing ongoing operational instability and intermittent loss of communication within critical industrial control systems. This could lead to disruptions in critical manufacturing sectors worldwide. No specific number of victims has been reported, but these modules are widely deployed globally.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Update Rockwell Automation 1756-EN3 modules to V12.002 or later to mitigate CVE-2026-9653.</li>
<li>Update Rockwell Automation 1756-EN2 modules to V12.002 or later to mitigate CVE-2026-9653.</li>
<li>Minimize network exposure for all control system devices, including Rockwell Automation 1756-ENBT (which has no patch for CVE-2026-9653), by ensuring they are not accessible from the internet. Log sources like <code>network_connection</code> and <code>firewall</code> can help monitor access attempts.</li>
<li>Isolate control system networks from business networks and place them behind firewalls.</li>
<li>For remote access, utilize Virtual Private Networks (VPNs) and ensure they are updated to the most current version available.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>industrial-control-systems</category><category>ics</category><category>ot</category><category>vulnerability</category><category>denial-of-service</category><category>rockwell-automation</category></item></channel></rss>