{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/controllogix-5580/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2025-12011"},{"id":"CVE-2025-12012"},{"id":"CVE-2025-11698"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CompactLogix 5370","Compact GuardLogix 5370","ControlLogix 5570","GuardLogix 5570","CompactLogix 5380","Compact GuardLogix 5380","CompactLogix 5480","ControlLogix 5580","GuardLogix 5580","CompactLogix 5380 Recovery Image","Compact GuardLogix 5380 Recovery Image","CompactLogix 5480 Recovery Image","ControlLogix 5580 Recovery Image","GuardLogix 5580 Recovery Image"],"_cs_severities":["medium"],"_cs_tags":["ics","scada","denial-of-service","critical-manufacturing","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Rockwell Automation"],"content_html":"\u003cp\u003eCISA has released an advisory detailing critical denial-of-service (DoS) vulnerabilities (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) affecting numerous Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix, and GuardLogix controllers and their recovery images. These vulnerabilities, identified as buffer overflows (CWE-120), allow a remote malicious user to trigger a Major Non-Recoverable Fault (MNRF) by introducing specially crafted invalid project data or files. The affected products are widely deployed in Critical Manufacturing sectors globally. Successful exploitation can halt industrial processes, leading to significant operational disruption. Affected versions include CompactLogix 5370 \u0026lt;=V35.015, ControlLogix 5570 \u0026lt;=V35.015, CompactLogix 5380 \u0026lt;=V35.011, ControlLogix 5580 \u0026lt;=V35.011, and various associated recovery images \u0026lt;=1.072.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains network access to the targeted Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix, or GuardLogix controller.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious project file or invalid file data designed to trigger a buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe attacker transmits the crafted invalid project file to the controller for loading (CVE-2025-12011).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker writes the invalid file data to the controller (CVE-2025-12012).\u003c/li\u003e\n\u003cli\u003eThe vulnerable controller attempts to process the malformed input, leading to a buffer overflow condition (CWE-120).\u003c/li\u003e\n\u003cli\u003eThe buffer overflow corrupts the controller's memory or state.\u003c/li\u003e\n\u003cli\u003eThe controller enters a Major Non-Recoverable Fault (MNRF) state.\u003c/li\u003e\n\u003cli\u003eThe controller ceases normal operation, resulting in a denial-of-service condition for the controlled industrial process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities leads directly to a denial-of-service condition within Rockwell Automation industrial control systems. When a controller enters a Major Non-Recoverable Fault (MNRF), it ceases operation, which can bring critical industrial processes to a halt. This directly impacts operational technology (OT) environments, potentially causing production downtime, equipment damage, safety hazards, and significant financial losses for organizations within Critical Manufacturing sectors worldwide. Given the widespread deployment of these controllers, a successful attack could have broad implications for industrial stability and supply chains.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2025-12011, CVE-2025-12012, and CVE-2025-11698 by updating affected Rockwell Automation products to the recommended fixed versions immediately.\u003c/li\u003e\n\u003cli\u003eFor CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570, and GuardLogix 5570, update to V35.016, V36.011, or later.\u003c/li\u003e\n\u003cli\u003eFor CompactLogix 5380, Compact GuardLogix 5380, CompactLogix 5480, ControlLogix 5580, and GuardLogix 5580, update to V34.014, V35.013, V36.011, or later.\u003c/li\u003e\n\u003cli\u003eFor Recovery Images, update to boot firmware 1.072 or greater; versions V36.013, V37.011, and later already include the corrected boot firmware.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T16:09:12Z","date_published":"2026-07-16T16:09:12Z","id":"https://feed.craftedsignal.io/briefs/2026-07-rockwell-automation-ics-dos/","summary":"Multiple Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix, and GuardLogix product versions are vulnerable to denial-of-service conditions through CVE-2025-12011, CVE-2025-12012, and CVE-2025-11698, which an attacker can exploit via buffer overflows by loading invalid project files or writing invalid data, causing controllers to enter a major non-recoverable fault.","title":"Rockwell Automation CompactLogix and ControlLogix Vulnerabilities Lead to Denial-of-Service","url":"https://feed.craftedsignal.io/briefs/2026-07-rockwell-automation-ics-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - ControlLogix 5580","version":"https://jsonfeed.org/version/1.1"}