How can users mitigate the risks associated with these vulnerabilities?

Users are advised to update their CompactLogix 5370 controllers to firmware version V38.011, which addresses these vulnerabilities. Additionally, implementing network segmentation and restricting access to the controllers can further mitigate risks.

Why is it crucial to address these vulnerabilities promptly?

Exploitation of these vulnerabilities could lead to denial-of-service conditions, disrupting industrial operations and potentially causing significant financial and reputational damage. Prompt remediation is essential to maintain system integrity and operational continuity.

Critical Vulnerabilities in Rockwell Automation's CompactLogix 5370 Controllers: Immediate Action Required

Q: What are the specific vulnerabilities disclosed in Rockwell Automation's CompactLogix 5370 controllers?

The vulnerabilities include CVE-2025-11694, which involves improper validation in the CIP protocol leading to potential denial-of-service attacks, and CVE-2026-9307, where the web server exposes CIP Connection IDs to unauthenticated users, also potentially leading to denial-of-service conditions.

Recent disclosures reveal critical vulnerabilities in Rockwell Automation's CompactLogix 5370 controllers that could lead to denial-of-service attacks. Learn about the risks and necessary mitigation steps.

Published: June 16, 2026

Share this on:

Executive Summary

In June 2026, Rockwell Automation disclosed two critical vulnerabilities affecting its CompactLogix 5370 series controllers, specifically models L1, L2, and L3. The first vulnerability, CVE-2025-11694, involves improper validation of sequence numbers and source IP addresses in the CIP protocol, allowing attackers to exploit exposed Connection IDs to induce denial-of-service conditions. The second, CVE-2026-9307, pertains to the exposure of sensitive system information through the controller's web server, which reveals CIP Connection IDs to unauthenticated users, potentially leading to similar denial-of-service attacks. Both vulnerabilities have been addressed in firmware version V38.011, and users are strongly advised to update their systems accordingly. (rockwellautomation.com)

These vulnerabilities underscore the persistent risks in industrial control systems, particularly in critical manufacturing sectors. The disclosure highlights the necessity for continuous monitoring, timely patch management, and adherence to cybersecurity best practices to safeguard operational technology environments from potential disruptions.

Why This Matters Now

The recent disclosure of these vulnerabilities in Rockwell Automation's CompactLogix controllers highlights the ongoing threats to industrial control systems. Immediate attention is required to update affected systems to firmware version V38.011 to prevent potential exploitation leading to operational disruptions.

Attack Path Analysis

An attacker exploited vulnerabilities in Rockwell Automation CompactLogix 5370 controllers to cause a denial-of-service condition. The attack began with the discovery of exposed CIP Connection IDs via the controller's web server, leading to the construction of malicious packets that triggered a major nonrecoverable fault, requiring a restart to recover.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Medium

Lateral Movement

Lowinferred

Command & Control

Lowinferred

Exfiltration

High

Impact

High

Initial Compromise

Description

The attacker accessed the controller's web server to obtain exposed CIP Connection IDs without authentication.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2025-11694
CVSS 8.7
Improper validation of sequence numbers and source IP addresses in the CIP protocol allows attackers to perform denial-of-service attacks, resulting in a minor fault.
Affected Products:
Rockwell Automation CompactLogix 5370 L1 – < V38.011
Rockwell Automation CompactLogix 5370 L2 – < V38.011
Rockwell Automation CompactLogix 5370 L3 – < V38.011
Exploit Status:
no public exploit
References:
https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1776.html
CVE-2026-9307
CVSS 6.3
Exposure of CIP Connection IDs on the diagnostics webpage allows unauthenticated users to construct malicious packets, leading to denial-of-service.
Affected Products:
Rockwell Automation CompactLogix 5370 L1 – < V38.011
Rockwell Automation CompactLogix 5370 L2 – < V38.011
Rockwell Automation CompactLogix 5370 L3 – < V38.011
Exploit Status:
no public exploit
References:
https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1776.html

MITRE ATT&CK® Techniques

Impact

T1498

Network Denial of Service

Command and Control

T1071.001

Application Layer Protocol: Web Protocols

Discovery

T1083

File and Directory Discovery

Discovery

T1040

Network Sniffing

Execution

T1203

Exploitation for Client Execution

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

NIST SP 800-53 – Cryptographic Key Establishment and Management

Control ID: SC-12

The exposure of sensitive system information without proper validation indicates inadequate cryptographic key management practices.

PCI DSS 4.0 – Security Vulnerabilities Identification

Control ID: 6.4.1

The vulnerabilities in the CompactLogix controllers highlight a failure to identify and address security vulnerabilities in system components.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests deficiencies in the organization's cybersecurity policy, particularly in protecting against unauthorized access and data exposure.

DORA – ICT Risk Management Framework

Control ID: Article 5

The vulnerabilities indicate a lack of effective ICT risk management practices, as required under DORA's risk management framework.

CISA ZTMM 2.0 – Identity

Control ID: Pillar 1

The exposure of sensitive information to unauthorized users points to weaknesses in identity verification and access controls.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident reflects inadequate implementation of cybersecurity risk management measures as mandated by the NIS2 Directive.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Industrial Automation

Critical exposure as CompactLogix controllers are core industrial automation components; DoS vulnerabilities threaten production continuity and operational technology systems.

Automotive

Manufacturing lines using Rockwell CompactLogix PLCs face production disruption risks from network-accessible denial-of-service attacks exposing CIP connection vulnerabilities.

Food Production

Processing facilities dependent on CompactLogix controllers vulnerable to network-based DoS attacks that could halt critical food safety and production processes.

Oil/Energy/Solar/Greentech

Energy infrastructure using affected PLCs exposed to remote denial-of-service attacks through unvalidated CIP protocols, risking operational disruption and safety systems.

Sources

Rockwell Automation CompactLogixhttps://www.cisa.gov/news-events/ics-advisories/icsa-26-167-04
Verified

Rockwell Automation Security Advisory SD1776https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1776.html

Verified

Frequently Asked Questions

The vulnerabilities include CVE-2025-11694, which involves improper validation in the CIP protocol leading to potential denial-of-service attacks, and CVE-2026-9307, where the web server exposes CIP Connection IDs to unauthenticated users, also potentially leading to denial-of-service conditions.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to exploit vulnerabilities in the Rockwell Automation CompactLogix 5370 controllers, thereby reducing the potential blast radius of such attacks.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: Implementing Aviatrix CNSF would likely limit unauthorized access to the controller's web server, reducing the attacker's ability to exploit exposed CIP Connection IDs.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Aviatrix Zero Trust Segmentation would likely limit the attacker's ability to escalate privileges by restricting unauthorized interactions with the controller.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Aviatrix East-West Traffic Security would likely limit the attacker's ability to move laterally by restricting unauthorized communications between controllers.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Aviatrix Multicloud Visibility & Control would likely limit the attacker's ability to maintain command and control over compromised controllers by restricting unauthorized outbound communications.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate data by restricting unauthorized outbound traffic.

Impact (Mitigations)

Aviatrix Zero Trust CNSF would likely limit the overall impact of the attack by reducing the attacker's ability to exploit vulnerabilities and propagate within the network.

Impact at a Glance

Affected Business Functions

Industrial Process Control
Manufacturing Operations
Supply Chain Management

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $500,000

Data Exposure

No sensitive data exposure reported.

Recommended Actions

• Implement Zero Trust Segmentation to restrict unauthorized access to critical systems.
• Deploy Inline IPS (Suricata) to detect and prevent malicious packet transmissions.
• Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual activities.
• Apply Secure Hybrid Connectivity (DCE) to ensure secure communication channels.
• Regularly update and patch systems to mitigate known vulnerabilities.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Critical Vulnerabilities in Rockwell Automation's CompactLogix 5370 Controllers: Immediate Action Required

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2025-11694

Affected Products:

Exploit Status:

References:

CVE-2026-9307

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Network Denial of Service

Application Layer Protocol: Web Protocols

File and Directory Discovery

Network Sniffing

Exploitation for Client Execution

Potential Compliance Exposure

NIST SP 800-53 – Cryptographic Key Establishment and Management

PCI DSS 4.0 – Security Vulnerabilities Identification

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Identity

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Industrial Automation

Automotive

Food Production

Oil/Energy/Solar/Greentech

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads