Executive Summary
In January 2026, Rockwell Automation disclosed multiple vulnerabilities in its ArmorStart® LT motor control devices, specifically models 290D, 291D, and 294D running firmware up to and including V2.002. The vulnerabilities, tracked as CVE-2025-9464 through CVE-2025-9466 and CVE-2025-9279 through CVE-2025-9283 (five of which are detailed below), are all denial-of-service conditions: fuzzing of CIP classes, Achilles grammar and storm tests, Defensics fuzzing, and active scanning with tools such as Burp Suite leave the device's CIP port unresponsive or force an unexpected reboot. Achilles and Defensics are commercial protocol-robustness test suites; the point of the advisory is that the device fails under traffic any attacker who can reach its EtherNet/IP port can reproduce, and EtherNet/IP carries no authentication that would stop them. (rockwellautomation.com)
The affected devices are widely used in the critical manufacturing sector worldwide. At the time of disclosure no fixed firmware was available. Rockwell Automation recommends security best practices to reduce the risk: minimizing network exposure, placing the devices behind firewalls so that only the controller and engineering hosts that need them can reach their EtherNet/IP port, and using secure remote access methods such as VPNs. (rockwellautomation.com)
Why This Matters Now
The disclosure underscores the need for robust network security around industrial control systems, especially in manufacturing, where operational continuity is paramount. Because no fix was available at disclosure, the recommended mitigations are the only control currently available, and organizations must implement them proactively to prevent disruptions and keep their operations resilient.
Attack Path Analysis
An attacker who can reach the ArmorStart® LT device's EtherNet/IP port sends malformed or high-rate CIP packets, triggering a denial-of-service condition. The device either stops answering on its CIP port or reboots unexpectedly; during a reboot the Link State Monitor goes down for several seconds and the motor starter loses connectivity to its controller. The advisory describes no code execution or privilege escalation; the impact is availability only.
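The following is an added example, not Rockwell's code or part of the original page. It shows the detection logic a monitoring point in front of these devices would run: it checks each EtherNet/IP encapsulation header for the malformations a fuzzer produces (unknown command, declared length that does not match the data, non-zero options), counts request storms per source, and flags CIP traffic from hosts outside an allowlist. The packet records, the allowlist and the burst threshold are constructed for illustration; a real deployment would feed it from a capture or firewall log.

```python
"""Detect the traffic patterns behind the ArmorStart LT CIP denial-of-service
CVEs: malformed EtherNet/IP encapsulation headers (fuzzing), request storms
and CIP traffic from hosts that should never talk to a motor starter.

Added example, not Rockwell's code. Packet records, allowlist and the burst
threshold are constructed/assumed for illustration.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass

ENIP_PORT = 44818  # EtherNet/IP explicit messaging (TCP and UDP)
# Encapsulation commands defined by the EtherNet/IP specification.
KNOWN_COMMANDS = {
    0x0000,  # NOP
    0x0004,  # ListServices
    0x0063,  # ListIdentity
    0x0064,  # ListInterfaces
    0x0065,  # RegisterSession
    0x0066,  # UnRegisterSession
    0x006F,  # SendRRData (unconnected CIP)
    0x0070,  # SendUnitData (connected CIP)
    0x0072,  # IndicateStatus
    0x0073,  # Cancel
}
# 24-byte encapsulation header: command, length, session handle, status,
# sender context (8 bytes), options. All little-endian.
HEADER = struct.Struct("<HHIIQI")


@dataclass
class Packet:
    src: str
    dst_port: int
    ts: float
    payload: bytes


def header_problems(payload: bytes) -> list:
    """Return the ways in which an encapsulation header is malformed."""
    if len(payload) < HEADER.size:
        return ["short_header"]
    cmd, length, _session, _status, _context, options = HEADER.unpack_from(payload)
    problems = []
    if cmd not in KNOWN_COMMANDS:
        problems.append("unknown_command")
    if length != len(payload) - HEADER.size:   # declared vs actual data length
        problems.append("length_mismatch")
    if options != 0:                           # options must be zero per spec
        problems.append("nonzero_options")
    return problems


def detect(packets, allowed_sources, burst_limit=20, window=1.0):
    """Return unique (src, reason) alerts in order of first detection.

    burst_limit packets or more to the CIP port from one source inside
    `window` seconds is treated as a storm (threshold is an assumption).
    """
    alerts, seen = [], set()
    recent = defaultdict(list)   # src -> timestamps inside the sliding window

    def alert(src, reason):
        if (src, reason) not in seen:
            seen.add((src, reason))
            alerts.append((src, reason))

    for p in sorted(packets, key=lambda q: q.ts):
        if p.dst_port != ENIP_PORT:
            continue
        if p.src not in allowed_sources:
            alert(p.src, "unexpected_source")
        for problem in header_problems(p.payload):
            alert(p.src, problem)
        stamps = recent[p.src]
        stamps.append(p.ts)
        while stamps and stamps[0] < p.ts - window:
            stamps.pop(0)
        if len(stamps) >= burst_limit:
            alert(p.src, "burst")
    return alerts


def make_enip(cmd, data=b"", length=None, options=0):
    """Build an encapsulation frame; `length` can be set wrong to mimic a fuzzer."""
    declared = len(data) if length is None else length
    return HEADER.pack(cmd, declared, 0, 0, 0, options) + data


# Constructed sample traffic (not a real capture).
SAMPLE_TRAFFIC = [
    # Engineering station opening a session: a well-formed RegisterSession.
    Packet("10.1.1.10", ENIP_PORT, 0.00, make_enip(0x0065, b"\x01\x00\x00\x00")),
    # Fuzzer: bogus command and a length field that does not match the data.
    Packet("10.1.1.99", ENIP_PORT, 0.10, make_enip(0x7777, b"\x00" * 8, length=0x1234)),
    # Unrelated HTTP traffic on another port, ignored by the detector.
    Packet("10.1.1.10", 80, 0.30, b"GET / HTTP/1.1\r\n\r\n"),
]
# Storm: 25 NOP frames from the same rogue host within 250 ms.
SAMPLE_TRAFFIC += [
    Packet("10.1.1.99", ENIP_PORT, 0.20 + i * 0.01, make_enip(0x0000)) for i in range(25)
]
ENGINEERING_HOSTS = {"10.1.1.10"}   # assumed allowlist

if __name__ == "__main__":
    for src, reason in detect(SAMPLE_TRAFFIC, ENGINEERING_HOSTS):
        print(f"{src}: {reason}")
```

The header checks are deliberately cheap so they can run inline on a span port or a CIP-aware firewall; the burst threshold should be tuned from a baseline of the controller's normal polling rate, since a legitimate scanner-class controller can send many frames per second to a starter.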
Kill Chain Progression
Initial Compromise
Description
The attacker sends specially crafted or high-volume CIP packets to the ArmorStart® LT device's EtherNet/IP port, exploiting vulnerabilities that leave the device unresponsive or force it to reboot.
Related CVEs
CVE-2025-9464
CVSS 8.7
A security issue in ArmorStart® LT allows an attacker to cause a denial-of-service condition by fuzzing multiple CIP classes, rendering the CIP port unresponsive.
Affected Products:
Rockwell Automation ArmorStart LT 290D – <=V2.002
Rockwell Automation ArmorStart LT 291D – <=V2.002
Rockwell Automation ArmorStart LT 294D – <=V2.002
Exploit Status: no public exploit
CVE-2025-9465
CVSS 8.7
A vulnerability in ArmorStart® LT can lead to a denial-of-service condition where the device reboots unexpectedly during Achilles Comprehensive grammar tests, causing the Link State Monitor to go down for several seconds.
Affected Products:
Rockwell Automation ArmorStart LT 290D – <=V2.002
Rockwell Automation ArmorStart LT 291D – <=V2.002
Rockwell Automation ArmorStart LT 294D – <=V2.002
Exploit Status: no public exploit
CVE-2025-9466
CVSS 8.7
ArmorStart® LT is susceptible to a denial-of-service condition where the device reboots unexpectedly during Achilles EtherNet/IP and CIP grammar tests, causing the Link State Monitor to go down for several seconds.
Affected Products:
Rockwell Automation ArmorStart LT 290D – <=V2.002
Rockwell Automation ArmorStart LT 291D – <=V2.002
Rockwell Automation ArmorStart LT 294D – <=V2.002
Exploit Status: no public exploit
CVE-2025-9279
CVSS 8.7
A vulnerability in ArmorStart® LT can result in a denial-of-service condition where the device reboots unexpectedly during Achilles EtherNet/IP Step Limit Storm tests, causing the Link State Monitor to go down for several seconds.
Affected Products:
Rockwell Automation ArmorStart LT 290D – <=V2.002
Rockwell Automation ArmorStart LT 291D – <=V2.002
Rockwell Automation ArmorStart LT 294D – <=V2.002
Exploit Status: no public exploit
CVE-2025-9280
CVSS 8.7
ArmorStart® LT is vulnerable to a denial-of-service condition where fuzzing performed using Defensics causes the device to become unresponsive, requiring a reboot.
Affected Products:
Rockwell Automation ArmorStart LT 290D – <=V2.002
Rockwell Automation ArmorStart LT 291D – <=V2.002
Rockwell Automation ArmorStart LT 294D – <=V2.002
Exploit Status: no public exploit
MITRE ATT&CK® Techniques
Endpoint Denial of Service (Enterprise, T1499)
Network Denial of Service (Enterprise, T1498)
Denial of Service (ICS, T0814)
Loss of Control (ICS, T0827)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Denial of Service Protection
Control ID: SC-5
NIST SP 800-53 – Boundary Protection
Control ID: SC-7
NIST SP 800-53 – Flaw Remediation
Control ID: SI-2
NIST SP 800-53 – System Monitoring
Control ID: SI-4
NIST SP 800-53 – Contingency Plan
Control ID: CP-2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Industrial Automation
Denial of service against ArmorStart LT motor starters creates severe availability risks for the production lines and manufacturing processes they drive across automated facilities.
Automotive
Manufacturing operations that depend on Rockwell Automation motor starters face production disruption from network-reachable denial-of-service attacks on these devices.
Oil/Energy/Solar/Greentech
Energy infrastructure that uses ArmorStart LT motor controls is exposed to network-based attacks that reboot equipment and cause operational downtime in power generation facilities.
Utilities
Power distribution and water treatment systems that employ the vulnerable motor control devices risk service interruption from remotely triggerable denial-of-service conditions affecting public infrastructure.
Sources
- CISA ICS Advisory ICSA-26-029-02, Rockwell Automation ArmorStart LT: https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-02
- Rockwell Automation Security Advisory SD1768: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html
- NVD, CVE-2025-9464: https://nvd.nist.gov/vuln/detail/CVE-2025-9464
Cloud Native Security Fabric (CNSF) Mitigations and Controls
The CVEs in this advisory are availability faults in a plant-floor device; the advisory describes no privilege escalation, lateral movement, command-and-control or data exfiltration component. Network controls therefore help in one way: by limiting which hosts can reach the device's EtherNet/IP port at all. Aviatrix Zero Trust CNSF is relevant in that role, enforcing segmentation and identity-aware routing between enterprise or cloud networks and the OT segment and so reducing the number of hosts from which a fuzzing or storm attack could be launched.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Segmentation and identity-aware routing would limit which hosts can send CIP traffic to the device, reducing the blast radius of an attack.
Control: Zero Trust Segmentation
Mitigation: Strict access controls would keep a compromised enterprise or cloud host from reaching the OT segment where the device sits; the advisory describes no privilege escalation on the device itself.
Control: East-West Traffic Security
Mitigation: Would constrain lateral movement from a compromised host toward the OT segment, which is the route an attacker needs in order to reach the CIP port.
Control: Multicloud Visibility & Control
Mitigation: Continuous visibility of flows toward OT segments can surface unexpected sources of CIP traffic; the advisory describes no command-and-control channel.
Control: Egress Security & Policy Enforcement
Mitigation: Egress policy is a general hardening control; it does not address these CVEs, which involve no data exfiltration.
Impact at a Glance
Affected Business Functions
- Manufacturing Operations
- Production Control Systems
Estimated downtime: 3 days (site estimate; the advisory gives no figure)
Estimated loss: $50,000 (site estimate; the advisory gives no figure)
Recommended Actions
Key Takeaways & Next Steps
- Segment the network so that each ArmorStart LT's EtherNet/IP port (TCP/UDP 44818, plus UDP 2222 for implicit I/O) is reachable only from the controller and engineering hosts that need it, and block it at the OT boundary firewall.
- Deploy an ICS-aware IDS/IPS that understands EtherNet/IP and CIP and can flag malformed encapsulation headers, unknown CIP classes or services, and request storms; generic IT signatures will not recognize this traffic.
- No fixed firmware was available at disclosure. Track Rockwell advisory SD1768 and CISA ICSA-26-029-02 and apply firmware newer than V2.002 to the 290D, 291D and 294D units as soon as it is released.
- Do not point active scanners, fuzzers or protocol-robustness suites (Burp Suite active scanning, Achilles, Defensics) at production ArmorStart LT units: the advisory documents that these tools are exactly what triggers the outage. Run such assessments only against spare units in a lab.
- Monitor and log CIP traffic to these devices and alert on unexpected source hosts, malformed frames and bursts, and on Link State Monitor drops or unexpected reboots, which are the observable symptoms of an attack.
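To find out which units need the mitigations above, a practitioner first needs an inventory of EtherNet/IP devices and their firmware revisions. The following is an added example, not Rockwell's or the page's code: it builds a standard ListIdentity request, decodes the CIP Identity item each device returns, and flags ArmorStart LT 290D/291D/294D units at or below V2.002. It assumes that firmware "V2.002" corresponds to CIP Identity revision major 2, minor 2, that the product-name string contains the model number, and that identity state 3 means operational; the reply bytes used for the demonstration are constructed to show the field layout, not captured from a device.

```python
"""Decode EtherNet/IP ListIdentity replies to inventory devices on a segment
and flag ArmorStart LT 290D/291D/294D units at or below firmware V2.002.

Added example, not Rockwell's code. Assumed: "V2.002" maps to identity
revision (2, 2); the product name contains the model number; state 3 is
operational. The sample reply is constructed, not captured.
"""
import ipaddress
import socket
import struct

LIST_IDENTITY = 0x0063
CIP_IDENTITY_ITEM = 0x000C
ROCKWELL_VENDOR_ID = 1            # ODVA vendor ID for Rockwell Automation / Allen-Bradley
AFFECTED_MODELS = ("290D", "291D", "294D")
MAX_AFFECTED_REVISION = (2, 2)    # V2.002 per SD1768 (mapping assumed)
ENCAP = struct.Struct("<HHII8sI")  # command, length, session, status, context, options


def build_list_identity_request(context: bytes = b"\x00" * 8) -> bytes:
    """A ListIdentity request is a bare 24-byte encapsulation header."""
    return ENCAP.pack(LIST_IDENTITY, 0, 0, 0, context, 0)


def parse_list_identity(reply: bytes) -> list:
    """Return one dict per CIP Identity item found in a ListIdentity reply."""
    cmd, length, _session, status, _context, _options = ENCAP.unpack_from(reply, 0)
    if cmd != LIST_IDENTITY or status != 0 or len(reply) != ENCAP.size + length:
        raise ValueError("not a well-formed ListIdentity reply")
    (item_count,) = struct.unpack_from("<H", reply, ENCAP.size)
    offset, devices = ENCAP.size + 2, []
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from("<HH", reply, offset)
        body = reply[offset + 4 : offset + 4 + item_len]
        offset += 4 + item_len
        if item_type != CIP_IDENTITY_ITEM:
            continue
        # body: protocol version (2) | sockaddr_in, big-endian (16) | identity fields
        (port,) = struct.unpack_from(">H", body, 4)
        ip = ipaddress.IPv4Address(body[6:10])
        vendor, dev_type, code, major, minor, dev_status, serial, name_len = \
            struct.unpack_from("<HHHBBHIB", body, 18)
        name = body[33:33 + name_len].decode("ascii", "replace")
        devices.append({
            "ip": str(ip), "port": port, "vendor": vendor, "device_type": dev_type,
            "product_code": code, "revision": (major, minor), "status": dev_status,
            "serial": serial, "product_name": name, "state": body[33 + name_len],
        })
    return devices


def is_affected(device: dict) -> bool:
    """True for Rockwell ArmorStart LT 290D/291D/294D at or below V2.002."""
    return (device["vendor"] == ROCKWELL_VENDOR_ID
            and any(model in device["product_name"] for model in AFFECTED_MODELS)
            and device["revision"] <= MAX_AFFECTED_REVISION)


def discover(broadcast="255.255.255.255", timeout=2.0):
    """Send one ListIdentity broadcast to UDP/44818 and decode every reply.

    A single request per sweep is ordinary discovery traffic; do not point
    scanners or fuzzers at these devices, since that is the attack itself."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_list_identity_request(), (broadcast, 44818))
        try:
            while True:
                data, _peer = s.recvfrom(4096)
                found.extend(parse_list_identity(data))
        except socket.timeout:
            pass
    return found


def make_identity_reply(ip, name, major, minor, vendor=ROCKWELL_VENDOR_ID,
                        product_code=0, device_type=0, serial=0x1234, state=3):
    """Construct a ListIdentity reply (layout per the spec; values are made up)."""
    name_b = name.encode("ascii")
    item = struct.pack("<H", 1)   # encapsulation protocol version
    item += struct.pack(">HH4s8s", 2, 44818, ipaddress.IPv4Address(ip).packed, b"\x00" * 8)
    item += struct.pack("<HHHBBHIB", vendor, device_type, product_code,
                        major, minor, 0, serial, len(name_b))
    item += name_b + bytes([state])
    data = struct.pack("<HHH", 1, CIP_IDENTITY_ITEM, len(item)) + item
    return ENCAP.pack(LIST_IDENTITY, len(data), 0, 0, b"\x00" * 8, 0) + data


if __name__ == "__main__":
    sample = make_identity_reply("192.168.10.21", "ArmorStart LT 291D", 2, 2)
    for dev in parse_list_identity(sample):
        print(dev["ip"], dev["product_name"], "V%d.%03d" % dev["revision"],
              "AFFECTED" if is_affected(dev) else "ok")
```

Run `discover()` from a host inside the OT segment (a broadcast will not cross the boundary firewall that the mitigations above put in place, which is itself a useful check) and pass each decoded device to `is_affected`. Match on product name and revision rather than on hard-coded product codes, since the page does not give the codes for the three models.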

