OTPulse

Rockwell Automation ControlLogix PLC Vulnerabilities

Priority: Act Now | Source: ICS-CERT ICSA-13-011-03 | Oct 15, 2013
Summary

Multiple Rockwell Automation PLC controllers and EtherNet/IP network adapters contain vulnerabilities in the EtherNet/IP protocol implementation. The EtherNet/IP protocol allows unauthenticated access to PLC control functions. An attacker with network access to these devices can read program logic, modify controller parameters, upload/download code, or trigger operational commands without providing credentials. Affected products include ControlLogix (all versions), CompactLogix (all versions), GuardLogix (all versions), SoftLogix (version 18 and earlier), MicroLogix 1100/1400 (all versions), and various EtherNet/IP network interface modules (ENBT, EWEB, AENTR). CWEs involved are CWE-284 (improper access control), CWE-200 (exposure of sensitive information), CWE-20 (improper input validation), and CWE-294 (authentication bypass).

What this means
What could happen
An attacker with network access to these Rockwell Automation controllers could execute unauthorized commands, alter logic program contents, or gather sensitive operational data without needing credentials. This could result in unintended process state changes, equipment damage, or production disruption.
Who's at risk
Manufacturing facilities operating Rockwell Automation PLC controllers (ControlLogix, CompactLogix, GuardLogix, SoftLogix, or MicroLogix series) connected via EtherNet/IP networks should assess this risk. This affects any factory, water treatment plant, power distribution system, or other industrial facility using these controllers for process control or safety functions.
How it could be exploited
An attacker on the same network as a ControlLogix, CompactLogix, GuardLogix, or MicroLogix PLC could send crafted EtherNet/IP packets to the controller on EtherNet/IP port 2222 or port 44818. The EtherNet/IP protocol does not require authentication by default, so the attacker can interact directly with the PLC to read or modify ladder logic, change setpoints, or stop and start operations without any credentials.
Prerequisites
  • Network access to EtherNet/IP port 2222 or 44818 on the PLC
  • Device must be reachable from the attacker's network segment (same subnet or routed)
Tags: remotely exploitable; no authentication required; low complexity; high EPSS score (13.4%); no patch available; affects safety systems (GuardLogix); default network exposure (EtherNet/IP unencrypted)
Exploitability
High exploit probability (EPSS 13.4%)
Affected products (16)
1 pending, 15 EOL
Product | Affected Versions | Fix Status
EtherNet/IP products that conform to the CIP and EtherNet/IP specifications (vers:all/*) | All versions | No fix yet
1756-ENBT (vers:all/*) | All versions | No fix (EOL)
1756-EWEB (vers:all/*) | All versions | No fix (EOL)
1768-ENBT (vers:all/*) | All versions | No fix (EOL)
1768-EWEB (vers:all/*) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation: isolate PLC networks from corporate IT and untrusted networks using firewalls, VLANs, or industrial demilitarized zones (DMZ)
WORKAROUND: Restrict network access to EtherNet/IP ports (2222, 44818) to engineering workstations only; block inbound access from any other source using firewall rules
WORKAROUND: Disable EtherNet/IP if it is not required for operations; use serial or isolated communication instead
Mitigations - no patch available
The following products have reached End of Life with no planned fix: 1756-ENBT: vers:all/*, 1756-EWEB: vers:all/*, 1768-ENBT: vers:all/*, 1768-EWEB: vers:all/*, 1788-ENBT FLEXLogix adapter: vers:all/*, 1794-AENTR FLEX I/O EtherNet/IP adapter: vers:all/*, ControlLogix: vers:all/*, CompactLogix: vers:all/*, CompactLogix and SoftLogix controllers: <=19, GuardLogix: vers:all/*, SoftLogix: <=18, MicroLogix 1100: vers:all/*, MicroLogix 1400: vers:all/*, CompactLogix L32E and L35E controllers: vers:all/*, ControlLogix and GuardLogix controllers: <=20. Apply the following compensating controls:
HARDENING: Monitor EtherNet/IP traffic for unauthorized commands using network intrusion detection or packet inspection
HARDENING: Implement a zero-trust network architecture for all industrial control systems: authenticate and authorize every connection to PLCs
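As an added example that is not part of the advisory or of any Rockwell tooling, the following Python classifier implements the two compensating controls above (port restriction to engineering workstations and inspection of EtherNet/IP traffic): it decodes the EtherNet/IP encapsulation header on packets to the ports named in this advisory and flags session or data commands from any host outside an allow-list. The allow-list addresses and the sample packets are constructed for the demonstration.

```python
import struct

# EtherNet/IP encapsulation header (ODVA spec layout, little-endian): command,
# length, session handle, status, sender context (8 bytes), options.
HEADER = struct.Struct("<HHII8sI")
ENIP_COMMANDS = {0x0004: "ListServices", 0x0063: "ListIdentity", 0x0064: "ListInterfaces",
                 0x0065: "RegisterSession", 0x0066: "UnRegisterSession",
                 0x006F: "SendRRData", 0x0070: "SendUnitData"}
ENIP_PORTS = {2222, 44818}                       # ports named in the advisory
ALLOWED_CLIENTS = {"10.10.5.21", "10.10.5.22"}   # assumed engineering workstations (constructed)
# Session setup and CIP request carriers: commands an unknown host should never send to a PLC.
SESSION_OR_DATA = {"RegisterSession", "SendRRData", "SendUnitData"}

def parse_enip_header(payload: bytes):
    """Return (command_name, session_handle), or None if the header is malformed."""
    if len(payload) < HEADER.size:
        return None
    cmd, length, session, _status, _ctx, _opts = HEADER.unpack_from(payload)
    if length != len(payload) - HEADER.size:
        return None  # declared length disagrees with the bytes captured
    return ENIP_COMMANDS.get(cmd, f"Unknown(0x{cmd:04X})"), session

def classify_flow(src_ip: str, dst_port: int, payload: bytes):
    """Label one packet toward a PLC: ignore, malformed, allowed, discovery or unauthorized."""
    if dst_port not in ENIP_PORTS:
        return "ignore", None
    parsed = parse_enip_header(payload)
    if parsed is None:
        return "malformed", None
    name = parsed[0]
    if src_ip in ALLOWED_CLIENTS:
        return "allowed", name
    return ("unauthorized" if name in SESSION_OR_DATA else "discovery"), name

def register_session_packet() -> bytes:
    """Constructed RegisterSession request: protocol version 1, option flags 0."""
    body = struct.pack("<HH", 1, 0)
    return HEADER.pack(0x0065, len(body), 0, 0, b"\x00" * 8, 0) + body

# Constructed sample traffic toward the PLC: (source IP, destination port, raw bytes).
SAMPLE_FLOWS = [
    ("10.10.5.21", 44818, register_session_packet()),                        # engineering station
    ("192.168.1.77", 44818, register_session_packet()),                      # unknown host
    ("192.168.1.77", 44818, HEADER.pack(0x0063, 0, 0, 0, b"\x00" * 8, 0)),  # ListIdentity probe
    ("192.168.1.77", 44818, b"\x65\x00"),                                    # truncated header
    ("192.168.1.77", 80, b"GET / HTTP/1.1\r\n"),                             # not EtherNet/IP
]

def audit(flows=SAMPLE_FLOWS):
    """Return [(src_ip, label, command)] for every sampled packet; feed it packets from a tap."""
    return [(src, *classify_flow(src, port, data)) for src, port, data in flows]
```

In production the "unauthorized" and "malformed" labels would be raised as alerts from a span port or IDS feed, while "discovery" hits from unknown hosts are worth logging as reconnaissance against the segment.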