Rockwell Automation Micrologix 1100 and 1400 PLC Systems Vulnerabilities (Update A)
Act Now | 9.8 | ICS-CERT ICSA-15-300-03A | Jul 30, 2015
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Rockwell Automation Micrologix 1100 (Series A, B, versions ≤14.000) and Micrologix 1400 (Series A, B, versions ≤15.002) PLCs contain multiple memory corruption and code injection vulnerabilities (CWE-121, CWE-119, CWE-434, CWE-79, CWE-89). These flaws allow remote unauthenticated attackers to execute arbitrary code on the PLC. No firmware patches are planned by Rockwell Automation for these end-of-life products.
What this means
What could happen
An attacker could execute arbitrary code on Micrologix 1100 and 1400 PLCs, potentially altering process control logic, changing safety interlocks, or causing equipment shutdown. This affects any facility using these legacy controllers for critical manufacturing or utility operations.
Who's at risk
Manufacturing facilities and utilities using Rockwell Automation Micrologix 1100 or 1400 PLCs for critical process control, including packaging lines, pump stations, motor control, and safety logic. Any organization with these legacy controllers exposed to untrusted networks should prioritize mitigation.
How it could be exploited
An attacker with network access to the PLC could send specially crafted packets to trigger a buffer overflow or other memory corruption flaw (CWE-121, CWE-119). This would allow remote code execution without authentication, enabling the attacker to modify PLC memory and alter control logic or safety functions.
Prerequisites
- Network access to the PLC (typically port 502 for Modbus TCP or engineering port)
- No authentication required
Remotely exploitable | No authentication required | Low complexity attack | No patch available | High EPSS score (10.0%) | Affects industrial control logic
Exploitability
Moderate exploit probability (EPSS 10.0%)
Affected products (2)
2 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| Micrologix 1100 PLC Series A, B | ≤ 14.000 | No fix (EOL) |
| Micrologix 1400 PLC Series A, B | ≤ 15.002 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation to isolate Micrologix 1100/1400 PLCs from untrusted networks. Restrict access to port 502 and any engineering ports using firewall rules.
- HARDENING: Install inline protocol validation or intrusion detection on connections to these PLCs to monitor for exploitation attempts.
- WORKAROUND: Disable remote access and engineering connections to the PLC unless absolutely necessary. Require in-person or VPN-based engineering sessions only.
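One way to check that the segmentation and monitoring steps above are holding, shown as an added example rather than anything from the advisory or Rockwell Automation: a Python audit of firewall flow records that reports traffic reaching, or trying to reach, a PLC from outside the permitted engineering sources. The PLC addresses, the engineering VPN pool, the log format and the sample records are all constructed assumptions; only port 502 comes from the advisory.

```python
import ipaddress
from collections import Counter

# Constructed values, not from the advisory: PLC addresses, the engineering
# VPN pool and the flow-log format are assumptions for this example.
PLC_HOSTS = {ipaddress.ip_address(a) for a in ("10.20.0.11", "10.20.0.12")}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.5.0/28")]
WATCHED_PORTS = {502}  # port named in the advisory; add site engineering ports

# Constructed flow log: timestamp src dst proto dport action
SAMPLE_FLOWS = """\
2015-07-30T10:00:01Z 10.20.5.4 10.20.0.11 tcp 502 ACCEPT
2015-07-30T10:02:17Z 10.30.8.77 10.20.0.11 tcp 502 ACCEPT
2015-07-30T10:02:40Z 192.0.2.50 10.20.0.12 tcp 502 DROP
2015-07-30T10:03:05Z 10.30.8.77 10.20.0.12 tcp 80 ACCEPT
2015-07-30T10:04:00Z 10.30.8.77 10.40.0.9 tcp 502 ACCEPT
truncated line
"""

def audit_flows(text):
    """Return (line_no, verdict, src, dst, dport) for flows that reach, or try
    to reach, a PLC from outside the allowed engineering sources."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        try:
            _, src, dst, _proto, dport, action = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            # Malformed records are reported, never silently skipped.
            findings.append((line_no, "unparseable", None, None, None))
            continue
        if dst not in PLC_HOSTS or any(src in net for net in ALLOWED_SOURCES):
            continue
        if action != "ACCEPT":
            verdict = "blocked-attempt"      # firewall held; still worth an alert
        elif dport in WATCHED_PORTS:
            verdict = "segmentation-gap"     # untrusted source reached a watched port
        else:
            verdict = "unexpected-service"   # PLC reachable on a port off the watch list
        findings.append((line_no, verdict, str(src), str(dst), dport))
    return findings

def summarize(findings):
    """Count findings per verdict for a quick dashboard or ticket summary."""
    return Counter(f[1] for f in findings)

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

A "segmentation-gap" or "unexpected-service" finding means a firewall rule needs tightening, while "blocked-attempt" findings show which sources are probing the controllers.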
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Micrologix 1100 PLC Series A, B: <=14.000, Micrologix 1400 PLC Series A, B: <=15.002. Apply the following compensating controls:
- HARDENING: Evaluate replacement of end-of-life Micrologix 1100/1400 systems with newer Rockwell Automation PLC platforms that receive security updates.