Rockwell Automation MicroLogix 1400 SNMP Credentials Vulnerability
Priority: Act Now · Score: 7.3 · ICS-CERT ICSA-16-224-01 · May 15, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
MicroLogix 1400 controllers store SNMP credentials in cleartext, allowing an attacker with network access to the device to read sensitive configuration data. This affects all firmware versions of the MicroLogix 1400 series (1766-L32 variants). The vulnerability exists because SNMP community strings and other credentials are not encrypted in the device's configuration memory.
What this means
What could happen
An attacker with network access to a MicroLogix 1400 device could extract SNMP credentials from the device, potentially gaining read or read-write access to the controller and enabling manipulation of logic, setpoints, or monitoring capabilities. This could disrupt water treatment, electrical distribution, or other critical processes.
Who's at risk
Water treatment operators, electrical utilities, and any facility using Rockwell Automation MicroLogix 1400 PLCs for process control should be concerned. These controllers are commonly used in pump stations, water quality monitoring systems, and electrical distribution automation where SNMP-based remote monitoring is deployed.
How it could be exploited
An attacker on the network reaches the device over standard network protocols and reads the SNMP community strings that the controller holds in plaintext configuration memory; no authentication is needed for that read. With a read-write community string in hand, the attacker can then query the controller over SNMP or reconfigure its behavior. If the device was left on defaults such as 'public' and 'private', no extraction step is needed at all.
Prerequisites
- Network access to the SNMP agent on the MicroLogix 1400 (SNMP runs over UDP; queries use port 161, traps are sent to port 162)
- SNMP agent enabled on the target device
- No credentials or physical access: the stored community strings are readable over the network without authentication
Key facts:
- Remotely exploitable
- No authentication required for network access to memory
- No patch available from vendor
- High EPSS score (30.3%)
- Affects industrial control logic
- Default or weak SNMP credentials common in OT environments
Exploitability
High exploit probability (EPSS 30.3%)
Affected products (6)
All 6 are end of life (EOL).
Product        Affected versions          Fix status
1766-L32BWA    All versions (vers:all/*)  No fix (EOL)
1766-L32AWA    All versions (vers:all/*)  No fix (EOL)
1766-L32BXB    All versions (vers:all/*)  No fix (EOL)
1766-L32AWAA   All versions (vers:all/*)  No fix (EOL)
1766-L32BXBA   All versions (vers:all/*)  No fix (EOL)
1766-L32BWAA   All versions (vers:all/*)  No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable SNMP on MicroLogix 1400 devices unless it is actively required for network monitoring.
HARDENING: Implement network segmentation to restrict network access to MicroLogix devices; place them on isolated VLANs or behind firewalls with rules allowing only necessary engineering and monitoring traffic.
HARDENING: If SNMP must remain enabled, configure strong community strings (avoid defaults like 'public' and 'private') and restrict SNMP access to known management stations using firewall rules or device ACLs.
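To verify the community-string hardening in the step above, and to make concrete the SNMP exchange described under "How it could be exploited", the following added example builds a raw SNMPv1 GetRequest for sysDescr.0, parses the reply, and reports which default community strings an agent still answers to. It is not code from the advisory, ICS-CERT or Rockwell Automation: it uses only standard SNMPv1 BER encoding, the host address is a placeholder, and the reply produced by the stand-in agent is constructed, not captured from a MicroLogix. Send it from a permitted management station, since the firewall rule in the step above will (correctly) drop it from anywhere else.

```python
import socket

SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)      # sysDescr.0: any agent answers it
DEFAULT_COMMUNITIES = ("public", "private")    # defaults the hardening step says to drop

def _len(n):
    """BER definite length: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _int(v):  # INTEGER, minimal two's-complement encoding
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def _oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_get_request(community, oid=SYS_DESCR_0, request_id=1):
    """SNMPv1 message: SEQUENCE { version=0, community, GetRequest-PDU [0] }."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")                  # { OID, NULL }
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(packet):
    """Decode a one-varbind SNMPv1 GetRequest (0xA0) or GetResponse (0xA2)."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, pos = _read_tlv(msg, 0)               # version
    _, community, pos = _read_tlv(msg, pos)
    ptag, pdu, _ = _read_tlv(msg, pos)
    if ptag not in (0xA0, 0xA2):
        raise ValueError("unsupported PDU type 0x%02x" % ptag)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _, pos = _read_tlv(pdu, pos)             # error-index, unused here
    _, vbl, _ = _read_tlv(pdu, pos)
    _, vb, _ = _read_tlv(vbl, 0)
    _, _, pos = _read_tlv(vb, 0)                # OID; not decoded back to arcs
    vtag, val, _ = _read_tlv(vb, pos)
    return {"pdu": "GetRequest" if ptag == 0xA0 else "GetResponse",
            "community": community.decode(errors="replace"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "value": val.decode(errors="replace") if vtag == 0x04 else None}

def udp_exchange(host, packet, timeout=2.0):
    """Send one datagram to host:161; None on timeout (agents drop bad communities)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, 161))
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None

def audit_default_communities(host, exchange=udp_exchange):
    """Return the default community strings the agent at host still answers to."""
    answered = []
    for rid, community in enumerate(DEFAULT_COMMUNITIES, start=1):
        reply = exchange(host, build_get_request(community, request_id=rid))
        if reply is not None:
            resp = parse_snmp(reply)
            if resp["request_id"] == rid and resp["error_status"] == 0:
                answered.append(community)
    return answered

def fake_agent(host, packet):
    """Constructed stand-in for a controller left on 'public' (silent otherwise).
    Pass exchange=fake_agent to exercise the audit offline; exchange=udp_exchange
    (the default) talks to a real host."""
    req = parse_snmp(packet)
    if req["community"] != "public":
        return None
    varbind = _tlv(0x30, _oid(SYS_DESCR_0) + _tlv(0x04, b"constructed sysDescr"))
    pdu = _tlv(0xA2, _int(req["request_id"]) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, b"public") + pdu)
```

`audit_default_communities("192.0.2.10", exchange=fake_agent)` returns `['public']` against the stand-in; against a hardened device the real UDP exchange returns an empty list, because an SNMPv1 agent silently discards a request carrying an unknown community and the call times out. The request-id and error-status checks keep a stray or rejecting reply from being counted as a successful login.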
Schedule — requires maintenance window
No vendor patch exists for these devices (see Mitigations below), so the only changes to schedule are the configuration changes above; as with any change that may require a device reboot, plan for process interruption.
HARDENING: Monitor network traffic to and from MicroLogix devices for unauthorized SNMP queries and credential extraction attempts, e.g. SNMP from hosts other than the approved management stations, use of default community strings, and SNMP writes (SetRequest) to a controller.
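The monitoring step above is easiest to reason about as a small rule set run over SNMP records from a passive sensor on the OT segment. The following is an added example, not tooling from the advisory or from Rockwell Automation: the controller and management-station addresses, the CSV record layout, the three-string threshold for the guessing heuristic, and the log lines themselves are all assumptions constructed for the example. SNMPv1/v2c carry the community string in cleartext on the wire, which is what lets a sensor log it (and what lets an attacker sniff it).

```python
import csv
import io
from collections import defaultdict

# Assumed site inventory for the example: the PLCs being protected and the one
# management station allowed to poll them.  Replace with the real allow-list.
CONTROLLERS = {"10.20.0.11", "10.20.0.12"}
MGMT_STATIONS = {"10.1.5.20"}
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed SNMP records (what a passive sensor on the OT VLAN might export).
SAMPLE_LOG = """\
ts,src,dst,dport,community,pdu
2024-03-01T10:00:00Z,10.1.5.20,10.20.0.11,161,Wr!ngM0nit0r,GetRequest
2024-03-01T10:00:05Z,10.1.5.20,10.20.0.12,161,Wr!ngM0nit0r,GetNextRequest
2024-03-01T10:01:13Z,10.1.7.99,10.20.0.11,161,public,GetRequest
2024-03-01T10:01:14Z,10.1.7.99,10.20.0.11,161,private,GetRequest
2024-03-01T10:01:15Z,10.1.7.99,10.20.0.11,161,admin,GetRequest
2024-03-01T10:01:40Z,10.1.7.99,10.20.0.11,161,private,SetRequest
2024-03-01T10:02:00Z,10.1.5.20,10.20.0.11,161,public,GetRequest
2024-03-01T10:02:30Z,10.1.7.99,10.1.9.3,161,public,GetRequest
"""

def classify(rec, mgmt=MGMT_STATIONS):
    """Per-record findings for one SNMP request aimed at a controller."""
    findings = []
    if rec["src"] not in mgmt:
        findings.append("unauthorized-source")       # outside the station allow-list
    if rec["community"] in DEFAULT_COMMUNITIES:
        findings.append("default-community")         # still on 'public'/'private'
    if rec["pdu"] == "SetRequest":
        findings.append("write-attempt")             # monitoring never needs writes
    return tuple(findings)

def analyze(log_text, controllers=CONTROLLERS, mgmt=MGMT_STATIONS, guess_threshold=3):
    """Return per-record alerts plus sources that cycled through community strings."""
    alerts, tried = [], defaultdict(set)
    for rec in csv.DictReader(io.StringIO(log_text)):
        if rec["dst"] not in controllers or rec["dport"] != "161":
            continue                                 # not SNMP toward a PLC
        tried[rec["src"]].add(rec["community"])
        findings = classify(rec, mgmt)
        if findings:
            alerts.append((rec["ts"], rec["src"], rec["dst"], findings))
    # Several distinct strings from one source against the PLCs looks like guessing.
    guessing = {src: len(c) for src, c in tried.items() if len(c) >= guess_threshold}
    return {"alerts": alerts, "guessing": guessing}

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ts, src, dst, findings in result["alerts"]:
        print(ts, src, "->", dst, ", ".join(findings))
    for src, n in result["guessing"].items():
        print("community-guessing:", src, "tried", n, "distinct strings")
```

On the constructed log the rules flag every request from 10.1.7.99 (unauthorized source, default strings, one SetRequest) and also the approved station's own poll with 'public', which is the misconfiguration the hardening step says to remove. The last record is SNMP to a non-controller and is ignored, so the rule set stays scoped to the devices this advisory covers.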
Mitigations - no patch available
The following products have reached End of Life with no planned fix: 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32AWAA, 1766-L32BXBA, 1766-L32BWAA (all versions, vers:all/*). Apply the following compensating controls:
HARDENING: Plan long-term replacement or upgrade of MicroLogix 1400 controllers with newer firmware-updateable models that support encrypted credential storage.
CVEs (1)
API:
/api/v1/advisories/6b5511e4-6833-4658-865d-28b4b2c6fe86