Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400

Plan PatchCVSS 9.8ICS-CERT ICSA-17-115-04Apr 25, 2017

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Rockwell Automation MicroLogix 1100 and 1400 controllers (models 1766-L32BXB, 1763-L16AWA, 1766-L32AWA, 1766-L32BXBA, 1766-L32BWA, 1763-L16BWA, 1763-L16DWD, 1763-L16BBB, 1766-L32AWAA, 1766-L32BWAA—Series A and B, all firmware versions <= 16.00) contain multiple authentication and data exposure flaws. An attacker with network access can connect to the PLC without credentials and read sensitive information (CWE-200, CWE-521), modify control parameters, or stop operations. The vulnerabilities stem from weak credential handling (CWE-307), lack of encryption (CWE-323), and improper security (CWE-343). Rockwell has not released patches and designates these products as end-of-life.

What this means

What could happen

An attacker with network access to these PLCs can read sensitive data, modify control logic or setpoints, and stop operations—potentially disrupting water flow control, pressure regulation, or electrical distribution systems.

Who's at risk

Water authorities and municipal utilities using Rockwell Automation MicroLogix 1100 or 1400 controllers for process control (e.g., pump stations, pressure regulation, filtration systems) are affected. Any facility relying on these PLCs for critical operations should be considered at risk, since no firmware fix is available.

How it could be exploited

An attacker on your network can connect directly to the PLC on its native Ethernet port and send unauthenticated commands to read memory, extract ladder logic, modify program parameters, or execute commands without providing valid credentials.

Prerequisites

Network access to Ethernet port on the PLC (typically port 502 or 2222)
No valid credentials required
Attacker must be able to reach the PLC IP address from network segment where it resides

Remotely exploitableNo authentication requiredLow complexity attackNo patch available (end-of-life product)Affects critical control logicHigh CVSS score (9.8)

Exploitability

Some exploitation risk — EPSS score 3.5%

Affected products (10)

10 EOL

ProductAffected VersionsFix Status

1766-L32BXB Series A and B:≤ 16.00No fix (EOL)

1763-L16AWA Series A and B:≤ 16.00No fix (EOL)

1766-L32AWA Series A and B:≤ 16.00No fix (EOL)

1766-L32BXBA Series A and B:≤ 16.00No fix (EOL)

1766-L32BWA Series A and B:≤ 16.00No fix (EOL)

1763-L16BWA Series A and B:≤ 16.00No fix (EOL)

1763-L16DWD Series A and B:≤ 16.00No fix (EOL)

1763-L16BBB Series A and B:≤ 16.00No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGIsolate affected MicroLogix 1100 and 1400 controllers on a dedicated, air-gapped OT network segment with strict access controls

WORKAROUNDDeploy a firewall rule blocking all inbound connections to the PLC Ethernet port from the corporate network or any untrusted segment; allow only engineering workstation IPs that require access

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGImplement network monitoring to detect unauthorized connection attempts to affected PLC ports

HARDENINGDocument all engineering workstations and applications that communicate with these PLCs; restrict network access to only those sources

CVEs (5)

CVE-2017-7901 CVE-2017-7902 CVE-2017-7899 CVE-2017-7898 CVE-2017-7903

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/645e0700-8cca-42e2-abfb-618188556d12

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.