OTPulse

Rockwell Automation PowerFlex 525 AC Drives

Monitor · CVSS 7.5 · ICS-CERT ICSA-19-087-01 · Mar 28, 2019
Attack vector: Network
Auth required: None
Complexity: Low
User interaction: None needed
Summary

The PowerFlex 525 AC Drives with embedded EtherNet/IP and Safety contain a vulnerability in their handling of CIP (Common Industrial Protocol) messages that can lead to resource exhaustion, memory corruption, and denial of service. A remote, unauthenticated attacker can send malformed messages to the drive over the network, causing the firmware to exhaust memory or processing resources so that the drive stops responding to legitimate commands. Firmware versions 5.001 and earlier are affected.

What this means
What could happen
An attacker could flood the PowerFlex 525 drive with malformed CIP messages over EtherNet/IP, exhausting its memory or processing resources and causing the drive to stop responding. This would halt the motor or machine the drive controls until the drive is manually reset or power-cycled.
Who's at risk
Energy sector operators running PowerFlex 525 AC Drives with embedded EtherNet/IP and Safety capabilities should be aware of this vulnerability. This includes facility managers and engineers responsible for motors, pumps, compressors, and other critical equipment driven by these variable frequency drives in power generation, water treatment, oil/gas, and other energy infrastructure.
How it could be exploited
An attacker with network access to port 44818 (EtherNet/IP encapsulation and explicit CIP messaging) or port 2222 (EtherNet/IP implicit I/O) can send specially crafted messages to the drive. No authentication is required. The messages trigger resource exhaustion in the drive's firmware, leading to denial of service.
Prerequisites
  • Network access to PowerFlex 525 drive on TCP or UDP port 2222 or 44818
  • No credentials or authentication required
  • The drive must be reachable from the attacker's network segment (e.g., not behind a properly configured firewall)
Tags: Remotely exploitable · No authentication required · Low complexity · Affects critical motor control equipment · Denial of service / operational stoppage
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product: PowerFlex 525 AC Drives with embedded EtherNet/IP and Safety
Affected versions: ≤ 5.001
Fix status: No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Block or restrict inbound traffic to TCP and UDP ports 2222 and 44818 (EtherNet/IP/CIP) at the firewall, allowing only known authorized engineering workstations or control system subnets.
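One way to confirm that the port restriction is actually holding is to audit the firewall's accept log for EtherNet/IP flows to the drives from sources outside the allowlist. The following Python is an added example, not code from OTPulse or Rockwell; the key=value log line format, the allowlisted subnets, the drive addresses and the sample lines are all constructed for illustration and must be adapted to the real firewall's output.

```python
"""Added example: audit firewall accept logs for EtherNet/IP flows to drives from unlisted sources."""
import ipaddress
import re

ENIP_PORTS = {2222, 44818}   # ports named in the advisory's workaround

# Constructed allowlist (engineering workstation subnet and one HMI host) and drive addresses;
# none of these come from the advisory.
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.20.5.0/24"), ipaddress.ip_network("10.20.9.10/32")]
DRIVES = {ipaddress.ip_address("192.168.10.25"), ipaddress.ip_address("192.168.10.26")}

# Assumed key=value firewall log format; adapt the regex to the real firewall's syntax.
LINE_RE = re.compile(r"\b(?P<action>ACCEPT|DROP)\b.*?proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)"
                     r"\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def parse_flow(line: str):
    """Return the fields of one log line, or None if the line is not a flow record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"action": m["action"], "proto": m["proto"].lower(),
            "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"])}


def is_authorized(src) -> bool:
    """True if the source address falls inside one of the allowlisted networks."""
    return any(src in net for net in AUTHORIZED_SOURCES)


def audit(lines) -> list:
    """Accepted flows to a drive's EtherNet/IP ports whose source is outside the allowlist."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f is None or f["action"] != "ACCEPT":
            continue
        if f["dst"] not in DRIVES or f["dport"] not in ENIP_PORTS:
            continue
        if not is_authorized(f["src"]):
            findings.append((str(f["src"]), str(f["dst"]), f["proto"], f["dport"]))
    return findings


# Constructed sample log lines (not real firewall output)
SAMPLE_LOG = [
    "2019-03-28T10:15:02Z fw1 ACCEPT proto=tcp src=10.20.5.17 dst=192.168.10.25 dport=44818",
    "2019-03-28T10:15:03Z fw1 ACCEPT proto=udp src=10.20.5.17 dst=192.168.10.25 dport=2222",
    "2019-03-28T10:16:40Z fw1 ACCEPT proto=tcp src=172.16.40.88 dst=192.168.10.25 dport=44818",
    "2019-03-28T10:16:41Z fw1 DROP proto=udp src=203.0.113.9 dst=192.168.10.26 dport=44818",
    "2019-03-28T10:16:55Z fw1 ACCEPT proto=udp src=203.0.113.9 dst=192.168.10.26 dport=44818",
    "2019-03-28T10:17:00Z fw1 ACCEPT proto=tcp src=172.16.40.88 dst=192.168.10.25 dport=443",
    "2019-03-28T10:17:05Z fw1 ACCEPT proto=tcp src=172.16.40.88 dst=192.168.10.99 dport=44818",
]

if __name__ == "__main__":
    for src, dst, proto, dport in audit(SAMPLE_LOG):
        print(f"unlisted source {src} reached drive {dst} on {proto}/{dport}")
```

Each finding is a source that the firewall rule should have blocked but did not; dropped flows and traffic to other ports or other hosts are ignored so the output stays focused on the exposure the advisory describes.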
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Download and install the latest firmware version for PowerFlex 525 AC Drives from Rockwell Automation (available at https://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?Keyword=25B&crumb=112).
HARDENING: If applicable, consult the PowerFlex 525 product documentation for hardware key-switch settings or other features that can restrict unauthorized configuration changes.
Long-term hardening
HARDENING: Segment the manufacturing/control network so that PowerFlex drives are not directly accessible from the business network or the Internet.
HARDENING: Limit network exposure of all control system devices and ensure they are not routable from the Internet or untrusted business networks.