Rockwell Automation MicroLogix 1400 and CompactLogix 5370 Controllers
Monitor · 7.1 · ICS-CERT ICSA-19-113-01 · Apr 23, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A vulnerability in Rockwell Automation MicroLogix 1400 and CompactLogix 5370 controllers allows remote unauthenticated attackers to inject malicious links that could redirect users to malicious websites. The vulnerability affects MicroLogix 1400 Series A (all versions), MicroLogix 1400 Series B (v15.002 and earlier), MicroLogix 1100 (v14.00 and earlier), and CompactLogix 5370 L1/L2/L3 controllers (v30.014 and earlier, including CompactLogix GuardLogix variants). No patches are available from Rockwell Automation for any affected product line.
What this means
What could happen
An attacker could inject a malicious link into data accessed by plant operators or engineering staff, potentially redirecting them to a website hosting malware or stealing credentials. This could compromise operator workstations or facilitate further attacks on your control system network.
Who's at risk
Water utilities, electric utilities, wastewater treatment plants, and manufacturing facilities that operate Rockwell MicroLogix 1400 or CompactLogix 5370 controllers. These controllers are widely used for process control, pump/motor management, SCADA interfaces, and safety-critical logic. Any organization running these controller models should assess exposure, particularly if operator workstations or engineering interfaces can interact with the controllers over the network.
How it could be exploited
An attacker with network access to the controller can inject a malicious hyperlink into data displayed to users—such as in engineering interfaces, diagnostics screens, or status displays. When an operator or engineer clicks the link, they are redirected to an attacker-controlled website. This leverages user interaction to deliver secondary payloads or credential theft.
Prerequisites
- Network access to the affected controller
- User must click a malicious link presented by the controller's interface or data
- Controller must be reachable from a network segment where operators or engineering staff access it
- Remotely exploitable
- No authentication required
- Low complexity attack
- No patch available
- Affects critical control system devices (PLCs/PACs used in manufacturing, water, electric utilities)
Exploitability
Moderate exploit probability (EPSS 3.0%)
Affected products (6)
6 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| MicroLogix 1400 Controllers Series A: All Versions | All versions | No fix (EOL) |
| MicroLogix 1400 Controllers Series B: v15.002 and earlier | ≤ 15.002 | No fix (EOL) |
| MicroLogix 1100 Controllers: v14.00 and earlier | ≤ 14.00 | No fix (EOL) |
| CompactLogix 5370 L1 controllers: v30.014 and earlier | ≤ 30.014 | No fix (EOL) |
| CompactLogix 5370 L2 controllers: v30.014 and earlier | ≤ 30.014 | No fix (EOL) |
| CompactLogix 5370 L3 controllers: (includes CompactLogix GuardLogix controllers) v30.014 and earlier | ≤ 30.014 | No fix (EOL) |
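An added example, not part of the advisory or any Rockwell tooling: a firmware-inventory triage that applies the affected-version table above, including the Series A/B split and unreadable firmware strings. The inventory field names (`name`, `model`, `series`, `firmware`), the status labels and the sample assets are assumptions constructed for illustration.

```python
import re

# From the advisory's table. Key: (model, series; None = any). Value None = all versions.
AFFECTED = {
    ("micrologix 1400", "A"): None,
    ("micrologix 1400", "B"): (15, 2),          # v15.002 and earlier
    ("micrologix 1100", None): (14, 0),         # v14.00 and earlier
    ("compactlogix 5370 l1", None): (30, 14),   # v30.014 and earlier
    ("compactlogix 5370 l2", None): (30, 14),
    ("compactlogix 5370 l3", None): (30, 14),   # includes GuardLogix variants
}

def parse_version(text):
    """'v15.002' -> (15, 2); None when no major.minor can be read."""
    m = re.fullmatch(r"\s*[vV]?(\d+)\.(\d+)\s*", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(asset):
    """Return 'AFFECTED', 'REVIEW' (cannot decide) or 'NOT_LISTED'."""
    model = " ".join(asset.get("model", "").lower().split())
    series = (asset.get("series") or "").strip().upper() or None
    if not any(key[0] == model for key in AFFECTED):
        return "NOT_LISTED"
    if (model, None) in AFFECTED:
        ceiling = AFFECTED[(model, None)]
    elif (model, series) in AFFECTED:
        ceiling = AFFECTED[(model, series)]
    else:
        return "REVIEW"      # listed model, series missing or not in the table
    if ceiling is None:
        return "AFFECTED"    # all versions of this series are affected
    version = parse_version(asset.get("firmware"))
    if version is None:
        return "REVIEW"      # unreadable firmware string: check by hand
    return "AFFECTED" if version <= ceiling else "NOT_LISTED"

# Constructed sample inventory; asset names and firmware values are made up.
INVENTORY = [
    {"name": "pump-plc-01", "model": "MicroLogix 1400", "series": "A", "firmware": "v7.000"},
    {"name": "pump-plc-02", "model": "MicroLogix 1400", "series": "B", "firmware": "15.002"},
    {"name": "line-plc-03", "model": "CompactLogix 5370 L3", "series": "", "firmware": "31.011"},
    {"name": "line-plc-04", "model": "MicroLogix 1400", "series": "", "firmware": "15.000"},
    {"name": "hvac-plc-05", "model": "MicroLogix 1100", "series": "B", "firmware": "unknown"},
]

def triage(inventory):
    return {a["name"]: assess(a) for a in inventory}

if __name__ == "__main__":
    print(triage(INVENTORY))
```

`NOT_LISTED` means only that the asset falls outside the version ranges in the table; `REVIEW` entries need the series or firmware confirmed on the device.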
Remediation & Mitigation
Do now
- WORKAROUND: Disable or restrict user access to any web-based management or diagnostic interfaces on affected controllers if not operationally required
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HARDENING: Restrict network access to affected controllers to only authorized engineering workstations and administrative interfaces using host-based or network firewalls
- HARDENING: Implement user awareness training focused on recognizing and avoiding malicious links and phishing attempts, especially targeting operators and engineering staff
- HARDENING: Ensure all operator and engineering workstations have current anti-malware and endpoint protection tools deployed and updated
- HARDENING: If remote access to controllers is required, enforce use of VPN or other secure tunneling mechanisms and maintain VPN software at the latest patched version
Mitigations - no patch available
The following products have reached End of Life with no planned fix: MicroLogix 1400 Controllers Series A: All Versions, MicroLogix 1400 Controllers Series B: v15.002 and earlier, MicroLogix 1100 Controllers: v14.00 and earlier, CompactLogix 5370 L1 controllers: v30.014 and earlier, CompactLogix 5370 L2 controllers: v30.014 and earlier, CompactLogix 5370 L3 controllers: (includes CompactLogix GuardLogix controllers) v30.014 and earlier. Apply the following compensating controls:
- HARDENING: Implement network segmentation to isolate control system networks from business networks and the Internet using firewalls and air-gapping where possible
CVEs (1)