Rockwell Automation MicroLogix 1400 and CompactLogix 5370 Controllers

MonitorCVSS 7.1ICS-CERT ICSA-19-113-01Apr 23, 2019

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

A vulnerability in Rockwell Automation MicroLogix 1400 and CompactLogix 5370 controllers allows remote unauthenticated attackers to inject malicious links that could redirect users to malicious websites. The vulnerability affects MicroLogix 1400 Series A (all versions), MicroLogix 1400 Series B (v15.002 and earlier), MicroLogix 1100 (v14.00 and earlier), and CompactLogix 5370 L1/L2/L3 controllers (v30.014 and earlier, including CompactLogix GuardLogix variants). No patches are available from Rockwell Automation for any affected product line.

What this means

What could happen

An attacker could inject a malicious link into data accessed by plant operators or engineering staff, potentially redirecting them to a website hosting malware or stealing credentials. This could compromise operator workstations or facilitate further attacks on your control system network.

Who's at risk

Water utilities, electric utilities, wastewater treatment plants, and manufacturing facilities that operate Rockwell MicroLogix 1400 or CompactLogix 5370 controllers. These controllers are widely used for process control, pump/motor management, SCADA interfaces, and safety-critical logic. Any organization running these controller models should assess exposure, particularly if operator workstations or engineering interfaces can interact with the controllers over the network.

How it could be exploited

An attacker with network access to the controller can inject a malicious hyperlink into data displayed to users—such as in engineering interfaces, diagnostics screens, or status displays. When an operator or engineer clicks the link, they are redirected to an attacker-controlled website. This leverages user interaction to deliver secondary payloads or credential theft.

Prerequisites

Network access to the affected controller
User must click a malicious link presented by the controller's interface or data
Controller must be reachable from a network segment where operators or engineering staff access it

Remotely exploitableNo authentication requiredLow complexity attackNo patch availableAffects critical control system devices (PLCs/PACs used in manufacturing, water, electric utilities)

Exploitability

Some exploitation risk — EPSS score 3.0%

Affected products (6)

6 EOL

ProductAffected VersionsFix Status

MicroLogix 1400 Controllers Series A: All VersionsAll versionsNo fix (EOL)

MicroLogix 1400 Controllers Series B: v15.002 and earlier≤ 15.002No fix (EOL)

MicroLogix 1100 Controllers: v14.00 and earlier≤ 14.00No fix (EOL)

CompactLogix 5370 L1 controllers: v30.014 and earlier≤ 30.014No fix (EOL)

CompactLogix 5370 L2 controllers: v30.014 and earlier≤ 30.014No fix (EOL)

CompactLogix 5370 L3 controllers: (includes CompactLogix GuardLogix controllers) v30.014 and earlier≤ 30.014No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/1

WORKAROUNDDisable or restrict user access to any web-based management or diagnostic interfaces on affected controllers if not operationally required

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

HARDENINGRestrict network access to affected controllers to only authorized engineering workstations and administrative interfaces using host-based or network firewalls

HARDENINGImplement user awareness training focused on recognizing and avoiding malicious links and phishing attempts, especially targeting operators and engineering staff

HARDENINGEnsure all operator and engineering workstations have current anti-malware and endpoint protection tools deployed and updated

HARDENINGIf remote access to controllers is required, enforce use of VPN or other secure tunneling mechanisms and maintain VPN software at the latest patched version

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: MicroLogix 1400 Controllers Series A: All Versions, MicroLogix 1400 Controllers Series B: v15.002 and earlier, MicroLogix 1100 Controllers: v14.00 and earlier, CompactLogix 5370 L1 controllers: v30.014 and earlier, CompactLogix 5370 L2 controllers: v30.014 and earlier, CompactLogix 5370 L3 controllers: (includes CompactLogix GuardLogix controllers) v30.014 and earlier. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate control system networks from business networks and the Internet using firewalls and air-gapping where possible

CVEs (1)

CVE-2019-10955

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/bfa5c9fa-d5b2-44b2-874b-ab8972e243f7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.