Rockwell Automation MicroLogix 1400 (Update A)
Plan Patch | 8.1 | ICS-CERT ICSA-21-033-01 | Feb 2, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
MicroLogix 1400 controllers with Modbus TCP enabled are vulnerable to a denial-of-service attack via CWE-120 (buffer overflow). All series versions 21.6 and earlier are affected. Successful exploitation causes the controller to stop responding, interrupting process operations.
What this means
What could happen
An attacker with network access to the controller could crash it, causing a denial of service and halting the controlled process until manual intervention restarts the device.
Who's at risk
Water utilities and municipalities using Rockwell Automation MicroLogix 1400 controllers for pump control, tank level monitoring, or other critical processes should prioritize this. Any facility relying on Modbus TCP communication to these controllers is at risk of unplanned shutdowns.
How it could be exploited
An attacker must send a specially crafted Modbus TCP packet to port 502 (or the configured Modbus TCP port) on the MicroLogix 1400. This triggers a buffer overflow condition that crashes the controller. The attack requires network reachability to the controller but no authentication.
Prerequisites
- Network access to Modbus TCP port on the controller (typically port 502)
- Modbus TCP support enabled on the MicroLogix 1400
- No authentication required
Tags: remotely exploitable, no authentication required, no patch available, affects PLCs/automation controllers, denial of service impact
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product | Affected Versions | Fix Status
MicroLogix 1400 | All series: ≤ 21.6 | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Disable Modbus TCP support on the MicroLogix 1400 if not required for operations
- HARDENING: Block Modbus TCP traffic (port 502) to the controller using firewall rules or network segmentation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Isolate the MicroLogix 1400 network from the business network and the Internet using network segmentation and firewalls
- HARDENING: Monitor for suspicious Modbus TCP traffic targeting port 502
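One way to approach the monitoring item above, as an added example that is not part of the advisory or any Rockwell tooling: a generic Modbus TCP conformance check applied to payloads captured on port 502. It is not a signature for this specific vulnerability; the allowlist subnet, the sample frames, and the one-ADU-per-payload assumption are all constructed for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

MBAP_LEN = 7   # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_ADU = 260  # Modbus TCP limit: 7-byte MBAP header + 253-byte PDU
# Assumption: only this HMI/SCADA subnet should ever talk Modbus to the PLC.
ALLOWED_CLIENTS = [ip_network("10.20.0.0/28")]


def check_frame(src_ip, payload):
    """Return the reasons a captured Modbus TCP payload looks suspicious.

    Assumes one ADU per captured payload (no TCP coalescing or splitting).
    """
    findings = []
    if not any(ip_address(src_ip) in net for net in ALLOWED_CLIENTS):
        findings.append("source not in allowlist")
    if len(payload) < MBAP_LEN + 1:  # header plus at least a function code
        findings.append("truncated frame")
        return findings
    if len(payload) > MAX_ADU:
        findings.append("ADU exceeds 260 bytes")
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:
        findings.append("protocol id is not 0")
    if not 2 <= length <= 254:  # unit id + function code .. unit id + 253-byte PDU
        findings.append("length field out of range")
    # The length field counts everything after its own two bytes (offset 6 on).
    if length != len(payload) - 6:
        findings.append("length field does not match payload size")
    return findings


# Constructed samples: a well-formed Read Holding Registers request, and a
# frame whose declared length (6) disagrees with its 300-byte size.
NORMAL = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)
OVERSIZED = struct.pack(">HHHBB", 1, 0, 6, 1, 3) + b"\x00" * 292

if __name__ == "__main__":
    for src, frame in [("10.20.0.5", NORMAL), ("192.0.2.50", OVERSIZED)]:
        print(src, len(frame), check_frame(src, frame) or "ok")
```

In practice the payloads would come from a span port or a packet capture taken in front of the controller, and any finding should raise an alert for review.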
CVEs (1)