OTPulse

Rockwell Automation Logix Controllers (Update A)

Priority: Act Now | CVSS: 10 | ICS-CERT ICSA-21-056-03 (Feb 25, 2021)
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Rockwell Automation Logix controllers allows remote, unauthenticated attackers to bypass the verification mechanism and connect directly to controllers over EtherNet/IP (TCP port 44818). Once connected, an attacker can alter the controller's configuration, application code, or ladder logic without any credentials. The vulnerability affects all Logix controller types and firmware versions, including ControlLogix 5580/5570/5560/5550, GuardLogix 5580/5570/5560, CompactLogix 5370/1768/1769, RSLogix 5000, Studio 5000 Logix Designer, and FactoryTalk Security v2.10 and later. Rockwell Automation has determined that this vulnerability cannot be patched and recommends a defense-in-depth strategy combining network segmentation, firewall rules, CIP Security encryption, and operational controls.

What this means
What could happen
An attacker on your network can connect directly to Logix controllers without authentication and modify control logic, setpoints, or application code, potentially disrupting manufacturing operations or safety systems. This affects all Logix controller types across firmware versions.
Who's at risk
Water and electric utilities rely on Logix controllers for SCADA systems, pump control, power distribution automation, and safety-critical functions. This affects all Logix controller families: ControlLogix 5580/5570/5560/5550, GuardLogix 5580/5570/5560, CompactLogix 5370/1768/1769, and design software (RSLogix 5000, Studio 5000 Logix Designer). Any site running these controllers without network segmentation is at risk.
How it could be exploited
An attacker sends a connection request to port 44818 (EtherNet/IP) on a Logix controller. The verification mechanism that checks whether the connection is authorized is bypassed. Once connected, the attacker can upload malicious ladder logic or alter running programs without needing engineering credentials or a factory password.
Prerequisites
  • Network access to port 44818 on the Logix controller
  • Controller must be reachable from the attacker's network segment
  • No authentication or credentials required
Key facts
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Actively exploited (KEV)
  • High EPSS score (16.3%)
  • No patch available
  • Affects safety systems (GuardLogix)
  • All Logix controller versions in use are vulnerable
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (3)
1 pending fix, 2 EOL

Product | Affected versions | Fix status
FactoryTalk Security (part of the FactoryTalk Services Platform, if configured and deployed: v2.10 and later) | ≥ 2.10 | No fix yet
RSLogix 5000 | 16 to 20 | No fix (EOL)
Studio 5000 Logix Designer | ≥ 21 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate all Logix controllers from the enterprise network. Place them behind a firewall and in a separate industrial control system network zone.
WORKAROUND: Block or restrict all inbound traffic to TCP port 44818 at the firewall, allowing only traffic from authorized engineering workstations or remote access gateways within the ICS network zone.
WORKAROUND: For ControlLogix 5580 v32 or later: move the controller's mode switch to 'Run' mode to disable remote configuration.
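The firewall workaround above is only as good as its enforcement, so a defender will want to watch for TCP/44818 sessions reaching controllers from hosts outside the allowlist. The following is an added example (not OTPulse's or Rockwell Automation's code); the log line format, host addresses, controller list and allowlist are all constructed for the demonstration and would be replaced with a site's own inventory.

```python
# Added example: flag EtherNet/IP (TCP 44818) sessions to Logix controllers
# that violate the allowlist-only firewall workaround from the advisory.
# Log format, addresses, controller list and allowlist are constructed.
from ipaddress import ip_address, ip_network

ENIP_PORT = 44818  # EtherNet/IP explicit messaging port named in the advisory

# Constructed policy: only engineering workstations may open CIP sessions.
LOGIX_CONTROLLERS = {"10.10.20.11", "10.10.20.12"}   # PLCs in the ICS zone
ENGINEERING_WORKSTATIONS = {"10.10.20.50"}          # authorized sources
ICS_ZONE = ip_network("10.10.20.0/24")               # segmented ICS network

# Constructed firewall log: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <action>"
SAMPLE_LOG = """\
2021-03-01T08:00:01Z 10.10.20.50:51022 -> 10.10.20.11:44818 tcp allow
2021-03-01T08:00:07Z 10.10.20.73:40211 -> 10.10.20.11:44818 tcp allow
2021-03-01T08:00:09Z 192.168.1.25:55100 -> 10.10.20.12:44818 tcp allow
2021-03-01T08:00:12Z 10.10.20.50:51030 -> 10.10.20.12:2222 udp allow
2021-03-01T08:00:15Z 192.168.1.30:55101 -> 10.10.20.11:44818 tcp deny
"""

def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, _arrow, dst, proto, action = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, src_ip, dst_ip, int(dport), proto, action

def classify(src_ip, dst_ip, dport, proto, action):
    """Return an alert reason for a policy-violating CIP session, else None."""
    if proto != "tcp" or dport != ENIP_PORT or dst_ip not in LOGIX_CONTROLLERS:
        return None                      # not an EtherNet/IP session to a PLC
    if src_ip in ENGINEERING_WORKSTATIONS:
        return None                      # allowlisted engineering workstation
    zone = "inside ICS zone" if ip_address(src_ip) in ICS_ZONE else "outside ICS zone"
    # An ALLOWED session from an unlisted host means the firewall rule is missing;
    # a blocked one is still worth recording as an access attempt.
    outcome = "ALLOWED" if action == "allow" else "blocked"
    return f"{outcome} CIP session from unlisted host ({zone})"

def find_unauthorized_enip(log_text):
    """Scan log lines and return (ts, src, dst, reason) for each violation."""
    alerts = []
    for line in log_text.splitlines():
        ts, src_ip, dst_ip, dport, proto, action = parse_line(line)
        reason = classify(src_ip, dst_ip, dport, proto, action)
        if reason:
            alerts.append((ts, src_ip, dst_ip, reason))
    return alerts

if __name__ == "__main__":
    for alert in find_unauthorized_enip(SAMPLE_LOG):
        print(*alert)
```

Run against the constructed log, the allowlisted workstation's session passes, while the two sessions that the firewall let through from unlisted hosts are the ones that indicate the workaround is not actually enforced.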
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: For ControlLogix 5580 v31 or earlier and all other Logix controllers: deploy the 1756-EN4TR EtherNet/IP module with CIP Security enabled to encrypt and authenticate connections.
HARDENING: Enable CIP Security (TLS/DTLS encryption and certificate-based authentication) on all controllers and engineering workstations that support it, following the Rockwell Automation CIP Security deployment reference guide.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: RSLogix 5000, Studio 5000 Logix Designer. Apply the following compensating controls:
HARDENING: If remote access is required, use a VPN to encrypt connections to your engineering network, and ensure the VPN itself is kept up to date with the latest security patches.