Rockwell Automation Micro800 and MicroLogix 1400
Monitor | 6.1 | ICS-CERT ICSA-21-145-02 | May 25, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary
A vulnerability in Rockwell Automation Micro800 and MicroLogix 1400 controllers allows an unauthorized user on the same network to reset the controller's password through a specific attack sequence. The vulnerability requires user interaction and high attack complexity. Successful exploitation results in denial-of-service conditions that may require a firmware flash to recover, which will erase the user program and data.
What this means
What could happen
An attacker on your plant network could reset the controller password and cause the PLC to stop responding, forcing a firmware reload that erases your programs and real-time data. Recovery requires manual intervention and process downtime.
Who's at risk
Micro800 and MicroLogix 1400 controllers used in water/wastewater treatment, power distribution, manufacturing, and any facility with Allen-Bradley small PLCs controlling critical processes. Any organization running these controllers without network segmentation is at risk.
How it could be exploited
An attacker must be on the same network as the Micro800 or MicroLogix 1400 controller. They execute a specific attack sequence (high complexity) that requires user interaction to trigger, which resets the device password and causes a denial-of-service condition. The attacker would likely need to interact with the device or observe legitimate user activity to complete the exploit.
Prerequisites
- Network access to the same subnet/VLAN as the controller
- User interaction or specific timing condition required
- Knowledge of the attack sequence (complexity: high)
remotely exploitable | no authentication required | no patch available | affects control operations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
MicroLogix 1400 | ≥ 21 | No fix (EOL)
Micro800 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Ensure backup copies of current PLC programs and data are maintained off-site in case firmware recovery is needed
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Change the default controller password in a trusted/air-gapped environment before deploying to production
- HARDENING: Document and monitor the serial numbers and firmware versions of all Micro800 and MicroLogix 1400 controllers in your facility to track which devices lack patches
Mitigations - no patch available
The following products have reached End of Life with no planned fix: MicroLogix 1400, Micro800 (all versions). Apply the following compensating controls:
- HARDENING: Implement network segmentation to isolate control system devices from business networks using firewalls and VLANs
- HARDENING: Restrict network access to Micro800 and MicroLogix 1400 controllers to only authorized engineering workstations and HMI systems
CVEs (1)