Rockwell Automation Logix Controllers

MonitorCVSS 6.8ICS-CERT ICSA-22-144-01May 24, 2022

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

The Rockwell Automation Logix controller family (CompactLogix 5370/5380/5480, ControlLogix 5570/5580, GuardLogix 5570/5580, and Compact GuardLogix 5370/5380) contains a vulnerability in message handling that allows an attacker to send specially crafted Ethernet/IP messages without authentication. Successful exploitation causes a denial-of-service condition, rendering the controller unresponsive until it is manually rebooted. The vulnerability affects firmware versions 33.013 and earlier (5370/GuardLogix 5570 models) and 32.013 and earlier (other models).

What this means

What could happen

An attacker could send specially crafted messages to your Logix controllers and cause them to stop responding (denial of service). This would halt production, pump operations, or generator controls until the device is rebooted.

Who's at risk

This affects municipal utilities and water authorities using Rockwell Automation CompactLogix, ControlLogix, GuardLogix, or Compact GuardLogix series 5370, 5380, 5480, 5570, and 5580 controllers. These devices typically manage pump stations, water treatment processes, electrical distribution, and safety-critical operations. Any facility relying on these PLCs for continuous process control is at risk.

How it could be exploited

An attacker with network access to the Logix controller (typically on the control network or via compromised engineering workstation) sends malicious Ethernet/IP messages that trigger a resource exhaustion condition in the controller. The device becomes unresponsive to normal commands.

Prerequisites

Network access to port 2222 (EtherNet/IP) on the controller
No authentication required—messages are processed by the device without credentials

remotely exploitableno authentication requiredlow complexityno patch availableaffects safety systems (GuardLogix models)

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (9)

9 EOL

ProductAffected VersionsFix Status

Compact GuardLogix 5370 controllers: firmware≤ 33.013No fix (EOL)

Compact GuardLogix 5380 controllers: firmware≤ 32.013No fix (EOL)

CompactLogix 5370 controllers: firmware≤ 33.013No fix (EOL)

CompactLogix 5380 controllers: firmware≤ 32.013No fix (EOL)

CompactLogix 5480 controllers: firmware≤ 32.013No fix (EOL)

ControlLogix 5570 controllers: firmware≤ 33.013No fix (EOL)

GuardLogix 5570 controllers: firmware≤ 33.013No fix (EOL)

GuardLogix 5580 controllers: firmware≤ 32.013No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGSegment your control network: isolate Logix controllers on a separate VLAN or subnet with firewall rules that restrict inbound traffic to only engineering workstations and authorized devices. Block EtherNet/IP (port 2222) from untrusted networks.

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGImplement network-level monitoring for unusual EtherNet/IP traffic patterns to your controllers. Alert on excessive or malformed messages that could indicate exploitation attempts.

WORKAROUNDDocument a reboot procedure for affected controllers and ensure operators know how to safely restart devices in case of a DoS event. Test the procedure in a non-critical device first.

Long-term hardening

0/1

HOTFIXMonitor Rockwell Automation's security bulletins for firmware patches. This vulnerability currently has no fix, but a patch may be released in the future.

CVEs (1)

CVE-2022-1797

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ea3f81a4-051e-4e80-bc65-3014e783c91b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.