Rockwell Automation Logix Controllers
Monitor | 6.8 | ICS-CERT ICSA-22-144-01 | May 24, 2022
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
The Rockwell Automation Logix controller family (CompactLogix 5370/5380/5480, ControlLogix 5570/5580, GuardLogix 5570/5580, and Compact GuardLogix 5370/5380) contains a vulnerability in message handling that allows an attacker to send specially crafted Ethernet/IP messages without authentication. Successful exploitation causes a denial-of-service condition, rendering the controller unresponsive until it is manually rebooted. The vulnerability affects firmware versions 33.013 and earlier (5370/GuardLogix 5570 models) and 32.013 and earlier (other models).
What this means
What could happen
An attacker could send specially crafted messages to your Logix controllers and cause them to stop responding (denial of service). This would halt production, pump operations, or generator controls until the device is rebooted.
Who's at risk
This affects municipal utilities and water authorities using Rockwell Automation CompactLogix, ControlLogix, GuardLogix, or Compact GuardLogix series 5370, 5380, 5480, 5570, and 5580 controllers. These devices typically manage pump stations, water treatment processes, electrical distribution, and safety-critical operations. Any facility relying on these PLCs for continuous process control is at risk.
How it could be exploited
An attacker with network access to the Logix controller (typically on the control network or via a compromised engineering workstation) sends malicious EtherNet/IP messages that trigger a resource exhaustion condition in the controller. The device becomes unresponsive to normal commands.
Prerequisites
- Network access to port 2222 (EtherNet/IP) on the controller
- No authentication required—messages are processed by the device without credentials
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects safety systems (GuardLogix models)
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (9)
9 EOL
Product | Affected Versions | Fix Status
Compact GuardLogix 5370 controllers | firmware ≤ 33.013 | No fix (EOL)
Compact GuardLogix 5380 controllers | firmware ≤ 32.013 | No fix (EOL)
CompactLogix 5370 controllers | firmware ≤ 33.013 | No fix (EOL)
CompactLogix 5380 controllers | firmware ≤ 32.013 | No fix (EOL)
CompactLogix 5480 controllers | firmware ≤ 32.013 | No fix (EOL)
ControlLogix 5570 controllers | firmware ≤ 33.013 | No fix (EOL)
GuardLogix 5570 controllers | firmware ≤ 33.013 | No fix (EOL)
GuardLogix 5580 controllers | firmware ≤ 32.013 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Segment your control network. Isolate Logix controllers on a separate VLAN or subnet with firewall rules that restrict inbound traffic to only engineering workstations and authorized devices. Block EtherNet/IP (port 2222) from untrusted networks.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Implement network-level monitoring for unusual EtherNet/IP traffic patterns to your controllers. Alert on excessive or malformed messages that could indicate exploitation attempts.
WORKAROUND: Document a reboot procedure for affected controllers and ensure operators know how to safely restart devices in case of a DoS event. Test the procedure on a non-critical device first.
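As an added example (not from the advisory or from Rockwell Automation) of the monitoring item above, combined with the source allowlist that the segmentation item implies: the script below reads flow records, ignores anything that is not EtherNet/IP traffic to a controller, and raises an alert for a source outside the allowlist or for a burst of messages above a rate threshold, which also catches a flood from an allowed but compromised workstation. The controller and workstation addresses, the flow-record format and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed inventory (assumption): controller addresses, the engineering
# workstation allowed to reach them, and the port named in the advisory.
CONTROLLERS = {"10.20.1.10", "10.20.1.11"}
ALLOWED_SOURCES = {"10.20.0.5"}
ENIP_PORTS = {2222}
RATE_LIMIT = 5        # ENIP flows per source within WINDOW_SECONDS before alerting
WINDOW_SECONDS = 10

def parse_flow(line):
    """Parse a constructed 'timestamp src dst dport proto' flow record."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto

def detect(lines):
    """Return (reason, src, dst) alerts: non-allowlisted source, or rate above RATE_LIMIT."""
    alerts, flagged = [], set()
    recent = defaultdict(list)   # src -> timestamps of recent ENIP flows
    for line in lines:
        ts, src, dst, dport, _ = parse_flow(line)
        if dst not in CONTROLLERS or dport not in ENIP_PORTS:
            continue              # not EtherNet/IP to a controller; ignore
        if src not in ALLOWED_SOURCES and (src, dst) not in flagged:
            flagged.add((src, dst))
            alerts.append(("unauthorized_source", src, dst))
        # Slide the window; alert once when a burst crosses the limit (any source).
        recent[src] = [t for t in recent[src] + [ts]
                       if (ts - t).total_seconds() <= WINDOW_SECONDS]
        if len(recent[src]) == RATE_LIMIT + 1:
            alerts.append(("excessive_enip", src, dst))
    return alerts

# Constructed sample flows: normal workstation traffic, one unknown host,
# a non-ENIP flow that is ignored, then a burst from the workstation.
SAMPLE_FLOWS = [
    "2022-05-24T10:00:00 10.20.0.5 10.20.1.10 2222 udp",
    "2022-05-24T10:00:01 10.20.0.5 10.20.1.10 2222 udp",
    "2022-05-24T10:00:02 192.168.50.9 10.20.1.11 2222 udp",
    "2022-05-24T10:00:03 10.20.0.5 10.20.1.10 443 tcp",
    "2022-05-24T10:00:04 10.20.0.5 10.20.1.10 2222 udp",
    "2022-05-24T10:00:05 10.20.0.5 10.20.1.10 2222 udp",
    "2022-05-24T10:00:06 10.20.0.5 10.20.1.10 2222 udp",
    "2022-05-24T10:00:07 10.20.0.5 10.20.1.10 2222 udp",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```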
Long-term hardening
HOTFIX: Monitor Rockwell Automation's security bulletins for firmware patches. This vulnerability currently has no fix, but a patch may be released in the future.
CVEs (1)