Rockwell Automation Logix Controllers
Plan Patch | 8.4 | ICS-CERT ICSA-24-214-09 | Aug 1, 2024
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary
Rockwell Automation Logix controllers contain a vulnerability allowing authenticated attackers to execute arbitrary CIP (Common Industrial Protocol) programming and configuration commands. This could permit modification of process logic, alteration of setpoints, or disabling of safety functions on affected ControlLogix 5580, GuardLogix 5580, and 1756-EN series network adapter modules. The vulnerability requires valid engineering credentials and network access to the controller. Several older hardware series (A versions) have no patch available and require hardware upgrade to Series D.
What this means
What could happen
An attacker with valid controller credentials and network access could execute arbitrary CIP programming and configuration commands on affected Logix controllers, potentially altering process setpoints, disabling safety functions, or stopping production.
Who's at risk
Water utilities and electric utilities operating Logix-based process control systems, particularly those using ControlLogix 5580 (1756-L8z), GuardLogix 5580 (1756-L8zS), or 1756-EN series network adapters. Any facility relying on these controllers for water treatment, distribution, wastewater operations, or power generation/distribution should assess their equipment inventory.
How it could be exploited
An attacker with legitimate engineering credentials gains network access to a Logix controller and sends CIP (Common Industrial Protocol) commands that bypass intended restrictions. The attacker can then modify PLC logic, alter process parameters, or disable safety interlocks without proper authorization checks.
Prerequisites
- Valid engineering workstation credentials (username/password or certificate)
- Network access to the Logix controller on port 2222 (default EtherNet/IP) or configured CIP port
- Controller not in RUN mode (mode switch in RUN position blocks CIP commands)
- Remotely exploitable (network access)
- Requires valid credentials
- Medium complexity exploitation
- No patch available for Series A hardware variants
- Affects industrial control logic and safety systems
- High CVSS score (8.4)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (16)
3 with fix, 13 pending

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| ControlLogix 5580 (1756-L8z): V28 | V28 | V32.016, V33.015, V34.014, V35.011 and later |
| GuardLogix 5580 (1756-L8zS): V31 | V31 | V32.016, V33.015, V34.014, V35.011 and later |
| 1756-EN4TR: V2 | V2 | V5.001 and later |
| 1756-EN2T, Series A/B/C (unsigned version): v5.007 | v5.007 | No fix yet |
| 1756-EN2F, Series A/B (unsigned version): v5.007 | v5.007 | No fix yet |
Remediation & Mitigation
Do now
WORKAROUND: Set the mode switch on all Logix controllers to RUN position to prevent CIP programming and configuration commands
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
ControlLogix 5580 (1756-L8z): V28
HOTFIX: Update ControlLogix 5580 (1756-L8z) to firmware version V32.016, V33.015, V34.014, V35.011 or later
HOTFIX: Update GuardLogix 5580 (1756-L8zS) to firmware version V32.016, V33.015, V34.014, V35.011 or later
All products
HOTFIX: Update 1756-EN4TR network adapter to firmware version V5.001 or later
HOTFIX: Update 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A to firmware version V12.001 or later
HOTFIX: For 1756-EN2T/EN2F/EN2TR/EN3TR Series A products: upgrade to Series D hardware to obtain patched firmware
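An added example, not part of the original advisory: a triage of an asset inventory against the fixed firmware versions listed above. The inventory rows (catalog numbers, series, firmware) are constructed, and two readings are assumptions: a controller counts as fixed when it is on a listed major train at or above the listed build or on any newer train, and an adapter can take the fixed firmware only when its series matches the one named above.

```python
import re

# Minimum fixed build per major firmware train, from the remediation list above.
# Assumption: a train older than the lowest listed one has to move to a fixed train.
L8_FIXED = {32: 16, 33: 15, 34: 14, 35: 11}

# Adapter catalog -> (series that can take the fixed firmware, minimum version)
ADAPTER_FIXED = {
    "1756-EN4TR": (None, (5, 1)),   # the page names no series for this module
    "1756-EN2T":  ("D", (12, 1)),
    "1756-EN2F":  ("C", (12, 1)),
    "1756-EN2TR": ("C", (12, 1)),
    "1756-EN3TR": ("B", (12, 1)),
    "1756-EN2TP": ("A", (12, 1)),
}

def parse_version(text):
    """'V33.015' or 'v5.007' -> (33, 15)."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(catalog, series, firmware):
    """Return 'fixed', 'update-firmware', 'no-firmware-fix' or 'not-listed'."""
    major, minor = parse_version(firmware)
    cat = catalog.upper()
    if cat.startswith("1756-L8"):   # ControlLogix / GuardLogix 5580 (1756-L8z, 1756-L8zS)
        if major > max(L8_FIXED):
            return "fixed"
        needed = L8_FIXED.get(major)
        return "fixed" if needed is not None and minor >= needed else "update-firmware"
    if cat in ADAPTER_FIXED:
        fixed_series, minimum = ADAPTER_FIXED[cat]
        if fixed_series and series.upper() != fixed_series:
            return "no-firmware-fix"   # no patched firmware listed for this series
        return "fixed" if (major, minor) >= minimum else "update-firmware"
    return "not-listed"

# Constructed inventory rows (catalog, series, firmware); not real site data.
INVENTORY = [
    ("1756-L85E", "B", "V33.011"), ("1756-L84ES", "A", "V35.011"),
    ("1756-L83E", "B", "V31.011"), ("1756-EN2T", "A", "v5.007"),
    ("1756-EN2T", "D", "V11.004"), ("1756-EN4TR", "A", "V5.001"),
]

if __name__ == "__main__":
    for c, s, f in INVENTORY:
        print(f"{c:<12} series {s} {f:<8} -> {triage(c, s, f)}")
```

Rows that come back as `no-firmware-fix` are the ones the workaround and hardening items have to cover until the hardware is replaced.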
Long-term hardening
HARDENING: Implement network segmentation to isolate Logix controllers from business networks and internet exposure
HARDENING: Deploy firewall rules to restrict network access to Logix controllers, allowing only authorized engineering workstations
HARDENING: For remote access scenarios, implement VPN with current security patches and restrict to minimal necessary personnel
CVEs (1)