Rockwell Automation GuardLogix 5380 and 5580 (Update A)
Monitor6.5ICS-CERT ICSA-25-035-02Feb 4, 2025
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
A vulnerability in Rockwell Automation GuardLogix 5580 and Compact GuardLogix 5380 SIL 3 safety controllers allows a remote, non-privileged user to send malicious requests that trigger a major nonrecoverable fault. When exploited, the controller enters a denial-of-service state and cannot execute safety logic or normal operations. The vulnerability affects multiple firmware versions (V33.x, V34.x, V35.x, V36.x) across both product lines. Rockwell Automation has stated that no fix is currently available for this vulnerability.
What this means
What could happen
An attacker with network access to a GuardLogix controller could trigger a major nonrecoverable fault that stops the device and blocks normal safety operations, denying service to automated processes that rely on the PLC.
Who's at risk
Water utilities and municipal electric facilities operating GuardLogix 5580 and Compact GuardLogix 5380 SIL 3 safety PLCs in automated control systems. This impacts any organization using these controllers for safety-critical functions such as pressure relief, emergency shutdown, or process interlocks.
How it could be exploited
An attacker sends a specially crafted request over the network to the GuardLogix controller. The request targets the task object via CIP protocol. If the controller receives the request from a non-privileged user, it processes the malicious request and enters a major nonrecoverable fault state, becoming unavailable.
Prerequisites
- Network access to the GuardLogix controller on the CIP protocol port (typically port 2222 for EtherNet/IP)
- No authentication required
- Ability to send crafted CIP requests to the task object
remotely exploitableno authentication requiredlow complexityaffects safety systemsno patch available
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (8)
8 EOL
ProductAffected VersionsFix Status
GuardLogix 5580 (SIL 3 with the safety partner 3): <V34.014<V34.014No fix (EOL)
GuardLogix 5580 (SIL 3 with the safety partner 3): <V35.013<V35.013No fix (EOL)
GuardLogix 5580 (SIL 3 with the safety partner 3): <V36.011<V36.011No fix (EOL)
GuardLogix 5580 (SIL 3 with the safety partner 3): <V33.017<V33.017No fix (EOL)
Compact GuardLogix 5380 SIL 3: <V33.017<V33.017No fix (EOL)
Compact GuardLogix 5380 SIL 3: <V34.014<V34.014No fix (EOL)
Compact GuardLogix 5380 SIL 3: <V35.013<V35.013No fix (EOL)
Compact GuardLogix 5380 SIL 3: <V36.011<V36.011No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/2WORKAROUNDRestrict access to the task object via CIP Security and Hard Run features to block non-privileged users from sending requests to this object
HARDENINGPlace the GuardLogix controller behind a firewall to isolate it from business networks and the Internet
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXMonitor for and review Rockwell Automation security advisories for patched firmware versions once they are released
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: GuardLogix 5580 (SIL 3 with the safety partner 3): <V34.014, GuardLogix 5580 (SIL 3 with the safety partner 3): <V35.013, GuardLogix 5580 (SIL 3 with the safety partner 3): <V36.011, GuardLogix 5580 (SIL 3 with the safety partner 3): <V33.017, Compact GuardLogix 5380 SIL 3: <V33.017, Compact GuardLogix 5380 SIL 3: <V34.014, Compact GuardLogix 5380 SIL 3: <V35.013, Compact GuardLogix 5380 SIL 3: <V36.011. Apply the following compensating controls:
HARDENINGImplement network segmentation so the control system is not directly accessible from the business network
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/f086293f-231a-4f0b-8a6f-ca0defe0379d