Rockwell Automation GuardLogix 5380 and 5580 (Update A)

MonitorCVSS 6.5ICS-CERT ICSA-25-035-02Feb 4, 2025

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Rockwell Automation GuardLogix 5380 and 5580 safety controllers contain a vulnerability allowing a remote, non-privileged user to send malicious CIP requests that cause a major nonrecoverable fault and denial-of-service condition. Affected versions include V33.017, V34.014, V35.013, and V36.011 for both controller models with SIL 3 safety partner 3 configuration. The vulnerability has a CVSS score of 6.5 (medium severity) and does not require authentication if CIP Security is not enabled. No patch is currently available from the vendor.

What this means

What could happen

A remote attacker with network access to a GuardLogix controller could trigger a denial-of-service condition that forces the controller into a major fault state, stopping industrial processes until manual recovery is performed. This affects safety-critical systems designed for SIL 3 operation, potentially disabling critical safety functions.

Who's at risk

Water utilities and electrical utilities operating Rockwell Automation GuardLogix safety controllers should be concerned. These controllers are used in critical safety systems for water treatment, electrical distribution, and industrial processes. Compact GuardLogix 5380 and GuardLogix 5580 controllers configured for SIL 3 (Safety Integrity Level 3) operation are affected, as are associated safety partner modules.

How it could be exploited

An attacker with network access sends malicious CIP (Common Industrial Protocol) requests targeting the task object on an affected GuardLogix controller. The malicious request causes the controller to enter a major nonrecoverable fault state, halting execution of the safety logic and industrial processes it controls.

Prerequisites

Network access to CIP port (2222 default) on the GuardLogix controller
No credentials required to send CIP requests if CIP Security is not enabled

Remotely exploitable via CIP protocolNo authentication required without CIP Security enabledAffects safety-critical systems (SIL 3)No vendor patch availableCauses denial-of-service on critical safety controller

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (8)

8 EOL

ProductAffected VersionsFix Status

GuardLogix 5580 (SIL 3 with the safety partner 3): <V34.014<V34.014No fix (EOL)

GuardLogix 5580 (SIL 3 with the safety partner 3): <V35.013<V35.013No fix (EOL)

GuardLogix 5580 (SIL 3 with the safety partner 3): <V36.011<V36.011No fix (EOL)

GuardLogix 5580 (SIL 3 with the safety partner 3): <V33.017<V33.017No fix (EOL)

Compact GuardLogix 5380 SIL 3: <V33.017<V33.017No fix (EOL)

Compact GuardLogix 5380 SIL 3: <V34.014<V34.014No fix (EOL)

Compact GuardLogix 5380 SIL 3: <V35.013<V35.013No fix (EOL)

Compact GuardLogix 5380 SIL 3: <V36.011<V36.011No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGIf available, enable CIP Security on the GuardLogix task object to restrict which devices can send CIP requests

HARDENINGEnable Hard Run mode on GuardLogix controllers to prevent remote modification of controller mode via CIP

HARDENINGRestrict network access to CIP port (2222) and other GuardLogix management ports from untrusted network segments using firewall rules

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXIf safe to do so within your maintenance window, upgrade to the latest available firmware version for your GuardLogix controller

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: GuardLogix 5580 (SIL 3 with the safety partner 3): <V34.014, GuardLogix 5580 (SIL 3 with the safety partner 3): <V35.013, GuardLogix 5580 (SIL 3 with the safety partner 3): <V36.011, GuardLogix 5580 (SIL 3 with the safety partner 3): <V33.017, Compact GuardLogix 5380 SIL 3: <V33.017, Compact GuardLogix 5380 SIL 3: <V34.014, Compact GuardLogix 5380 SIL 3: <V35.013, Compact GuardLogix 5380 SIL 3: <V36.011. Apply the following compensating controls:

HARDENINGIsolate GuardLogix controllers from the business network using a separate industrial network segment with controlled access

CVEs (1)

CVE-2025-24478

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f086293f-231a-4f0b-8a6f-ca0defe0379d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.