OTPulse

Rockwell Automation Micro800

Act Now · CVSS 9.8 · ICS-CERT ICSA-25-226-25 · Aug 14, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Rockwell Automation Micro800 series PLCs contain vulnerabilities in input validation and state management (CWE-1395, CWE-20) that could allow remote code execution or privilege escalation. Affected models include Micro820 LC20 (all versions below V14.011), Micro850 LC50 (all versions below V12.013), Micro870 LC70 (all versions below V12.013), Micro850 L50E (V20.011 through V22.011), and Micro870 L70E (V20.011 through V22.011).

What this means
What could happen
An attacker with network access to a vulnerable Micro800 PLC could execute arbitrary code or gain elevated privileges on the controller, potentially allowing them to modify process logic, alter setpoints, or disrupt manufacturing operations.
Who's at risk
Manufacturing facilities using Rockwell Automation Micro800 series PLCs (Micro820, Micro850, Micro870) for process control should be concerned. These compact PLCs are commonly used in packaging, material handling, assembly automation, and discrete manufacturing processes.
How it could be exploited
An attacker on the network sends a crafted message to the Micro800 PLC that bypasses input validation checks. This allows the attacker to execute code or escalate privileges on the controller without authentication, potentially through the native Rockwell protocol or industrial Ethernet interface.
Prerequisites
  • Network access to the PLC on its industrial Ethernet port
  • No authentication credentials required
remotely exploitable · no authentication required · low complexity · high CVSS score (9.8) · no patch available for legacy models
Exploitability
Moderate exploit probability (EPSS 5.0%)
Affected products (5)
2 with fix · 3 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| PLC Micro820 LC20 | < V14.011 | No fix (EOL) |
| PLC Micro850 LC50 | < V12.013 | No fix (EOL) |
| PLC Micro870 LC70 | < V12.013 | No fix (EOL) |
| PLC Micro850 L50E | ≥ V20.011 and ≤ V22.011 | V23.011 |
| PLC Micro870 L70E | ≥ V20.011 and ≤ V22.011 | V23.011 |

Remediation & Mitigation
Do now
HARDENING: Ensure PLCs are not directly accessible from the internet; place them behind firewalls and isolate industrial control networks from business networks
WORKAROUND: If remote access to PLCs is required, require all connections through a VPN and ensure VPN software is up to date
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Migrate Micro820 LC20 controllers to Micro820 L20E V23.011 or later when released (target September 2025)
HOTFIX: Migrate Micro850 LC50 controllers to Micro850 L50E V23.011 or later
HOTFIX: Migrate Micro870 LC70 controllers to Micro870 L70E V23.011 or later
HOTFIX: Update Micro850 L50E controllers to V23.011 or later
HOTFIX: Update Micro870 L70E controllers to V23.011 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: PLC Micro820 LC20 (< V14.011), PLC Micro850 LC50 (< V12.013), PLC Micro870 LC70 (< V12.013). Apply the following compensating controls:
HARDENING: Review and implement Rockwell Automation Security Best Practices for Micro800 controllers
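
To turn the affected-version table and remediation list above into an asset triage, the following added example (not OTPulse or Rockwell Automation code) classifies a firmware inventory against those ranges. The inventory rows, function names and status labels are constructed for illustration, and it assumes revisions are written as V<major>.<minor> and compare numerically.

```python
import re

# Affected ranges and actions transcribed from the advisory above.
EOL = "EOL, no fix: migrate to {} V23.011 or later"
RULES = {
    "LC20": (lambda v: v < (14, 11), EOL.format("Micro820 L20E") + " when released"),
    "LC50": (lambda v: v < (12, 13), EOL.format("Micro850 L50E")),
    "LC70": (lambda v: v < (12, 13), EOL.format("Micro870 L70E")),
    "L50E": (lambda v: (20, 11) <= v <= (22, 11), "update to V23.011 or later"),
    "L70E": (lambda v: (20, 11) <= v <= (22, 11), "update to V23.011 or later"),
}

def parse_version(text):
    """'V22.011' -> (22, 11); None if the string is not V<major>.<minor>."""
    # Assumption: major and minor are decimal and compared as integers.
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\s*", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(model, firmware):
    """Return (status, action) for one inventory row."""
    family = re.search(r"\b(LC20|LC50|LC70|L50E|L70E)\b", model.upper())
    if not family:
        return ("unknown-model", "identify the controller family manually")
    version = parse_version(firmware)
    if version is None:
        # Fail closed: an unreadable revision needs a human to check it.
        return ("unknown-version", "read the firmware revision from the controller")
    is_affected, action = RULES[family.group(1)]
    if is_affected(version):
        return ("affected", action)
    return ("not-listed", "outside the version ranges in the advisory")

# Constructed sample inventory (asset tag, model, firmware); not real data.
INVENTORY = [
    ("PKG-01", "Micro820 LC20", "V12.011"),
    ("PKG-02", "Micro850 L50E", "V22.011"),
    ("ASM-07", "Micro870 L70E", "V23.011"),
    ("ASM-09", "Micro850 LC50", "V12.013"),
    ("MH-03", "Micro870 LC70", "unknown"),
]

def report(inventory=INVENTORY):
    """Map each asset tag to its (status, action) pair."""
    return {tag: triage(model, fw) for tag, model, fw in inventory}

if __name__ == "__main__":
    for tag, (status, action) in report().items():
        print(f"{tag:8} {status:16} {action}")
```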