Rockwell Automation Micro800

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-25-226-25 | Aug 14, 2025
Rockwell Automation | Manufacturing
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

Rockwell Automation Micro800 PLCs contain vulnerabilities that could allow remote code execution without authentication or user interaction. Successful exploitation could enable an attacker to run arbitrary code on the PLC, potentially disrupting industrial processes or altering equipment behavior. The vulnerabilities affect multiple Micro800 product lines: Micro820 LC20 (no fix available, migration recommended), Micro850 LC50 (no fix available, migration recommended), Micro870 LC70 (no fix available, migration recommended), Micro850 L50E (fixed in V23.011), and Micro870 L70E (fixed in V23.011). Legacy LC-series models are end-of-life and will not receive security updates.

What this means
What could happen
An attacker with network access to a Micro800 PLC could execute arbitrary code on the device, potentially altering process setpoints, stopping production, or causing unsafe equipment operation. Depending on access permissions, the attacker could also escalate privileges to engineering-level control.
Who's at risk
Manufacturing facilities using Rockwell Automation Micro800 PLCs (Micro820, Micro850, Micro870 series) in production automation, motor control, pump stations, or other process control applications should assess their exposure. The vulnerability affects both legacy models (LC20, LC50, LC70) and newer models (L50E, L70E) if running vulnerable firmware versions.
How it could be exploited
An attacker on the network segment containing the PLC can send crafted packets to the device without authentication, triggering remote code execution. Because the attack is low in complexity and requires no user interaction, the attacker can exploit the vulnerability remotely and directly.
Prerequisites
  • Network access to the Micro800 PLC from an untrusted network segment
  • No credentials required
remotely exploitable; no authentication required; low complexity; affects production control systems; legacy models (LC-series) will not receive patches
Exploitability
Some exploitation risk — EPSS score 5.0%
Affected products (5)
2 with fix, 3 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| PLC Micro820 LC20 | < V14.011 | No fix (EOL) |
| PLC Micro850 LC50 | < V12.013 | No fix (EOL) |
| PLC Micro870 LC70 | < V12.013 | No fix (EOL) |
| PLC Micro850 L50E | ≥ V20.011, ≤ V22.011 | V23.011 |
| PLC Micro870 L70E | ≥ V20.011, ≤ V22.011 | V23.011 |
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to Micro800 PLCs using firewall rules; ensure they are not reachable from the internet or untrusted network segments
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • HOTFIX: Update Micro850 L50E to firmware version V23.011 or later
  • HOTFIX: Update Micro870 L70E to firmware version V23.011 or later
Long-term hardening
  • HOTFIX: For Micro820 LC20, Micro850 LC50, and Micro870 LC70: Plan migration to newer hardware models (L20E, L50E, L70E) running V23.011 or later, as these end-of-life devices will not receive security updates
Mitigations - no patch available
The following products have reached End of Life with no planned fix: PLC Micro820 LC20: <V14.011, PLC Micro850 LC50: <V12.013, PLC Micro870 LC70: <V12.013. Apply the following compensating controls:
  • HARDENING: Isolate control system networks from business networks using network segmentation or air-gapping
  • HARDENING: If remote access to PLCs is required, implement a secure VPN with current security patches rather than direct network exposure
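To sort an asset inventory into the remediation tracks above, the following added example (not part of the advisory or any Rockwell Automation tooling) classifies each controller by model and firmware using the version bounds from the affected-products list. The status names, the inventory rows, and the assumption that firmware strings look like `V22.011` and compare as (major, minor) integers are all constructed for illustration.

```python
import re

# Version bounds transcribed from this advisory's affected-products table.
EOL_BELOW = {"LC20": (14, 11), "LC50": (12, 13), "LC70": (12, 13)}
PATCH_RANGE = {"L50E": ((20, 11), (22, 11)), "L70E": ((20, 11), (22, 11))}
FIXED_IN = (23, 11)  # V23.011

# Hypothetical status labels mapped to the advisory's remediation tracks.
ACTIONS = {
    "AFFECTED_EOL": "no fix: restrict network access, isolate, plan migration",
    "EOL_REVIEW": "outside listed range but end-of-life: plan migration",
    "AFFECTED_PATCH": "update to V23.011 or later in a maintenance window",
    "FIXED": "at or above V23.011: no firmware action",
    "REVIEW": "outside listed range and below V23.011: check vendor advisory",
    "NOT_LISTED": "model not covered by this advisory",
}

def parse_version(text):
    """Turn 'V22.011' into a comparable (major, minor) tuple of ints."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\s*", text)
    if m is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(model, firmware):
    """Classify one controller against the advisory's version bounds."""
    model, ver = model.strip().upper(), parse_version(firmware)
    if model in EOL_BELOW:
        return "AFFECTED_EOL" if ver < EOL_BELOW[model] else "EOL_REVIEW"
    if model in PATCH_RANGE:
        low, high = PATCH_RANGE[model]
        if ver >= FIXED_IN:
            return "FIXED"
        return "AFFECTED_PATCH" if low <= ver <= high else "REVIEW"
    return "NOT_LISTED"

# Constructed sample inventory (asset names and firmware values are made up).
INVENTORY = [
    ("pump-station-1", "LC50", "V12.011"),
    ("line-3-conveyor", "L50E", "V21.011"),
    ("line-4-filler", "L70E", "V23.011"),
    ("test-bench", "L70E", "V12.013"),
]

def triage_inventory(rows):
    return [(name, triage(model, fw)) for name, model, fw in rows]

if __name__ == "__main__":
    for name, status in triage_inventory(INVENTORY):
        print(f"{name:16} {status:15} {ACTIONS[status]}")
```

Firmware values that fall between the listed ranges are reported as REVIEW rather than assumed safe, since the advisory does not state their status.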

Rockwell Automation Micro800 | CVSS 9.8 - OTPulse