Rockwell Automation ArmorBlock 5000 I/O - Webserver

Plan Patch | CVSS 8.6 | ICS-CERT ICSA-25-226-27 | Aug 14, 2025
Vendor: Rockwell Automation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Rockwell Automation ArmorBlock 5000 I/O webserver contains authorization and authentication flaws (CWE-863, CWE-287) that allow attackers to predict session identifiers and perform privileged actions without proper authorization. Affected models 5032-CFGB16M12M12LDR, 5032-CFGB16M12P5DR, and 5032-CFGB16M12DR running firmware version 1.011 and below are vulnerable. No firmware updates are planned by Rockwell Automation.

What this means
What could happen
An attacker with network access to the ArmorBlock 5000 webserver could hijack admin sessions or execute unauthorized commands, potentially altering I/O settings, process parameters, or stopping field operations controlled by the device.
Who's at risk
Water authorities, electric utilities, and manufacturers using Rockwell Automation ArmorBlock 5000 I/O modules for remote field device control should assess their exposure. This impacts facilities that rely on the webserver for configuration, monitoring, or operation of distributed I/O across pump stations, substations, or remote process equipment.
How it could be exploited
An attacker on the network reaches the device's webserver (port 80/443). By exploiting the weak session ID generation or lack of authorization checks, the attacker predicts a valid session token or escalates to administrator privileges without credentials, then executes commands to modify I/O configuration or process settings.
Prerequisites
  • Network access to the ArmorBlock 5000 webserver
  • Direct or routed connectivity to HTTP/HTTPS ports on the device
Tags: remotely exploitable; no authentication required for some functions; low complexity; no patch available; affects remote I/O control in distributed environments
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (3), all End of Life (EOL)

Product | Affected Versions | Fix Status
5032-CFGB16M12M12LDR | ≤ 1.011 | No fix (EOL)
5032-CFGB16M12P5DR | ≤ 1.011 | No fix (EOL)
5032-CFGB16M12DR | ≤ 1.011 | No fix (EOL)
Remediation & Mitigation

Do now
  • HARDENING: Isolate ArmorBlock 5000 devices from business networks; place them behind firewalls with access restricted to authorized engineering workstations only
  • HARDENING: Disable direct Internet access to the webserver; ensure devices are not reachable from outside your facility network
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: If remote engineering access is required, route all connections through a secure VPN or jump server rather than exposing the webserver directly
Mitigations - no patch available
The following products have reached End of Life with no planned fix: 5032-CFGB16M12M12LDR (≤ 1.011), 5032-CFGB16M12P5DR (≤ 1.011), 5032-CFGB16M12DR (≤ 1.011). Apply the following compensating controls:
  • HARDENING: Monitor webserver access logs for suspicious session activity or unexpected administrative commands
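The log-monitoring control above is the only compensating control available for these EOL modules, so it is worth making concrete. The script below is an added example, not code from the advisory or from Rockwell Automation. It assumes a hypothetical access-log format (client IP, session id, request line, status) and hypothetical path names (`/login`, `/admin/...`); the ArmorBlock 5000 webserver's real log format and URL layout are not given on this page, so the regex and path prefixes must be adapted to what the device, or a proxy or jump server in front of it, actually records. It flags the two symptoms that CWE-287/CWE-863 abuse of a session would leave in logs: one session id appearing from more than one client address (a hijacked or predicted token) and an administrative request from a session that never completed a login (a missing authorization check).

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical format:
#   <client_ip> sid=<session_id> "<METHOD> <path>" <status>
# Not the device's real format; adapt LINE_RE to your actual logs.
SAMPLE_LOG = """\
10.0.5.20 sid=1001 "POST /login" 200
10.0.5.20 sid=1001 "GET /status" 200
10.0.5.20 sid=1001 "POST /admin/config" 200
10.0.9.77 sid=1001 "POST /admin/config" 200
10.0.9.77 sid=1002 "POST /admin/config" 200
10.0.5.21 sid=1003 "POST /login" 200
10.0.5.21 sid=1003 "GET /status" 200
"""

LINE_RE = re.compile(r'^(\S+) sid=(\S+) "(\S+) (\S+)" (\d{3})$')

# Hypothetical paths: anything under these prefixes is treated as privileged.
ADMIN_PREFIXES = ("/admin/", "/config")
LOGIN_PATH = "/login"


def parse_log(text):
    """Parse log lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, sid, method, path, status = m.groups()
        events.append({"ip": ip, "sid": sid, "method": method,
                       "path": path, "status": int(status)})
    return events


def find_suspicious_sessions(events):
    """Return findings keyed by session id.

    shared:   sessions observed from more than one client IP (possible
              hijack via a predicted or stolen session id)
    no_login: sessions that reached an admin path without a prior
              successful login (authorization bypass)
    """
    ips_by_sid = defaultdict(set)
    logged_in = set()
    no_login = {}
    for ev in events:
        sid = ev["sid"]
        ips_by_sid[sid].add(ev["ip"])
        if ev["path"] == LOGIN_PATH and ev["status"] == 200:
            logged_in.add(sid)
            continue
        if ev["path"].startswith(ADMIN_PREFIXES) and sid not in logged_in:
            no_login.setdefault(sid, []).append(
                (ev["ip"], ev["method"], ev["path"]))
    shared = {sid: sorted(ips) for sid, ips in ips_by_sid.items()
              if len(ips) > 1}
    return {"shared": shared, "no_login": no_login}


def main():
    findings = find_suspicious_sessions(parse_log(SAMPLE_LOG))
    for sid, ips in findings["shared"].items():
        print(f"ALERT session {sid} used from multiple IPs: {', '.join(ips)}")
    for sid, hits in findings["no_login"].items():
        for ip, method, path in hits:
            print(f"ALERT session {sid} from {ip} hit {method} {path} "
                  "without a prior login")


if __name__ == "__main__":
    main()
```

On the constructed sample this raises two alerts: session 1001 is seen from both 10.0.5.20 and 10.0.9.77, and session 1002 issues an administrative POST without ever logging in. Because the device itself cannot be patched, running this kind of check against logs collected at the jump server or firewall in front of the module is what turns the "monitor access logs" control into something that actually produces a signal.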