OTPulse

Rockwell Automation ArmorBlock 5000 I/O - Webserver

Plan Patch | CVSS 8.6 | ICS-CERT ICSA-25-226-27 | Aug 14, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Rockwell Automation ArmorBlock 5000 I/O models 5032-CFGB16M12DR, 5032-CFGB16M12M12LDR, and 5032-CFGB16M12P5DR firmware versions 1.011 and earlier contain weak session management (CWE-863) and missing authorization checks (CWE-287) in the embedded webserver. These flaws allow an attacker to predict session tokens or bypass authentication to perform privileged actions such as configuration changes without valid credentials.

What this means
What could happen
An attacker with network access to the ArmorBlock 5000 I/O webserver could predict session tokens or perform privileged administrative actions without valid credentials, potentially allowing unauthorized configuration changes or process disruption at your facility.
Who's at risk
Water authorities and electric utilities using Rockwell Automation ArmorBlock 5000 I/O distributed I/O modules should care. These devices are used for remote field monitoring and control of pumps, motors, valves, and other critical assets. Compromised access could allow unauthorized changes to setpoints, equipment lockout/shutdown, or data exfiltration.
How it could be exploited
An attacker on the network reaches the ArmorBlock 5000 webserver (typically port 80 or 443) and exploits weak session management or missing authorization checks to either predict valid session numbers or bypass authentication to access privileged functions.
Prerequisites
  • Network access to the ArmorBlock 5000 I/O webserver (port 80 or 443)
  • Device must be reachable from attacker's network segment
  • No valid credentials required
Remotely exploitable | No authentication required | Low complexity attack | No patch available for affected versions | High CVSS score (8.6) | Affects I/O control devices
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
5032-CFGB16M12M12LDR | ≤ 1.011 | No fix (EOL)
5032-CFGB16M12P5DR | ≤ 1.011 | No fix (EOL)
5032-CFGB16M12DR | ≤ 1.011 | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate the ArmorBlock 5000 I/O devices behind a firewall; restrict network access to the webserver port (80/443) to only authorized engineering workstations or VPN connections
  • HARDENING: Ensure ArmorBlock 5000 devices are not exposed to the Internet or business network; segment them onto a separate control system network
  • HARDENING: If remote access is required, enforce access through a VPN with strong authentication (multi-factor if possible) rather than direct Internet access
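
One way to verify that the first hardening step is actually in effect, as an added example that is not part of the advisory or any Rockwell Automation tooling: the script audits firewall flow records for traffic to the I/O modules' webserver ports (80/443) from sources outside an allowlist. The device subnet, allowed source addresses, and CSV record layout are assumptions, and the sample records are constructed.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumptions (not from the advisory): addressing plan and flow-record layout.
DEVICE_NET = ip_network("10.20.30.0/24")          # ArmorBlock 5000 I/O modules
ALLOWED_SOURCES = [ip_network("10.20.40.10/32"),  # engineering workstation
                   ip_network("10.99.0.0/28")]    # VPN address pool
WEB_PORTS = {80, 443}

# Constructed sample: timestamp,src_ip,dst_ip,dst_port,action
SAMPLE_FLOWS = """\
2025-08-14T09:00:01Z,10.20.40.10,10.20.30.21,443,allow
2025-08-14T09:02:17Z,10.50.8.77,10.20.30.21,80,allow
2025-08-14T09:03:40Z,10.99.0.5,10.20.30.22,443,allow
2025-08-14T09:05:02Z,192.0.2.44,10.20.30.22,443,deny
2025-08-14T09:06:30Z,10.50.8.77,10.20.30.21,44818,allow
2025-08-14T09:07:11Z,not-an-ip,10.20.30.21,80,allow
"""

def audit_flows(text):
    """Return (violations, blocked, malformed) for webserver-port traffic."""
    violations, blocked, malformed = [], [], []
    for row in csv.reader(io.StringIO(text)):
        try:
            ts, src, dst, port, action = row
            src, dst, port = ip_address(src), ip_address(dst), int(port)
        except ValueError:
            malformed.append(row)          # never silently skip bad records
            continue
        if dst not in DEVICE_NET or port not in WEB_PORTS:
            continue                       # out of scope for this check
        if any(src in net for net in ALLOWED_SOURCES):
            continue                       # authorized workstation or VPN
        record = (ts, str(src), str(dst), port)
        # An allowed flow means the firewall rule is missing or too broad;
        # a denied one shows the rule working against an unauthorized source.
        (violations if action == "allow" else blocked).append(record)
    return violations, blocked, malformed

if __name__ == "__main__":
    v, b, m = audit_flows(SAMPLE_FLOWS)
    print("unauthorized and ALLOWED:", v)
    print("unauthorized but blocked:", b)
    print("malformed records:", m)
```

Any entry in the first list indicates a path to the webserver that the firewall policy should have closed.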
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Check Rockwell Automation's release notes for any firmware updates that address these vulnerabilities and plan a maintenance window to install if available