Rockwell Automation ControlLogix Ethernet Modules

Plan PatchCVSS 9.8ICS-CERT ICSA-25-226-28Aug 14, 2025

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Rockwell Automation ControlLogix Ethernet Modules contain a vulnerability that allows remote attackers to perform memory dumps, modify memory, and control execution flow without authentication. Affected products include 1756-EN2T/D, 1756-EN2F/C, 1756-EN2TR/C, 1756-EN2TP/A, and 1756-EN3TR/B with firmware version 11.004 and earlier. The ControlLogix Ethernet Remote module (all versions) does not have a planned fix.

What this means

What could happen

An attacker could remotely dump memory from or gain arbitrary code execution on your ControlLogix Ethernet Modules, potentially altering process logic, modifying setpoints, or shutting down critical manufacturing or utility operations.

Who's at risk

This affects manufacturing plants, water utilities, power systems, and any facility using Rockwell ControlLogix Ethernet Modules for process automation. Equipment types include 1756-EN2 and 1756-EN3 series Ethernet modules used in industrial PLCs and process control systems. Utilities and industrial sites running these modules are at risk of operational disruption or unsafe process states.

How it could be exploited

An attacker with network access to your ControlLogix Ethernet Module (no credentials required) could send crafted network packets to trigger memory disclosure or code execution, allowing direct manipulation of PLC memory and program logic.

Prerequisites

Network access to the ControlLogix Ethernet Module on port 2222 (or standard EtherNet/IP ports)
No authentication required

remotely exploitableno authentication requiredlow complexityhigh CVSS (9.8)affects safety-critical control systems

Exploitability

Unlikely to be exploited — EPSS score 0.8%

Affected products (6)

5 with fix1 EOL

ProductAffected VersionsFix Status

1756-EN2T/D: <=11.004≤ 11.00412.001

1756-EN2F/C: <=11.004≤ 11.00412.001

1756-EN2TR/C: <=11.004≤ 11.00412.001

1756-EN2TP/A: <=11.004≤ 11.00412.001

ControlLogix Ethernet RemoteAll versionsNo fix (EOL)

1756-EN3TR/B: <=11.004≤ 11.00412.001

Remediation & Mitigation

0/4

Do now

0/2

ControlLogix Ethernet Remote

WORKAROUNDFor ControlLogix Ethernet Remote modules (no patch available), implement strict firewall rules to deny inbound access and require VPN with multi-factor authentication for any remote access

All products

WORKAROUNDRestrict network access to ControlLogix Ethernet Modules from the internet and untrusted networks using firewall rules

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate ControlLogix Ethernet Modules (1756-EN2T/D, 1756-EN2F/C, 1756-EN2TR/C, 1756-EN2TP/A, 1756-EN3TR/B) to firmware version 12.001 or later

Mitigations - no patch available

0/1

ControlLogix Ethernet Remote has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate ControlLogix control system networks from business/IT networks using network segmentation or air-gapped architecture

CVEs (1)

CVE-2025-7353

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8b7f9547-f216-400d-88f2-58bd8635967b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.