OTPulse

Rockwell Automation ControlLogix Ethernet Modules

Act Now | 9.8 | ICS-CERT ICSA-25-226-28 | Aug 14, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

This vulnerability in Rockwell Automation ControlLogix Ethernet Modules (1756-EN2T/D, 1756-EN2F/C, 1756-EN2TR/C, 1756-EN3TR/B, 1756-EN2TP/A) allows remote attackers to perform memory dumps, modify process memory, and control program execution flow without authentication. The vulnerability affects modules running firmware version 11.004 and earlier. Successful exploitation could allow an attacker to read sensitive data, alter active process setpoints, change control logic, or disrupt PLC operation.

What this means
What could happen
An attacker with network access to a ControlLogix Ethernet Module could read sensitive data from device memory, modify active process parameters or logic, or cause the PLC to malfunction or stop executing programs.
Who's at risk
Manufacturing facilities and utilities using Rockwell Automation ControlLogix systems with Ethernet communication modules (1756-EN2T/D, EN2F/C, EN2TR/C, EN3TR/B, EN2TP/A) for process automation, remote monitoring, or supervisory control are at risk. This affects plants running PLCs for water treatment, power distribution, manufacturing lines, and any critical process control relying on these modules.
How it could be exploited
An attacker sends specially crafted network packets to the Ethernet Module on its native port (port 2222 by default for EtherNet/IP). The module fails to properly validate the request, allowing the attacker to access memory directly without authentication. From there, the attacker can dump memory contents, modify running logic, or redirect program execution to malicious code.
Prerequisites
  • Network access to the Ethernet Module (port 2222 or configured alternative)
  • No valid credentials or authentication required
  • Module running firmware version 11.004 or earlier
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available for affected versions
  • Critical CVSS score (9.8)
  • Affects PLCs controlling safety-critical processes
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (5)
5 with fix
Product         Affected Versions   Fix Status
1756-EN2T/D     ≤ 11.004            12.001
1756-EN2F/C     ≤ 11.004            12.001
1756-EN2TR/C    ≤ 11.004            12.001
1756-EN2TP/A    ≤ 11.004            12.001
1756-EN3TR/B    ≤ 11.004            12.001
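
An added example, not part of the OTPulse page or of Rockwell's tooling: a Python check that classifies modules in an asset inventory against the affected-products table above. The CSV columns, the asset names and the "verify" status for revisions the advisory does not cover are assumptions made for illustration.

```python
import csv
import io
import re

# Catalog/series pairs and revisions taken from the affected-products table.
AFFECTED = {"1756-EN2T/D", "1756-EN2F/C", "1756-EN2TR/C",
            "1756-EN2TP/A", "1756-EN3TR/B"}
LAST_VULNERABLE = (11, 4)   # 11.004 and earlier are affected
FIRST_FIXED = (12, 1)       # 12.001 or later carries the fix

def parse_revision(text):
    """Parse a 'major.minor' revision such as '11.004' into (11, 4)."""
    m = re.fullmatch(r"\s*[vV]?(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware revision: {text!r}")
    return int(m.group(1)), int(m.group(2))

def classify(catalog, series, firmware):
    """Return 'affected', 'fixed', 'verify' or 'not-listed' for one module."""
    key = f"{catalog.strip().upper()}/{series.strip().upper()}"
    if key not in AFFECTED:
        return "not-listed"      # other module or series: outside this advisory
    try:
        rev = parse_revision(firmware)
    except ValueError:
        return "verify"          # revision missing or unreadable in inventory
    if rev <= LAST_VULNERABLE:
        return "affected"
    if rev >= FIRST_FIXED:
        return "fixed"
    return "verify"              # between 11.004 and 12.001: advisory is silent

# Constructed sample inventory (hypothetical asset names and column layout).
SAMPLE_INVENTORY = """asset,catalog,series,firmware
WTP-PLC01-slot2,1756-EN2T,D,11.004
WTP-PLC02-slot1,1756-en2tr,c,12.001
LINE3-PLC-slot4,1756-EN3TR,B,10.010
LINE3-PLC-slot5,1756-EN2T,C,10.007
SUB-PLC07-slot1,1756-EN2TP,A,unknown
"""

def audit(csv_text):
    """Map each asset in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["asset"]: classify(r["catalog"], r["series"], r["firmware"])
            for r in rows}

if __name__ == "__main__":
    for asset, status in audit(SAMPLE_INVENTORY).items():
        print(f"{asset:18} {status}")
```

Modules reported as "verify" need their revision confirmed on the device before they are treated as patched.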
Remediation & Mitigation
Do now
HARDENING: Restrict network access to ControlLogix Ethernet Modules: do not expose to the internet, place behind firewall, and isolate from business networks
WORKAROUND: If remote access to the module is required, implement a VPN connection rather than direct internet exposure
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update ControlLogix Ethernet Module firmware to Version 12.001 or later
Long-term hardening
HARDENING: Perform network segmentation so ControlLogix devices operate on a dedicated control system network separated from corporate IT