Rockwell Automation CompactLogix® 5480

Monitor6.8ICS-CERT ICSA-25-252-06Sep 9, 2025

Attack VectorPhysical

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A missing authentication check (CWE-306) in Rockwell Automation CompactLogix 5480 firmware version 32-37.011_with_Windows_package_2.1.0_Win10_v1607 allows arbitrary code execution. The vulnerability requires physical access to the device and is not remotely exploitable. Successful exploitation could result in unauthorized code execution on the PLC, enabling an attacker to alter process logic or control setpoints.

What this means

What could happen

An attacker with physical access to a CompactLogix 5480 controller could execute arbitrary code, potentially altering PLC logic, process setpoints, or shutting down critical operations in water treatment, distribution, or power systems.

Who's at risk

Water utilities, municipal electric utilities, and other critical infrastructure operators running CompactLogix 5480 controllers in SCADA systems, PLC logic controllers, or process automation equipment should assess exposure. This affects any organization where the 32-37.011_with_Windows_package_2.1.0_Win10_v1607 version is deployed.

How it could be exploited

An attacker would need physical access to the device. Once at the device, they could exploit the missing authentication check (CWE-306) to inject and execute arbitrary code on the PLC without requiring valid credentials or interaction from the operator.

Prerequisites

Physical access to the CompactLogix 5480 controller
No credentials or authentication required once physical access is obtained

no authentication requiredno patch availablephysical access required (mitigates risk)affects safety systems (potential)

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (1)

ProductAffected VersionsFix Status

CompactLogix® 5480: 32-37.011_with_Windows_package_2.1.0_Win10_v160732-37.011 with Windows package 2.1.0 Win10 v1607No fix yet

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict physical access to CompactLogix 5480 devices using locked cabinets or equipment rooms with badge/key control

HARDENINGPlace CompactLogix 5480 controllers behind locked mechanical covers or enclosures to prevent unauthorized physical connection

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGIsolate PLC networks behind firewalls to prevent any remote access attempts, recognizing this vulnerability requires physical access but limiting overall attack surface

Long-term hardening

0/1

HARDENINGMonitor physical access logs and security camera footage of equipment rooms where CompactLogix 5480 controllers are installed

CVEs (1)

CVE-2025-9160

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/67d63862-8f21-4b54-9602-b87b732825ac