Rockwell Automation ControlLogix 5580

Plan PatchCVSS 7.5ICS-CERT ICSA-25-252-07Sep 9, 2025

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A null pointer dereference vulnerability (CWE-476) in Rockwell Automation ControlLogix 5580 controller firmware version 35.013 can cause a major nonrecoverable fault on the controller. Successful exploitation results in denial of service.

What this means

What could happen

An attacker with network access to the controller could trigger a crash that stops the PLC and requires manual restart, disrupting your process control operations until the device recovers.

Who's at risk

Water treatment and wastewater facilities, electric utilities, and other critical infrastructure operators using Rockwell Automation ControlLogix 5580 PLCs for process control should prioritize this update. Any site running firmware version 35.013 is affected.

How it could be exploited

An attacker who can reach the controller on your network could send a malformed command packet to trigger a null pointer dereference in the firmware, causing the PLC to fault and stop responding to legitimate process control commands.

Prerequisites

Network access to the ControlLogix 5580 controller (typically port 2222 for EtherNet/IP)
No credentials required
Controller firmware version 35.013

remotely exploitableno authentication requiredlow complexityaffects critical process control equipmentdenial of service/availability impact

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (2)

1 with fix1 EOL

ProductAffected VersionsFix Status

ControlLogix 5580: 35.01335.01335.014+

ControlLogix 5580 V35.013All versionsNo fix (EOL)

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to the ControlLogix 5580 controller—allow only authorized engineering workstations and HMI systems to communicate with it

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate ControlLogix 5580 firmware to version 35.014 or later

Mitigations - no patch available

0/1

ControlLogix 5580 V35.013 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate the control system network from the business network using a firewall with ingress/egress rules that block unsolicited inbound traffic to the PLC

CVEs (1)

CVE-2025-9166

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/84769043-5c30-4f6a-8120-9d138e83307e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.