OTPulse

Rockwell Automation ControlLogix 5580

Plan Patch · CVSS 7.5 · ICS-CERT ICSA-25-252-07 · Sep 9, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The ControlLogix 5580 controller contains a null pointer dereference vulnerability (CWE-476) in version 35.013. A remote attacker can send a specially crafted message over the network to trigger a major nonrecoverable fault, causing the controller to crash and stop processing. The controller must be manually recovered, disrupting automation until it restarts. Rockwell Automation recommends updating to firmware version 35.014 or later.

What this means
What could happen
A remote attacker could trigger a major nonrecoverable fault on a ControlLogix 5580 controller, causing it to stop responding and requiring manual recovery. This disrupts process control and plant operations until the controller is recovered.
Who's at risk
Water treatment authorities, electric utilities, and any facility relying on Rockwell ControlLogix 5580 controllers for critical process automation. This affects PLCs managing pressure regulation, chemical dosing, power distribution, and other essential operations.
How it could be exploited
An attacker with network access to the ControlLogix 5580 controller can send a specially crafted message that triggers a null pointer dereference or similar memory fault in the firmware. No authentication or complex conditions are required; the fault can be triggered remotely over the network.
Prerequisites
  • Network reachability to the ControlLogix 5580 controller (typically port 2222 for EtherNet/IP or proprietary Rockwell ports)
  • No authentication required
Tags: remotely exploitable · no authentication required · low complexity · high CVSS score (7.5) · affects safety-critical systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
ControlLogix 5580: 35.013 | 35.013 | 35.014 or later
Remediation & Mitigation
Do now
WORKAROUND: If a firmware upgrade cannot be scheduled, configure firewall rules to restrict network access to the ControlLogix 5580 controller: allow only known engineering workstations and control system networks, and deny internet-facing exposure.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update ControlLogix 5580 firmware to version 35.014 or later
Long-term hardening
HARDENING: Isolate control system networks from business networks using network segmentation (DMZ, firewall rules, or air gap)
HARDENING: If remote access to the controller is required, implement VPN with strong authentication and keep VPN software updated