Rockwell Automation Lifecycle Services with Cisco

Act Now | CVSS 7.7 | ICS-CERT ICSA-25-282-02 | Oct 9, 2025
Rockwell Automation | Manufacturing
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Rockwell Automation Lifecycle Services with Cisco integrations (Industrial Data Center and managed support contracts) contain a buffer overflow vulnerability in handling user input, allowing authenticated users to execute arbitrary code. Affected are IDC Generations 1–5, IDC-Managed Support, Network-Managed Support (all versions), and Firewall-Managed Support contracts (all versions). The vulnerability has a CVSS score of 7.7 and is actively being exploited in the wild. Rockwell Automation has stated no firmware fix will be available; users must rely on network isolation, access controls, and Cisco-provided workarounds.

What this means
What could happen
An attacker with valid credentials could execute arbitrary code on affected Rockwell Automation Lifecycle Services platforms, potentially allowing them to alter manufacturing processes, disrupt production, or compromise control system integrity.
Who's at risk
Manufacturing facilities using Rockwell Automation Lifecycle Services for infrastructure management, particularly those with Industrial Data Center (IDC) deployments or managed support contracts that integrate Cisco networking equipment. This includes any organization relying on these services to manage plant networks, remote access, or automated support.
How it could be exploited
An attacker with valid user credentials gains network access to the Rockwell Automation Lifecycle Services platform. They exploit a buffer overflow vulnerability (CWE-121) in the service to execute arbitrary code with the privileges of the service account. Once code execution is achieved, the attacker can run commands on the platform, which may be networked to production PLCs and controllers.
Prerequisites
  • Valid user credentials for Rockwell Automation Lifecycle Services
  • Network access to the affected Lifecycle Services platform (typically internal or over managed VPN)
  • The affected product must be running Generations 1–5 (IDC variants) or any version of Network/Firewall-Managed Support contracts

actively exploited (KEV) | requires valid credentials but accessible remotely | affects control system infrastructure management platform | no vendor patch planned | buffer overflow vulnerability (code execution risk) | platform may have access to production control systems
Exploitability
Actively exploited — confirmed by CISA KEV
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (4)
4 EOL
Product | Affected Versions | Fix Status
Industrial Data Center (IDC) with Cisco Switching | ≥ Generations 1, ≤ 5 | No fix (EOL)
IDC-Managed Support contract with Cisco Switching | ≥ Generations 1, ≤ 5 | No fix (EOL)
Network-Managed Support contract with Cisco network switch | All versions | No fix (EOL)
Firewall-Managed Support contract with Cisco firewall | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • WORKAROUND: Contact Rockwell Automation immediately if you have an active Infrastructure Managed Service contract to receive remediation guidance and temporary mitigations
  • WORKAROUND: For organizations without a managed services contract, apply Cisco's published workarounds for the underlying Cisco network infrastructure components
  • HARDENING: Restrict network access to the Rockwell Automation Lifecycle Services platform to authorized users and systems only; block internet-facing access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Isolate the Lifecycle Services platform from the production manufacturing network using firewalls or network segmentation; keep it on a separate management network
  • HARDENING: If remote access to the Lifecycle Services platform is required, enforce VPN access with strong authentication (multi-factor authentication) and keep VPN software updated
  • HARDENING: Monitor all authentication and access attempts to the Lifecycle Services platform for suspicious activity; log and report any unauthorized access attempts