OTPulse

Rockwell Automation Stratix

Act Now | CVSS 7.7 | ICS-CERT ICSA-25-282-03 | Oct 9, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Vulnerability in Rockwell Automation Stratix industrial managed switches allows arbitrary code execution on affected devices. The vulnerability requires login credentials (authentication) but can impact the availability and integrity of network operations if exploited. Affected versions: Stratix 5700, 5400, 5410 ≤v15.28E7; Stratix 5200, 5800 ≤v17.17.01. No vendor patches are available at this time.

What this means
What could happen
An attacker with network access and login credentials could execute arbitrary code on Stratix switches, potentially disrupting network connectivity for critical plant equipment like PLCs, RTUs, and HMIs. This could halt production operations or compromise control system communications.
Who's at risk
Water authorities and utilities operating Rockwell Automation Stratix 5200, 5400, 5410, 5700, or 5800 managed industrial switches. These devices are commonly used in SCADA networks to connect PLCs, RTUs (remote terminal units), and engineering workstations. Compromised switches could disrupt communications between control room systems and field equipment.
How it could be exploited
An attacker must first gain access to your network and authenticate to the Stratix switch management interface using valid credentials. Once authenticated, the attacker can exploit the code execution vulnerability to run arbitrary commands on the switch. Network access could come through compromised engineering workstations, vendor support connections, or lateral movement from compromised IT systems.
Prerequisites
  • Network connectivity to the Stratix switch management interface (typically port 22 for SSH or ports 80/443 for HTTP/HTTPS)
  • Valid login credentials for the Stratix switch (engineering workstation account or administrative account)
  • Device running a vulnerable firmware version (≤v15.28E7 for 5700/5400/5410, ≤v17.17.01 for 5200/5800)
Remotely exploitable via network | Requires valid credentials (reduces but does not eliminate risk) | Actively exploited (KEV status) | No patch available from vendor | Affects network infrastructure supporting safety-critical operations | High CVSS score (7.7)
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (5)
5 EOL
Product | Affected Versions | Fix Status
Stratix 5200 | ≤ v17.17.01 | No fix (EOL)
Stratix 5700 | ≤ v15.28E7 | No fix (EOL)
Stratix 5400 | ≤ v15.28E7 | No fix (EOL)
Stratix 5410 | ≤ v15.28E7 | No fix (EOL)
Stratix 5800 | ≤ v17.17.01 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Stratix switch management interfaces. Allow SSH/HTTPS access only from trusted engineering workstations and administrative networks. Use firewall rules to block access from the business network and internet.
HARDENING: Enforce strong, unique passwords on all Stratix switch administrative accounts. If possible, implement account lockout policies to prevent credential brute-force attempts.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Disable remote management access to Stratix switches unless absolutely required. Use out-of-band management (serial console) or local access for routine maintenance.
HARDENING: Monitor Stratix switch access logs for unexpected login attempts or administrative activity. Alert on failed authentication attempts and unusual command execution.
HARDENING: If remote access to Stratix switches is required, use a VPN with multi-factor authentication and encrypt all traffic. Ensure VPN software is patched to the latest version.
HOTFIX: Monitor the Rockwell Automation security page and CISA advisories for future patches or firmware updates. Establish a process to apply patches within 30 days of release.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Stratix 5200: <=v17.17.01, Stratix 5700: <=v15.28E7, Stratix 5400: <=v15.28E7, Stratix 5410: <=v15.28E7, Stratix 5800: <=v17.17.01. Apply the following compensating controls:
HARDENING: Segment the SCADA network so Stratix switches are isolated from business networks and the internet. Implement network access controls between control system zones.