Rockwell Automation Stratix

Priority: Act Now
CVSS: 7.7
ICS-CERT: ICSA-25-282-03
Date: Sep 26, 2025
Vendor: Rockwell Automation
Attack path
  Attack Vector: Network
  Privileges Required: Low (valid user credentials)
  Attack Complexity: Low
  User Interaction: None
Summary

A stack-based buffer overflow exists in Rockwell Automation Stratix switches (Lifecycle Services with Stratix, and the 5200, 5400, 5410, 5700 and 5800 series, all versions). The Stratix line is built on Cisco IOS / IOS XE, which is why the mitigation guidance points to Cisco workarounds. Exploitation requires network access to the device management interface and valid credentials; a successful attack can execute arbitrary code with elevated privileges on the switch, putting network traffic, industrial device communications and switch operation at risk. Rockwell Automation has not released a patch and recommends applying the Cisco security workarounds and restricting network access to the management plane.

What this means
What could happen
An attacker with network access and valid credentials could run arbitrary code on a Stratix switch and from there alter its configuration, redirect or intercept industrial traffic, or disrupt communications to PLCs and field devices.
Who's at risk
Water and electric utilities, manufacturing facilities and other industrial sites that run Rockwell Automation Stratix switches as industrial network infrastructure are affected. This includes any organization using Lifecycle Services with Stratix, and specifically the Stratix 5200, 5400, 5410, 5700 and 5800 series switches that connect PLCs, RTUs and field devices.
How it could be exploited
An attacker reaches a Stratix switch over the network (in-band or via the management interface), authenticates with valid credentials, and sends crafted input to the vulnerable service to trigger the stack-based buffer overflow and execute arbitrary code with elevated privileges on the device.
Prerequisites
  • Network access to Stratix management interface (SSH, Telnet, or web GUI)
  • Valid user credentials (read or higher privilege level)
  • Ability to send crafted input to a vulnerable service
Tags: remotely exploitable; valid credentials required; actively exploited (CISA KEV); no patch available; affects network infrastructure; stack-based overflow (potential for code-reuse attacks)
Exploitability
  • Actively exploited: listed in the CISA Known Exploited Vulnerabilities (KEV) catalog
  • Public proof-of-concept (PoC) on GitHub (1 repository)
Affected products (7): 1 fix pending, 6 with no planned fix (EOL)

Product              Affected versions   Fix status
Lifecycle Services   All versions        No fix (EOL)
Stratix              All versions        No fix yet (pending)
Stratix 5200         ≤ v17.17.01         No fix (EOL)
Stratix 5700         ≤ v15.28E7          No fix (EOL)
Stratix 5400         ≤ v15.28E7          No fix (EOL)
Stratix 5410         ≤ v15.28E7          No fix (EOL)
Stratix 5800         ≤ v17.17.01         No fix (EOL)
Remediation & Mitigation

Do now
  • Workaround: Restrict network access to Stratix management interfaces with firewall rules. Allow only trusted engineering workstations and control system networks to reach SSH (TCP 22) and the HTTP/HTTPS web GUI (TCP 80/443), and disable Telnet (TCP 23) wherever it is still enabled.
  • Hardening: Enforce strong, unique credentials for every Stratix administrative account, and remove or disable default and shared accounts.
  • Workaround: Apply the Cisco-recommended security workarounds for this vulnerability on affected Stratix devices (see the Rockwell Automation security advisory for the specific steps).
Mitigations (no patch available)
The following products have reached end of life with no planned fix: Lifecycle Services (all versions), Stratix 5200 (≤ v17.17.01), Stratix 5700 (≤ v15.28E7), Stratix 5400 (≤ v15.28E7), Stratix 5410 (≤ v15.28E7), Stratix 5800 (≤ v17.17.01). Apply the following compensating controls:
  • Hardening: Segment the network so Stratix switches are isolated from untrusted networks and the internet; place them on a separate industrial network behind a firewall.
  • Hardening: If remote access to Stratix devices is required, route it through a VPN gateway or jump host rather than exposing management interfaces directly, and keep the VPN gateway on its latest patched version.
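The Cisco IOS configuration below is an added example of enforcing the "do now" controls on the switch itself: it is not taken from the Rockwell or Cisco advisories. Stratix switches run Cisco IOS / IOS XE, so the same ACL and line-configuration commands apply; the hostname, domain, addresses (10.10.1.0/24 as the engineering VLAN, 10.10.2.5 as the NMS), account names and secrets are placeholders. Beyond the SSH and HTTP/HTTPS ports the advisory names, it also locks down SNMP, which is included here as general management-plane hardening rather than as something the page states.

```cisco
! Added example: management-plane lockdown for a Stratix (Cisco IOS based) switch.
! Not taken from the Rockwell or Cisco advisory. All addresses, names and
! secrets are placeholders:
!   10.10.1.0/24  = engineering workstation VLAN (trusted)
!   10.10.2.5     = monitoring / NMS server (trusted)
!
! --- Typical weak state this replaces (shown for contrast, do not apply) ---
! line vty 0 15
!  transport input all          ! Telnet and SSH both reachable from anywhere
!  password cisco               ! shared, weak, reversible password
! ip http server                 ! plaintext web GUI from anywhere
! snmp-server community public RO
!
! --- Hardened state ---
hostname stratix-cell1
ip domain-name plant.example
!
! Allowlist for SSH and SNMP (named ACLs) and for the web GUI (numbered ACL,
! because ip http access-class on IOS 15.x takes a numbered standard ACL).
ip access-list standard MGMT-ALLOW
 permit 10.10.1.0 0.0.0.255
 deny   any log
access-list 10 permit 10.10.1.0 0.0.0.255
access-list 10 deny   any log
ip access-list standard SNMP-ALLOW
 permit host 10.10.2.5
 deny   any log
!
! SSH v2 only on the VTY lines, no Telnet, local accounts, idle timeout
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 access-class MGMT-ALLOW in
 transport input ssh
 exec-timeout 10 0
 login local
!
! Web GUI: HTTPS only, and only from the allowlist
no ip http server
ip http secure-server
ip http access-class 10
!
! SNMP: remove default communities, use v3 auth+priv, restrict by ACL
no snmp-server community public
no snmp-server community private
snmp-server view LIMITED iso included
snmp-server group NMS-RO v3 priv read LIMITED access SNMP-ALLOW
snmp-server user nms-ro NMS-RO v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase> access SNMP-ALLOW
!
! Per-person admin accounts with hashed secrets; remove shared/default accounts
! (the "no username admin" line only matters if such an account exists)
service password-encryption
username ot-admin privilege 15 secret <strong-unique-secret>
no username admin
enable secret <strong-unique-enable-secret>
login block-for 120 attempts 5 within 60
!
! Verify after applying:
!   show ip access-lists
!   show line vty 0 | include Allowed
!   show ip http server status
!   show snmp user
end
```

The ACLs implement the advisory's firewall-rule recommendation at the device, which matters when the segmentation firewall is missing or misconfigured; they do not replace it. The `deny any log` entries give a management-plane connection attempt from outside the allowlist a log line to alert on, which is the cheapest detection available while no patch exists.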
