OTPulse

Rockwell Automation Micro820, Micro850, Micro870

Monitor · 7.5 · ICS-CERT ICSA-25-352-07 · Dec 18, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Denial-of-service vulnerabilities in Rockwell Automation Micro820, Micro850, and Micro870 controllers (CVE-2025-13823 and related) can cause the affected controllers to become unresponsive when handling specially crafted network traffic. Micro820 V14.011 and prior have no patch available; Micro850/870 versions prior to V12.013 are vulnerable. The vulnerability exists due to improper handling of network input (CWE-1395, CWE-763) and affects IPv4 and IPv6 protocols.

What this means
What could happen
An attacker could cause a denial-of-service condition that stops the controller from responding, halting monitoring and control of connected process equipment like pumps, motors, or valve actuators until the device is manually restarted.
Who's at risk
Water utilities, electric distribution operators, and other municipalities running Rockwell Automation Micro820, Micro850, or Micro870 programmable logic controllers (PLCs) for pump stations, motor control centers, or SCADA I/O modules should assess their exposure. Any facility using these controllers for critical process control is at risk.
How it could be exploited
An attacker with network access to the controller can send specially crafted network packets to trigger a crash or resource exhaustion condition, causing the Micro820/850/870 to stop accepting commands and become unresponsive.
Prerequisites
  • Network access to the Micro820/850/870 controller on the port(s) it listens on
  • No authentication required to trigger the vulnerability
Remotely exploitable · No authentication required · Low complexity attack · Affects critical control systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Micro820 | ≤ V14.011 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable IPv6 functionalities on affected devices if IPv6 is not required for operations
HARDENING: Implement firewall rules to restrict network access to controller ports from trusted engineering networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Micro820 controllers to L20E V23.011 or later
HOTFIX: Update Micro850/870 controllers to V12.013 or later
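
To assess exposure against the version ranges in the summary, the following added example (not part of the advisory or any Rockwell tooling) triages an asset inventory by controller family and firmware revision. The inventory format, asset names and firmware values are constructed, and treating a Micro820 above V14.011 as outside the affected range is an assumption, since the page states only "V14.011 and prior".

```python
import re

# Version thresholds exactly as stated in the advisory summary above.
MICRO820_LAST_AFFECTED = (14, 11)    # "V14.011 and prior"
MICRO850_870_FIRST_FIXED = (12, 13)  # "prior to V12.013" are vulnerable

def parse_fw(text):
    """'V12.013', 'v12.13' or '12.013' -> (12, 13); None if unparseable."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\s*", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(model, firmware):
    """Classify one controller; returns (status, action)."""
    family = re.sub(r"[\s\-_]", "", model or "").lower()
    if family not in ("micro820", "micro850", "micro870"):
        return ("not_listed", "none")
    fw = parse_fw(firmware)
    if fw is None:
        # Unknown firmware is treated as exposure to follow up, not as safe.
        return ("unknown", "read the firmware revision from the device")
    if family == "micro820":
        if fw <= MICRO820_LAST_AFFECTED:
            return ("affected", "disable IPv6 if unused; restrict network "
                                "access; review the Micro820 update item")
        return ("outside_affected_range", "none")
    if fw < MICRO850_870_FIRST_FIXED:
        return ("affected", "update to V12.013 or later in a maintenance window")
    return ("outside_affected_range", "none")

def triage(inventory):
    """Return rows needing follow-up (affected or unknown), affected first."""
    rows = [(a["name"], *assess(a["model"], a["firmware"])) for a in inventory]
    flagged = [r for r in rows if r[1] in ("affected", "unknown")]
    return sorted(flagged, key=lambda r: (r[1] != "affected", r[0]))

# Constructed sample inventory (hypothetical asset names and firmware values).
SAMPLE_INVENTORY = [
    {"name": "lift-station-3", "model": "Micro850", "firmware": "V12.011"},
    {"name": "booster-pump-1", "model": "Micro 820", "firmware": "v14.011"},
    {"name": "mcc-east", "model": "Micro870", "firmware": "12.013"},
    {"name": "well-7", "model": "Micro850", "firmware": ""},
    {"name": "other-device", "model": "Other-PLC", "firmware": "V1.001"},
]

if __name__ == "__main__":
    for name, status, action in triage(SAMPLE_INVENTORY):
        print(f"{name:16} {status:9} {action}")
```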