Rockwell Automation Micro820, Micro850, Micro870

Monitor | CVSS 7.5 | ICS-CERT ICSA-25-352-07 | Dec 9, 2025
Rockwell Automation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Denial-of-service vulnerabilities (CWE-1395, CWE-763) in Rockwell Automation Micro820, Micro850, and Micro870 controllers allow remote attackers without authentication to cause the device to become unresponsive. Micro820 V14.011 and prior versions, and Micro850/870 devices with older firmware are vulnerable. For Micro820, only migration to newer L20E hardware addresses the issue. Micro850/870 controllers can be patched with firmware updates. One vulnerability is specifically triggered via IPv6 traffic.

What this means
What could happen
An attacker on the network could cause the Micro820/850/870 controller to become unresponsive, disrupting automated processes and potentially halting production or utility operations. The device would need to be restarted to restore function.
Who's at risk
Water and electric utilities, water treatment facilities, and any organization using Rockwell Automation Micro820, Micro850, or Micro870 controllers for process automation, pump control, or distribution system management. These are compact programmable controllers commonly found in smaller industrial and municipal applications.
How it could be exploited
An attacker with network access to the controller sends a specially crafted packet that triggers a denial-of-service condition. For IPv6-based exploitation (CVE-2025-13823), the attacker can send malicious IPv6 traffic without authentication. The controller becomes unresponsive and stops executing control logic.
Prerequisites
  • Network access to the controller (Layer 3 reachability)
  • No authentication required
  • IPv6 enabled on the device (for CVE-2025-13823)
remotely exploitable, no authentication required, low complexity, affects industrial control systems, no vendor patch available for older hardware
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
Micro820, Micro850, Micro870 | All versions | No fix (EOL)
Micro820: <=V14.011 | ≤ V14.011 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable IPv6 functionality on affected controllers if IPv6 is not required for operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Micro820 controllers to L20E V23.011 or later
HOTFIX: Update Micro850/Micro870 controllers to V12.013 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Micro820, Micro850, Micro870, Micro820: <=V14.011. Apply the following compensating controls:
HARDENING: Restrict network access to Micro820/850/870 controllers using firewall rules to allow traffic only from authorized engineering workstations and SCADA systems
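
A triage pass over a controller inventory, using the version thresholds and actions from the summary and remediation text above. This is an added example, not part of the original advisory or any vendor tooling; the inventory records, the `Asset` fields, and the reading of firmware strings as major.minor integers are assumptions.

```python
import re
from typing import NamedTuple

# Thresholds from the advisory text (not from the device or vendor tooling).
MICRO820_LAST_AFFECTED = (14, 11)   # Micro820 V14.011 and prior: no firmware fix
MICRO8X0_FIXED = (12, 13)           # Micro850/870: V12.013 or later

class Asset(NamedTuple):            # hypothetical inventory record
    name: str
    model: str                      # "Micro820", "Micro850" or "Micro870"
    firmware: str                   # e.g. "V12.011"
    ipv6_enabled: bool

def parse_fw(text: str) -> tuple[int, int]:
    """Parse 'V14.011' into a comparable (major, minor) tuple (assumed format)."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(asset: Asset) -> list[str]:
    """Return the advisory actions that apply to one controller, most urgent first."""
    if asset.model not in ("Micro820", "Micro850", "Micro870"):
        return []
    try:
        fw = parse_fw(asset.firmware)
    except ValueError:
        return ["VERIFY: firmware version unreadable, check on the device"]
    if asset.model == "Micro820" and fw <= MICRO820_LAST_AFFECTED:
        actions = ["MIGRATE: no firmware fix, plan move to L20E V23.011 or later",
                   "HARDEN: restrict network access to authorized hosts"]
    elif asset.model != "Micro820" and fw < MICRO8X0_FIXED:
        actions = ["UPDATE: schedule firmware V12.013 or later"]
    else:
        return []                   # outside the affected version ranges
    if asset.ipv6_enabled:
        actions.insert(0, "NOW: disable IPv6 if not required (CVE-2025-13823)")
    return actions

INVENTORY = [                       # constructed sample data
    Asset("lift-station-3", "Micro820", "V14.011", True),
    Asset("booster-pump-1", "Micro850", "V12.011", False),
    Asset("filter-plc-2", "Micro870", "V12.013", True),
    Asset("well-7", "Micro820", "unknown", False),
]

if __name__ == "__main__":
    for a in INVENTORY:
        for line in triage(a) or ["OK: outside the affected version ranges"]:
            print(f"{a.name:16} {a.model:9} {a.firmware:8} {line}")
```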
Rockwell Automation Micro820, Micro850, Micro870 | CVSS 7.5 - OTPulse