Rockwell Automation ArmorStart LT

MonitorCVSS 7.5ICS-CERT ICSA-26-029-02Jan 20, 2026

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

ArmorStart LT soft starters (all versions, models 290D, 291D, 294D) are vulnerable to a denial-of-service condition caused by improper input validation (CWE-400). An unauthenticated attacker with network access to the device can send crafted packets that cause the device to become unresponsive. Rockwell Automation has not released a patch and has stated no fix is planned.

What this means

What could happen

An attacker on the network could send crafted packets to ArmorStart LT devices, causing them to stop responding and interrupt motor control operations until the device is restarted.

Who's at risk

Motor control system operators using Rockwell Automation ArmorStart LT soft starters (290D, 291D, 294D models) in industrial applications. These devices are commonly used to control large motors in pumping stations, compressors, and other critical equipment at water utilities and manufacturing facilities.

How it could be exploited

An attacker with network access to the ArmorStart LT device sends specially crafted packets that cause the device to exhaust resources and become unresponsive. No authentication or user interaction is required.

Prerequisites

Network access to ArmorStart LT device (TCP/IP connectivity)
No authentication required

remotely exploitableno authentication requiredlow complexityno patch availableaffects industrial control equipment

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (4)

4 EOL

ProductAffected VersionsFix Status

ArmorStart LTAll versionsNo fix (EOL)

ArmorStart LT 290D: <=V2.002≤ V2.002No fix (EOL)

ArmorStart LT 291D: <=V2.002≤ V2.002No fix (EOL)

ArmorStart LT 294D: <=V2.002≤ V2.002No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

ArmorStart LT

HARDENINGRestrict network access to ArmorStart LT devices using firewall rules; allow only traffic from trusted engineering workstations and control systems

HARDENINGIsolate ArmorStart LT devices on a separate network segment or VLAN; do not expose them to untrusted networks or the internet

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

ArmorStart LT

HARDENINGImplement network monitoring to detect unusual traffic patterns or connection attempts to ArmorStart LT devices

WORKAROUNDMaintain current backups of ArmorStart LT configuration and be prepared to perform a factory reset and reconfiguration if a device becomes unresponsive

CVEs (9)

CVE-2025-9464 CVE-2025-9465 CVE-2025-9466 CVE-2025-9278 CVE-2025-9279 CVE-2025-9280 CVE-2025-9281 CVE-2025-9282 CVE-2025-9283

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5f26b393-3bbc-4070-8ec9-63302338d3b6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.