Rockwell Automation ArmorStart LT

Monitor7.5ICS-CERT ICSA-26-029-02Jan 29, 2026

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Denial-of-service vulnerability in Rockwell Automation ArmorStart LT soft starters (models 290D, 291D, 294D running firmware version 2.002 and earlier). An attacker can craft and send network packets that cause the device to exhaust resources and become unresponsive, interrupting its ability to control motor startup. The vulnerability stems from improper resource handling and input validation (CWE-400). No patch is available; Rockwell Automation recommends applying security best practices for mitigation.

What this means

What could happen

An attacker could trigger a denial-of-service condition on ArmorStart LT soft starters, causing them to stop responding and potentially interrupting motor startup and industrial equipment operation.

Who's at risk

Manufacturing and utility operators using Rockwell Automation ArmorStart LT soft starters (290D, 291D, 294D models) for motor control in pumps, fans, compressors, and other critical industrial equipment. Any facility relying on these devices for process continuity is affected.

How it could be exploited

An attacker on the network sends crafted packets to the ArmorStart LT device (port and protocol unspecified in advisory). The device fails to properly handle resource allocation or input validation, exhausting available resources and becoming unresponsive to legitimate commands.

Prerequisites

Network access to the ArmorStart LT device
No authentication required
Device must be accessible on the network where attack traffic originates

Remotely exploitableNo authentication requiredLow complexity attackNo patch availableAffects motor control and equipment startup

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (3)

3 EOL

ProductAffected VersionsFix Status

ArmorStart LT 290D: <=V2.002≤ V2.002No fix (EOL)

ArmorStart LT 291D: <=V2.002≤ V2.002No fix (EOL)

ArmorStart LT 294D: <=V2.002≤ V2.002No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDDeploy a firewall or network access control to block unauthorized traffic to ArmorStart LT devices

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGReview Rockwell Automation SD1768 advisory for additional security best practices

Mitigations - no patch available

0/3

The following products have reached End of Life with no planned fix: ArmorStart LT 290D: <=V2.002, ArmorStart LT 291D: <=V2.002, ArmorStart LT 294D: <=V2.002. Apply the following compensating controls:

HARDENINGImplement network segmentation to restrict access to ArmorStart LT devices from untrusted networks or subnets

HARDENINGDisable unused ports and services on the ArmorStart LT device

HARDENINGMonitor ArmorStart LT devices for unexpected loss of responsiveness or connectivity

CVEs (9)

CVE-2025-9464 CVE-2025-9465 CVE-2025-9466 CVE-2025-9278 CVE-2025-9279 CVE-2025-9280 CVE-2025-9281 CVE-2025-9282 CVE-2025-9283

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5f26b393-3bbc-4070-8ec9-63302338d3b6