OTPulse

Rockwell Automation Logix 5370 & 5570 Controllers Vulnerable To Denial of Service Via CIP

MonitorCVSS 7.5ICS-CERT ICSA-26-167-03Jun 16, 2026
Rockwell Automation
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Rockwell Automation CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570, and GuardLogix 5570 controllers contain a vulnerability that allows remote attackers to cause a denial-of-service condition resulting in a major nonrecoverable fault (MNRF) via the Common Industrial Protocol (CIP). No user interaction or authentication is required. The vulnerability affects all versions of Logix 5370 and specific versions of the other controllers as listed.

What this means
What could happen
An attacker could remotely trigger a major nonrecoverable fault on your PLC, stopping process execution and potentially requiring manual intervention to recover. This could result in extended downtime of critical production systems.
Who's at risk
Water utilities, electric utilities, and any facility using Rockwell Automation CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570, or GuardLogix 5570 controllers should prioritize this. These PLCs are commonly used in SCADA systems, pump stations, water treatment, and power distribution. GuardLogix models are especially critical because they are often deployed in safety-instrumented systems (SIS) where unplanned shutdowns can have serious consequences.
How it could be exploited
An attacker sends a specially crafted CIP packet to the controller over the network. The controller processes the packet without proper validation, triggering a critical fault that stops all program execution. The attacker needs only network-level access to the controller's IP address and CIP port (typically UDP/TCP 2222)—no credentials or engineering access required.
Prerequisites
  • Network access to controller on CIP port (UDP/TCP 2222)
  • No authentication required
remotely exploitableno authentication requiredlow complexityaffects safety systemshigh CVSS score (7.5)
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (5)
4 with fix1 EOL
ProductAffected VersionsFix Status
CompactLogix 5370≤ 34.016Fix available
Compact GuardLogix 5370≤ 35.015Fix available
ControlLogix 5570≤ 35.015Fix available
GuardLogix 5570: 36.01236.012Fix available
Logix 5370 andAll versionsNo fix (EOL)
Remediation & Mitigation
0/6
Do now
0/1
WORKAROUNDRestrict network access to CIP ports (UDP/TCP 2222) to only authorized engineering workstations and trusted networks; block external or untrusted traffic at the network boundary
Schedule — requires maintenance window
0/4

Patching may require device reboot — plan for process interruption

CompactLogix 5370
HOTFIXUpdate CompactLogix 5370 to firmware version 34.016 or later
Compact GuardLogix 5370
HOTFIXUpdate Compact GuardLogix 5370 to firmware version 35.015 or later
ControlLogix 5570
HOTFIXUpdate ControlLogix 5570 to firmware version 36.012 or later
All products
HOTFIXUpdate GuardLogix 5570 to firmware version 37.011 or later
Mitigations - no patch available
0/1
Logix 5370 and has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGSegment Logix 5370 controllers on an isolated network or VLAN separate from untrusted networks, as no patch is available for that product line
View full CISA ICS-CERT advisory
API: /api/v1/advisories/23c38fa3-d7b9-46dd-8985-8d85e8bef65e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Rockwell Automation Logix 5370 & 5570 Controllers Vulnerable To Denial of Service Via CIP | CVSS 7.5 - OTPulse