Rockwell Automation CompactLogix

MonitorCVSS 7.5ICS-CERT ICSA-26-167-04Jun 16, 2026

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

CompactLogix 5370 L1, L2, and L3 controllers with firmware versions before V38.011 are vulnerable to a denial-of-service attack triggered by malformed network packets. An attacker with network access to the controller can send a specially crafted packet that crashes the device, forcing a restart and interrupting process control. The vulnerability is due to improper input validation (CWE-354, CWE-497) in the controller's packet processing. CompactLogix 5370 controllers in general have no fix planned and remain vulnerable.

What this means

What could happen

An attacker with network access to a CompactLogix PLC could crash the controller, halting process control and production until the device is manually restarted. This causes immediate loss of operational capability.

Who's at risk

Water and electric utility operators who use CompactLogix 5370 controllers in critical process control loops should be concerned. These PLCs commonly control pump stations, water treatment processes, distribution systems, and electrical substation automation. Any organization running firmware versions before V38.011 is at risk of unplanned downtime.

How it could be exploited

An attacker sends a specially crafted network packet to the CompactLogix controller on its standard Ethernet port (port 2222 for EtherNet/IP). The malformed packet triggers a crash in the controller's packet parsing logic, forcing a restart and disconnecting all dependent processes.

Prerequisites

Network reachability to the CompactLogix controller on port 2222 or standard EtherNet/IP port 44818
No authentication required

remotely exploitableno authentication requiredlow complexityaffects critical process controlcauses denial of service

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (4)

3 pending1 EOL

ProductAffected VersionsFix Status

CompactLogix 5370 L1<V38.011No fix yet

CompactLogix 5370 L2<V38.011No fix yet

CompactLogix 5370 L3<V38.011No fix yet

CompactLogix 5370 ControllersAll versionsNo fix (EOL)

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to CompactLogix controllers by implementing firewall rules to deny inbound traffic on ports 2222 and 44818 from untrusted networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

CompactLogix 5370 L1

HOTFIXUpdate CompactLogix 5370 L1, L2, and L3 controllers to firmware version V38.011 or later

Mitigations - no patch available

0/1

CompactLogix 5370 Controllers has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate CompactLogix controllers on a dedicated OT network separate from corporate IT networks and the internet

CVEs (2)

CVE-2025-11694 CVE-2026-9307

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3c75e51c-49c5-4f61-a6aa-6871ebec9d9f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.