Machine-generated analysis · WAYSCloud LLM
The advisory states that Connection IDs exposed on the web interface can be abused to trigger a denial-of-service condition because CIP protocol fields are improperly validated.
Context
Rockwell Automation CompactLogix is a programmable logic controller used in industrial automation systems. The advisory identifies two vulnerabilities involving improper validation of sequence numbers and source IP addresses in the CIP protocol, which could lead to denial-of-service conditions. The affected products are CompactLogix 5370 L1, L2, and L3 models running firmware versions below V38.011. The advisory explicitly notes the exposure of sensitive system information and the potential for unauthorized control sphere access.
Operator considerations
- Check: Inventory CompactLogix 5370 L1, L2, and L3 controllers running firmware versions below V38.011
- Patch: Update to firmware version V38.011 or later as recommended by Rockwell Automation
- Log: Monitor for unexpected CIP protocol traffic involving invalid sequence numbers or unauthorized source IP addresses
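One way to implement the "Log" check above, as an added example that is not part of the advisory or any Rockwell Automation tooling. It assumes CIP traffic has already been decoded into (source IP, Connection ID, sequence number) records and that the sequence counter is 32 bits wide; the record layout, function names and sample values are constructed for illustration.

```python
from dataclasses import dataclass

SEQ_MOD = 2 ** 32  # assumption: 32-bit sequence counter that wraps to 0


@dataclass
class ConnState:
    src_ip: str    # first authorized source seen using this Connection ID
    last_seq: int  # highest sequence number accepted so far


def seq_is_newer(seq, last, mod=SEQ_MOD):
    """Serial-number comparison: True if seq is ahead of last, allowing wraparound."""
    return 0 < (seq - last) % mod < mod // 2


def audit_cip_traffic(records, allowed_sources):
    """Return (record_index, connection_id, reason, src_ip) for each suspicious record."""
    state, alerts = {}, []
    for n, (src, conn_id, seq) in enumerate(records):
        if src not in allowed_sources:
            alerts.append((n, conn_id, "unauthorized-source", src))
            continue
        known = state.get(conn_id)
        if known is None:
            state[conn_id] = ConnState(src, seq)  # learn the connection owner
        elif src != known.src_ip:
            alerts.append((n, conn_id, "source-changed", src))
        elif not seq_is_newer(seq, known.last_seq):
            alerts.append((n, conn_id, "stale-or-replayed-sequence", src))
        else:
            known.last_seq = seq
    return alerts


# Constructed sample records (documentation address range, made-up Connection ID).
ALLOWED = {"192.0.2.20", "192.0.2.21"}
SAMPLE = [
    ("192.0.2.20", 0x1A2B0001, 4294967294),
    ("192.0.2.20", 0x1A2B0001, 4294967295),
    ("192.0.2.20", 0x1A2B0001, 0),           # legitimate wraparound
    ("192.0.2.77", 0x1A2B0001, 1),           # host outside the allow list
    ("192.0.2.21", 0x1A2B0001, 1),           # allowed host, but not the connection owner
    ("192.0.2.20", 0x1A2B0001, 4294967295),  # sequence number goes backwards
    ("192.0.2.20", 0x1A2B0001, 1),           # normal traffic resumes
]

if __name__ == "__main__":
    for alert in audit_cip_traffic(SAMPLE, ALLOWED):
        print(alert)
```

Alerts of this kind are a monitoring aid for controllers that cannot be updated immediately; they do not replace the firmware update.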
Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition.
The following versions of Rockwell Automation CompactLogix are affected:
- CompactLogix 5370 L1
- CompactLogix 5370 L2
- CompactLogix 5370 L3
Vendor: Rockwell Automation
Equipment: Rockwell Automation CompactLogix
Vulnerabilities: Improper Validation of Integrity Check Value, Exposure of Sensitive System Information to an Unauthorized Control Sphere
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States
A security issue exists within 1769 CompactLogix controllers due to the missing validation of sequence numbers and source IP addresses in the CIP protocol. This allows an attacker to abuse the exposed Connection IDs visible on the web interface to perform denial-of-service attacks, resulting in a minor fault...
Read the full advisory on CISA →