---
title: "Critical Flaw in Rockwell Automation CompactLogix 5370 Triggers DoS Risks"
short_title: "Rockwell CompactLogix 5370 DoS vulnerability"
description: "Rockwell Automation CompactLogix 5370 plagued by CVE-2025-11743, a medium-severity flaw causing denial-of-service. Learn mitigation steps and protect critical systems now."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [rockwell-automation, cve-2025-11743, dos, ics-security, critical-manufacturing]
score: 0.75
cve_ids: [CVE-2025-11743]
---
## TL;DR
Rockwell Automation’s CompactLogix 5370 controllers are vulnerable to CVE-2025-11743, a medium-severity flaw that could allow attackers to trigger a denial-of-service (DoS) condition via malformed CIP forward open messages. Affected systems require a manual restart to recover, posing risks to critical manufacturing operations. Patches and mitigation strategies are now available.
---
## Main Content
### Introduction
Industrial control systems (ICS) are the backbone of critical infrastructure, and vulnerabilities in these systems can have far-reaching consequences. Rockwell Automation, a global leader in industrial automation, has disclosed a denial-of-service (DoS) vulnerability in its CompactLogix 5370 controllers. Tracked as CVE-2025-11743, this flaw could disrupt operations in critical manufacturing sectors worldwide. Here’s what you need to know.
---
### Key Points
- Vulnerability Impact: Exploitation of CVE-2025-11743 could cause a major nonrecoverable fault, requiring a manual restart of affected devices.
- Affected Versions: CompactLogix 5370 controllers running versions ≤34.013, ≤35.012, or 36.011 are vulnerable.
- CVSS Score: The flaw has a medium severity score of 6.5, with a vector string of CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
- Mitigation: Rockwell Automation has released patched versions (37.011 and later, 34.016, 35.015, and 36.012) and recommends immediate upgrades.
- Deployment: The affected controllers are deployed worldwide, primarily in critical manufacturing sectors.
---
### Technical Details
#### Vulnerability Overview
CVE-2025-11743 stems from improper validation of a specified quantity in input, specifically in the handling of CIP (Common Industrial Protocol) forward open messages. When a malformed CIP forward open message is sent to an affected device, it triggers a major nonrecoverable fault, effectively crashing the controller. Recovery requires a manual restart, which could lead to significant downtime in industrial environments.
#### Attack Vector
- Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- AV:A (Adjacent Network): Exploitation requires access to the same network segment as the target device.
- AC:L (Low Complexity): The attack is straightforward to execute and does not require advanced techniques.
- PR:N (No Privileges Required): No authentication or elevated privileges are needed to exploit the flaw.
- UI:N (No User Interaction): The attack does not require any action from the user.
- A:H (High Availability Impact): The flaw causes a complete loss of availability, requiring manual intervention.
#### Affected Systems
The following versions of Rockwell Automation CompactLogix 5370 are affected:
- ≤34.013
- ≤35.012
- 36.011
---
### Impact Assessment
#### Operational Risks
The denial-of-service condition caused by CVE-2025-11743 poses severe risks to industrial operations, particularly in critical manufacturing environments. A successful attack could lead to:
- Unplanned downtime, disrupting production lines and supply chains.
- Financial losses due to halted operations and recovery efforts.
- Safety risks if the DoS condition affects safety-critical systems.
#### Sector-Specific Concerns
The vulnerability is particularly concerning for critical manufacturing sectors, where uninterrupted operations are essential. Given the global deployment of CompactLogix 5370 controllers, organizations worldwide must act swiftly to mitigate risks.
---
### Mitigation Steps
Rockwell Automation has released patched versions of the affected firmware to address CVE-2025-11743. Users are urged to upgrade to one of the following versions:
- 37.011 and later
- 34.016
- 35.015
- 36.012
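To turn the affected and patched version lists into a patch queue, the following added example (not Rockwell Automation's tooling) classifies firmware revisions from an asset inventory. The inventory and asset names are constructed, and two readings of the lists are assumptions marked in the comments: "≤34.013" is taken to include older release trains, and later builds in a patched train are taken to keep the fix.

```python
import re

# Revision bounds copied from the advisory text above (major -> build).
AFFECTED_UP_TO = {34: 13, 35: 12}              # "≤34.013", "≤35.012"
AFFECTED_EXACT = {(36, 11)}                    # "36.011"
FIXED_FROM = {34: 16, 35: 15, 36: 12, 37: 11}  # 34.016, 35.015, 36.012, 37.011

def parse_revision(text):
    """Turn 'major.minor' firmware text such as '34.013' into (34, 13)."""
    m = re.fullmatch(r"\s*[vV]?(\d{1,3})\.(\d{1,3})\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware revision: {text!r}")
    return int(m.group(1)), int(m.group(2))

def classify(text):
    major, minor = parse_revision(text)
    # Assumption: later builds in a patched train keep the fix.
    if major > 37 or minor >= FIXED_FROM.get(major, 1000):
        return "fixed"
    # Assumption: "≤34.013" also covers release trains older than 34.
    if major < 34 or (major, minor) in AFFECTED_EXACT:
        return "affected"
    if minor <= AFFECTED_UP_TO.get(major, -1):
        return "affected"
    # Builds the page does not list (e.g. 34.014, 36.005): check the vendor advisory.
    return "unlisted"

def triage(inventory):
    """Group (asset, revision) pairs by status; bad revision strings go to 'unparsed'."""
    report = {"affected": [], "fixed": [], "unlisted": [], "unparsed": []}
    for asset, revision in inventory:
        try:
            report[classify(revision)].append(asset)
        except ValueError:
            report["unparsed"].append(asset)
    return report

# Constructed sample inventory; asset names are hypothetical.
INVENTORY = [
    ("press-line-1", "34.013"), ("press-line-2", "34.016"),
    ("packaging-a", "35.014"), ("packaging-b", "36.011"),
    ("paint-shop", "37.011"), ("legacy-cell", "30.014"),
    ("spare-unit", "unknown"),
]

if __name__ == "__main__":
    for status, assets in triage(INVENTORY).items():
        print(f"{status:9} {', '.join(assets) or '-'}")
```

Anything reported as "unlisted" or "unparsed" falls between the published ranges or could not be read, so it needs a manual check against advisory SD1770 rather than an assumption either way.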
#### Additional Recommendations
For organizations unable to upgrade immediately, Rockwell Automation recommends the following security best practices:
1. Minimize Network Exposure: Ensure control system devices are not accessible from the internet and are isolated from business networks.
2. Use Firewalls: Locate control system networks behind firewalls to limit access.
3. Secure Remote Access: When remote access is necessary, use secure methods like VPNs, ensuring they are updated to the latest version.
4. Follow CISA Guidelines: Refer to CISA’s [recommended practices for ICS security](https://www.cisa.gov/ics) and implement defense-in-depth strategies.
For more details, refer to Rockwell Automation’s advisory SD1770 on their [security page](https://www.rockwellautomation.com/security).
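Because the flaw is reachable only from an adjacent network, it helps to know which hosts on the segment actually open CIP connections to the controller. The added example below (not Rockwell Automation's or CISA's code) parses EtherNet/IP SendRRData payloads seen on TCP/44818 and reports Forward Open requests (CIP service 0x54, or 0x5B for Large Forward Open) from sources outside an allowlist. The addresses, allowlist and frames are constructed, and the code does not try to recognise the malformed message, which this page does not describe.

```python
import struct

SEND_RR_DATA = 0x006F            # EtherNet/IP encapsulation command
UNCONNECTED_DATA_ITEM = 0x00B2   # item that carries an unconnected CIP request
FORWARD_OPEN = {0x54: "Forward Open", 0x5B: "Large Forward Open"}
ALLOWED_SOURCES = {"10.10.1.5"}  # constructed: hosts expected to open connections

def cip_service(payload):
    """Return the CIP service code inside a SendRRData request, else None."""
    if len(payload) < 24:
        return None
    command, length = struct.unpack_from("<HH", payload, 0)
    body = payload[24:24 + length]
    if command != SEND_RR_DATA or len(body) < 8:
        return None
    (item_count,) = struct.unpack_from("<H", body, 6)
    offset = 8                       # past interface handle, timeout, item count
    for _ in range(item_count):
        if offset + 4 > len(body):
            return None              # truncated item header
        item_type, item_len = struct.unpack_from("<HH", body, offset)
        offset += 4
        if item_type == UNCONNECTED_DATA_ITEM and item_len and offset < len(body):
            return body[offset]      # first byte of the CIP request is the service
        offset += item_len
    return None

def flag_forward_opens(records, allowed=ALLOWED_SOURCES):
    """records: (source_ip, tcp_payload) pairs seen towards the controller on TCP/44818."""
    alerts = []
    for source, payload in records:
        name = FORWARD_OPEN.get(cip_service(payload))
        if name and source not in allowed:
            alerts.append((source, name))
    return alerts

def sample_request(service):
    """Constructed test frame: service byte plus a Connection Manager path, no service data."""
    cip = bytes([service, 0x02, 0x20, 0x06, 0x24, 0x01])
    body = struct.pack("<IHH", 0, 10, 2) + struct.pack("<HH", 0, 0)
    body += struct.pack("<HH", UNCONNECTED_DATA_ITEM, len(cip)) + cip
    return struct.pack("<HHII8sI", SEND_RR_DATA, len(body), 1, 0, bytes(8), 0) + body

RECORDS = [  # constructed capture summary
    ("10.10.1.5", sample_request(0x54)),        # allowlisted workstation
    ("10.10.1.77", sample_request(0x54)),       # not on the allowlist
    ("10.10.1.77", sample_request(0x0E)),       # Get_Attribute_Single, ignored
    ("10.10.1.90", sample_request(0x5B)[:30]),  # truncated frame, ignored
]

if __name__ == "__main__":
    print(flag_forward_opens(RECORDS))
```

The parser expects one complete encapsulation message per payload, so it does not reassemble TCP segments or unwrap requests routed through Unconnected Send; a full protocol dissector is the better source where those cases matter.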
---
## Conclusion
CVE-2025-11743 highlights the critical importance of securing industrial control systems against evolving cyber threats. While the vulnerability is classified as medium severity, its potential impact on critical manufacturing operations should not be underestimated. Organizations using Rockwell Automation CompactLogix 5370 controllers must prioritize patching and adhere to security best practices to mitigate risks.
Stay vigilant, monitor for updates, and ensure your systems are protected against this and future threats.
---
## References
[^1]: Cybersecurity and Infrastructure Security Agency (CISA). "[ICS Advisory (ICSA-26-022-03) Rockwell Automation CompactLogix 5370](https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-03)". Retrieved 2025-01-24.
[^2]: Rockwell Automation. "[Security Advisory SD1770](https://www.rockwellautomation.com/security)". Retrieved 2025-01-24.
[^3]: National Vulnerability Database (NVD). "[CVE-2025-11743 Detail](https://nvd.nist.gov/vuln/detail/CVE-2025-11743)". Retrieved 2025-01-24.