---
title: "Critical Flaws in Rockwell Automation ArmorStart LT Trigger DoS Attacks"
short_title: "Rockwell Automation ArmorStart LT DoS vulnerabilities"
description: "Nine high-severity vulnerabilities in Rockwell Automation ArmorStart LT could allow attackers to cause denial-of-service conditions. Learn mitigation steps now."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [rockwell-automation, dos, cve-2025, industrial-security, ot-security]
score: 0.78
cve_ids: [CVE-2025-9464, CVE-2025-9465, CVE-2025-9466, CVE-2025-9278, CVE-2025-9279, CVE-2025-9280, CVE-2025-9281, CVE-2025-9282, CVE-2025-9283]
---
TL;DR
Rockwell Automation ArmorStart LT devices are affected by nine high-severity vulnerabilities (CVSS 7.5) that could enable attackers to trigger denial-of-service (DoS) conditions. No patches are currently available, but Rockwell Automation recommends implementing security best practices to mitigate risks. These flaws impact critical manufacturing sectors worldwide.
---
Main Content
Introduction
Rockwell Automation, a global leader in industrial automation, has disclosed nine vulnerabilities in its ArmorStart LT distributed motor controllers. These flaws, all rated high severity (CVSS 7.5), could allow threat actors to disrupt operations by causing denial-of-service (DoS) conditions. Affected devices are widely deployed in critical manufacturing sectors, raising concerns about potential operational disruptions.
Key Points
- Nine high-severity vulnerabilities (CVE-2025-9464 to CVE-2025-9466 and CVE-2025-9278 to CVE-2025-9283) affect Rockwell Automation ArmorStart LT devices.
- Exploitation could lead to DoS conditions, disrupting industrial operations.
- No patches are available yet; Rockwell Automation advises applying security best practices.
- Affected versions include ArmorStart LT 290D, 291D, and 294D (≤V2.002).
- The vulnerabilities are uncontrolled resource consumption flaws that surfaced during fuzzing and stress tests.
---
Technical Details
The vulnerabilities were identified during security testing, including fuzzing, active scanning, and stress tests. Each flaw triggers a DoS condition through different methods:
1. CVE-2025-9464: Triggered during fuzzing of CIP classes, causing the CIP port to become unresponsive.
2. CVE-2025-9465: Detected during Achilles Comprehensive grammar tests, leading to unexpected reboots.
3. CVE-2025-9466: Triggered by EtherNet/IP and CIP grammar tests, causing device reboots.
4. CVE-2025-9278: Identified after a Burp Suite active scan, resulting in lost ICMP connectivity.
5. CVE-2025-9279: Triggered during Achilles EtherNet/IP Step Limit Storm tests, causing reboots.
6. CVE-2025-9280: Detected via Defensics fuzzing, rendering the device unresponsive.
7. CVE-2025-9281: Triggered during Achilles Comprehensive step limit storm tests, leading to reboots.
8. CVE-2025-9282: Triggered during Achilles Comprehensive limited storm tests, causing reboots.
9. CVE-2025-9283: Detected during Achilles EtherNet/IP Step Limits Storms tests, resulting in reboots.
All vulnerabilities are classified under CWE-400 (Uncontrolled Resource Consumption) and share a CVSS v3.1 base score of 7.5, which places them in the high-severity range.
---
Impact Assessment
The vulnerabilities pose significant risks to industrial environments, particularly in critical manufacturing sectors where ArmorStart LT devices are deployed. A successful exploit could:
- Disrupt production lines by causing unexpected device reboots or loss of connectivity.
- Impact operational continuity, leading to financial losses and downtime.
- Expose networks to further attacks if combined with other vulnerabilities.
Given the global deployment of these devices, organizations must act swiftly to mitigate risks.
---
Mitigation Steps
Rockwell Automation has not released patches for these vulnerabilities. However, the following mitigation strategies are recommended:
1. Network Segmentation:
   - Isolate ArmorStart LT devices from business networks and the internet.
   - Use firewalls to restrict access to control system networks.
2. Secure Remote Access:
   - If remote access is required, use Virtual Private Networks (VPNs) with the latest security updates.
   - Ensure VPNs are configured securely and monitored for suspicious activity.
3. Monitoring and Detection:
   - Deploy intrusion detection systems (IDS) to monitor for unusual traffic patterns.
   - Regularly audit logs for signs of exploitation attempts.
4. Security Best Practices:
   - Follow Rockwell Automation’s SD1768 advisory for detailed guidance.
   - Implement defense-in-depth strategies to protect industrial control systems (ICS).
5. Incident Response:
   - Develop and test an incident response plan to address potential disruptions.
   - Report any suspected malicious activity to CISA for further investigation.
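
The following is an added example, not code from Rockwell Automation or CISA, of the segmentation and monitoring steps above: it reads flow records and flags hosts outside an allowlist that reach ArmorStart LT addresses, plus per-second packet rates resembling the storm conditions listed under Technical Details. The device subnet, allowlisted station, CSV record format and rate threshold are assumptions, and the flow records are constructed sample data.

```python
import csv
import io
from ipaddress import ip_address, ip_network
from collections import defaultdict

# Assumed values for this example; replace with your plant's addressing.
DEVICES = ip_network("10.20.30.0/28")         # ArmorStart LT subnet (assumed)
ALLOWED_SOURCES = {ip_address("10.20.1.10")}  # PLC / engineering station (assumed)
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}  # EtherNet/IP
MAX_PKTS_PER_SEC = 500                        # per source/device pair (assumed)

# Constructed flow export: epoch second, source, destination, protocol, port, packets.
SAMPLE_FLOWS = """ts,src,dst,proto,dport,packets
1700000000,10.20.1.10,10.20.30.5,tcp,44818,40
1700000001,10.20.9.77,10.20.30.5,tcp,44818,30
1700000001,10.20.9.77,10.20.30.5,tcp,80,12
1700000002,10.20.1.10,10.20.30.6,udp,2222,450
1700000002,10.20.1.10,10.20.30.6,udp,2222,450
1700000003,10.20.1.10,192.168.1.1,tcp,443,9000
"""


def analyze(flow_csv):
    """Return ordered, de-duplicated (kind, source, device) alerts."""
    alerts = []
    per_second = defaultdict(int)  # (ts, src, dst) -> packets in that second
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        if dst not in DEVICES:
            continue  # only traffic towards the motor controllers matters here
        per_second[(int(row["ts"]), src, dst)] += int(row["packets"])
        if src not in ALLOWED_SOURCES:
            # Segmentation gap: a host that should never reach the device did.
            on_enip = (row["proto"], int(row["dport"])) in ENIP_PORTS
            kind = "unauthorized-enip" if on_enip else "unauthorized-other"
            alert = (kind, str(src), str(dst))
            if alert not in alerts:
                alerts.append(alert)
    # Storm check applies to every source, including allowlisted ones.
    for (ts, src, dst), packets in sorted(per_second.items()):
        alert = ("storm", str(src), str(dst))
        if packets > MAX_PKTS_PER_SEC and alert not in alerts:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for kind, src, dst in analyze(SAMPLE_FLOWS):
        print(f"{kind}: {src} -> {dst}")
```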
---
Conclusion
The discovery of nine high-severity vulnerabilities in Rockwell Automation ArmorStart LT devices underscores the growing risks facing industrial control systems. While no patches are currently available, organizations can reduce their exposure by implementing network segmentation, secure remote access, and monitoring solutions. As threats to OT security continue to evolve, proactive measures are essential to safeguarding critical infrastructure.
Stay informed about updates from Rockwell Automation and CISA to ensure timely mitigation of these vulnerabilities.
---
References
[^1]: CISA. "[ICSA-26-029-02 Rockwell Automation ArmorStart LT Advisory](https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-02)". Retrieved 2024-10-02.
[^2]: Rockwell Automation. "[SD1768 Security Advisory](https://www.rockwellautomation.com)". Retrieved 2024-10-02.
[^3]: MITRE. "[CWE-400: Uncontrolled Resource Consumption](https://cwe.mitre.org/data/definitions/400.html)". Retrieved 2024-10-02.