Rockwell Automation Controllers Hit by Critical Denial-of-Service Vulnerabilities

---
title: "Rockwell Automation Controllers Hit by Critical Denial-of-Service Vulnerabilities"
short_title: "Rockwell Automation controllers face DoS flaws"
description: "Two critical vulnerabilities in Rockwell Automation Micro820, Micro850, and Micro870 controllers could trigger denial-of-service conditions. Learn mitigation steps now."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [rockwell-automation, cve-2025-13823, cve-2025-13824, dos, ics-security]
score: 0.78
cve_ids: [CVE-2025-13823, CVE-2025-13824]
---

TL;DR


Rockwell Automation’s Micro820, Micro850, and Micro870 controllers are vulnerable to two critical flaws (CVE-2025-13823 and CVE-2025-13824) that could cause denial-of-service (DoS) conditions. Exploitation involves malformed IPv6 or CIP packets, leading to system crashes. Users are urged to apply patches or disable vulnerable features immediately.

---

Main Content

Rockwell Automation, a global leader in industrial automation, has disclosed two critical vulnerabilities affecting its Micro820, Micro850, and Micro870 controllers. These flaws, if exploited, could disrupt operations in critical manufacturing sectors worldwide by triggering denial-of-service (DoS) conditions. The vulnerabilities highlight the growing risks facing industrial control systems (ICS) and the urgent need for robust cybersecurity measures.

Key Points


- Vulnerabilities Identified: CVE-2025-13823 (IPv6 stack issue) and CVE-2025-13824 (CIP packet handling flaw) affect Rockwell Automation’s Micro820, Micro850, and Micro870 controllers.
- Impact: Successful exploitation could lead to recoverable or hard faults, causing system unresponsiveness and operational downtime.
- Affected Systems: Micro820 controllers running firmware ≤V14.011, and Micro850 and Micro870 controllers running firmware prior to V12.013.
- Mitigation: Rockwell Automation has released patches and recommends disabling IPv6 if not required. Users unable to update should follow security best practices.

---

Technical Details

#### CVE-2025-13823: IPv6 Stack Vulnerability
This vulnerability stems from improper handling of malformed IPv6 packets. During fuzzing tests, controllers received multiple malformed packets, triggering a recoverable fault. While the system can recover, repeated exploitation could lead to prolonged disruptions. The flaw is classified as CWE-1395 (Dependency on Vulnerable Third-Party Component) and has a CVSS score of 6.5 (Medium).

#### CVE-2025-13824: CIP Packet Handling Flaw
This issue involves the improper handling of malformed Common Industrial Protocol (CIP) packets. When exploited, the controller enters a hard fault, indicated by a solid red Fault LED, and becomes unresponsive. A power cycle is required to restore functionality. This vulnerability is classified as CWE-763 (Release of Invalid Pointer or Reference) and has a CVSS score of 7.5 (High).

---

Impact Assessment


The vulnerabilities pose significant risks to industries reliant on Rockwell Automation controllers, particularly in critical manufacturing sectors. A successful DoS attack could lead to:
- Operational Downtime: Unresponsive controllers may halt production lines, causing financial losses.
- Safety Risks: Disruptions in industrial environments could compromise safety protocols.
- Supply Chain Disruptions: Prolonged outages may impact global supply chains, given the widespread deployment of these controllers.

While no active exploitation has been reported, the high severity of CVE-2025-13824 and the global deployment of affected systems underscore the urgency of addressing these flaws.

---

Mitigation Steps


Rockwell Automation has provided the following recommendations to mitigate risks:

1. Apply Patches:
   - Micro820 users: Upgrade to L20E V23.011 or later.
   - Micro850/870 users: Update to V12.013 or later.
   - Download updates from the [Rockwell Automation website](https://www.rockwellautomation.com).

2. Disable IPv6: If IPv6 functionality is not required, disable it to mitigate CVE-2025-13823.

3. Follow Security Best Practices:
   - Isolate control system networks from business networks using firewalls.
   - Minimize network exposure for control system devices.
   - Use secure remote access methods, such as VPNs, and ensure they are up-to-date.

4. Review Rockwell Automation’s Advisory: For detailed guidance, refer to the [official advisory](https://www.rockwellautomation.com/en-us/support/advisory).

---

Affected Systems


The following Rockwell Automation controllers are affected:
- Micro820: All versions ≤V14.011.
- Micro850: All versions prior to V12.013.
- Micro870: All versions prior to V12.013.
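
To turn the version ranges above into an asset check, the following added example (not code from Rockwell Automation or CISA) audits a controller inventory against them and attaches the matching mitigation from this article. The inventory records, their field names (`name`, `model`, `firmware`, `ipv6_enabled`) and the sample devices are assumptions constructed for illustration.

```python
import re

# Affected ranges and fixed releases exactly as stated in the article above.
# "max_affected" is inclusive (Micro820: <= V14.011); "first_fixed" is
# exclusive (Micro850/870: versions prior to V12.013 are affected).
RULES = {
    "Micro820": {"max_affected": (14, 11), "fix": "L20E V23.011 or later"},
    "Micro850": {"first_fixed": (12, 13), "fix": "V12.013 or later"},
    "Micro870": {"first_fixed": (12, 13), "fix": "V12.013 or later"},
}

def parse_version(text):
    """Turn 'V14.011' or '14.011' into (14, 11); return None if unparseable."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\s*", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(device):
    """Return (status, actions) for one inventory record."""
    rule = RULES.get(device.get("model"))
    if rule is None:
        return "not-in-scope", []
    version = parse_version(device.get("firmware"))
    if version is None:
        # Never assume a device is safe when its version cannot be read.
        return "manual-review", ["confirm firmware version on the device"]
    if "max_affected" in rule:
        affected = version <= rule["max_affected"]
    else:
        affected = version < rule["first_fixed"]
    if not affected:
        return "ok", []
    actions = ["update to " + rule["fix"]]
    if device.get("ipv6_enabled", True):  # unknown IPv6 state counts as enabled
        actions.append("disable IPv6 if not required (CVE-2025-13823)")
    return "affected", actions

# Constructed sample inventory; names, versions and fields are illustrative.
INVENTORY = [
    {"name": "line1-plc", "model": "Micro820", "firmware": "V14.011", "ipv6_enabled": True},
    {"name": "line2-plc", "model": "Micro850", "firmware": "V12.013", "ipv6_enabled": False},
    {"name": "pump-plc", "model": "Micro870", "firmware": "v11.011", "ipv6_enabled": False},
    {"name": "lab-plc", "model": "Micro850", "firmware": "unknown"},
    {"name": "other-01", "model": "OtherPLC", "firmware": "V5.001"},
]

def audit(inventory):
    return {d["name"]: assess(d) for d in inventory}

if __name__ == "__main__":
    for name, (status, actions) in audit(INVENTORY).items():
        print(f"{name:10} {status:13} {'; '.join(actions)}")
```

Records with an unreadable firmware string are reported as `manual-review` rather than `ok`, so gaps in the inventory surface instead of hiding affected controllers.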

---

Conclusion


The discovery of these vulnerabilities in Rockwell Automation’s controllers serves as a critical reminder of the importance of securing industrial control systems. Organizations must prioritize patching and implementing defensive measures to prevent potential disruptions. As ICS threats evolve, proactive cybersecurity strategies—such as network segmentation, regular updates, and adherence to best practices—are essential to safeguarding critical infrastructure.

For further details, review the [CISA advisory](https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-07) and Rockwell Automation’s recommendations.
