Rockwell Automation Logix 5370 & 5570 Controllers Vulnerable To Denial of Service Via CIP (CVE-2026-11317)

What Happened

A vulnerability has been discovered in certain Rockwell Automation controllers used in manufacturing and industrial settings. If an attacker sends a specially crafted network message to an affected device, it can cause the device to crash and enter a fault state that requires manual reprogramming to fix. This matters because it could disrupt critical manufacturing processes. Organizations using these controllers should update their device software to the latest versions provided by Rockwell Automation and ensure the devices are not directly accessible from the internet.

Key Takeaways

• Rockwell Automation Logix 5370 and 5570 controllers are vulnerable to a Denial of Service (DoS) attack via crafted CIP messages.
• Successful exploitation causes a major nonrecoverable fault (MNRF), requiring a manual program download to recover the device.
• Devices with less memory are more susceptible to this vulnerability.
• Rockwell Automation has released firmware updates to remediate the issue.
• No known public exploitation has been reported at this time.

Affected Systems

• Rockwell Automation CompactLogix 5370 (<=34.016)
• Rockwell Automation Compact GuardLogix 5370 (<=35.015)
• Rockwell Automation ControlLogix 5570 (<=35.015)
• Rockwell Automation GuardLogix 5570 (36.012)

Vulnerabilities (CVEs)

• CVE-2026-11317

Attack Chain

An attacker with network access to the vulnerable Rockwell Automation controllers sends a crafted Common Industrial Protocol (CIP) message. The controller improperly handles the resource shutdown or release, leading to a memory fault. This triggers a major nonrecoverable fault (MNRF), causing a denial-of-service condition that halts operations until a program download is manually performed by an operator.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

No specific detection rules or queries were provided in the advisory.

Detection Engineering Assessment

EDR Visibility: None — EDR agents cannot be installed on Rockwell Automation PLCs or industrial controllers. Network Visibility: Medium — Detecting crafted CIP messages requires OT-specific deep packet inspection (DPI) capabilities capable of parsing industrial protocols. Detection Difficulty: Hard — Identifying malicious CIP messages among legitimate industrial traffic requires specialized OT network monitoring and baseline profiling.

Required Log Sources

• OT Network IDS/IPS
• ICS/SCADA network monitoring logs

Hunting Hypotheses

Control Gaps

• Lack of OT network segmentation
• Direct internet exposure of ICS devices
• Insufficient OT network deep packet inspection

Key Behavioral Indicators

• Unexpected controller reboots or transitions to a major nonrecoverable fault (MNRF) state

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Evaluate applying the vendor-provided firmware updates for affected CompactLogix, Compact GuardLogix, ControlLogix, and GuardLogix controllers.

Infrastructure Hardening

• Minimize network exposure for all control system devices and ensure they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls, isolating them from business networks.
• If remote access is required, consider implementing secure methods such as Virtual Private Networks (VPNs) and ensure they are fully patched.

User Protection

• N/A

Security Awareness

• Ensure OT operators are aware of the MNRF recovery procedures (program download) in the event of a controller fault.

MITRE ATT&CK Mapping

• T0814 - Denial of Service
• T0869 - Standard Application Layer Protocol