ics-ot · regulator · News · The Broadside

CISA flags two Rockwell CompactLogix 5370 DoS flaws

For contractors running CompactLogix, the advisory collapses to inventory, segmentation, and a maintenance window for V38.011.


TL;DR

CISA published a Rockwell Automation advisory for CVE-2025-11694 and CVE-2026-9307, affecting CompactLogix 5370 L1, L2 and L3 controllers before V38.011. Contractors, primes and ISVs operating or supporting critical manufacturing sites should treat this as an availability patch: exposed CIP Connection IDs on unauthenticated diagnostics pages can help an attacker build denial-of-service packets. CISA says it has no reports of public exploitation.

CISA’s advisory is routine, but the failure mode is concrete. Rockwell Automation CompactLogix 5370 L1, L2 and L3 controllers at versions before V38.011 are known to be affected. CVE-2025-11694 involves missing validation of sequence numbers and source IP addresses in the Common Industrial Protocol (CIP); CVE-2026-9307 exposes CIP Connection IDs on the controller web server’s diagnostics page to unauthenticated network users. Those identifiers can be used to construct malicious packets, leading to denial of service. Rockwell’s mitigation is V38.011, and CISA repeats standard industrial-control advice: minimize controller network exposure, separate control systems from business networks, and assess operational impact before deploying defensive changes. CISA says it has no reports of known public exploitation. For contractors, primes and ISVs supporting critical manufacturing, this is a maintenance-window decision now, before an exposed controller turns a routine advisory into production downtime.
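The inventory-and-patch triage described above can be sketched as follows. This is an added example, not code from CISA, Rockwell or the publisher; the CSV columns, asset names, zone labels and status names are assumptions, and the inventory rows are constructed sample data.

```python
import csv
import io
import re

FIXED = (38, 11)  # V38.011, the fixed version named in the advisory
AFFECTED = re.compile(r"CompactLogix\s+5370\s+L[123]\b", re.I)

# Constructed sample inventory; column names and zone labels are assumptions.
INVENTORY = """asset,model,version,zone
PLC-01,CompactLogix 5370 L3,V33.011,control
PLC-02,CompactLogix 5370 L1,V38.011,control
PLC-03,CompactLogix 5370 L2,37.012,business
PLC-04,CompactLogix 5370 L3,,control
PLC-05,ControlLogix 5580,V35.011,control
PLC-06,CompactLogix 5370 L1,V39.011,dmz
"""

def parse_version(text):
    """Return (major, minor) from strings like 'V38.011' or '37.012', else None."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\s*", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def load(text):
    """Parse the inventory CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def triage(rows):
    """Return (asset, status) pairs for advisory-listed models, most urgent first."""
    rank = {"PATCH-FIRST": 0, "VERIFY": 1, "PATCH": 2, "OK": 3}
    out = []
    for row in rows:
        if not AFFECTED.search(row["model"]):
            continue  # not a product named in the advisory
        ver = parse_version(row["version"])
        if ver is None:
            status = "VERIFY"       # version missing or unreadable: confirm by hand
        elif ver >= FIXED:
            status = "OK"           # already at or past V38.011
        elif row["zone"].strip().lower() != "control":
            status = "PATCH-FIRST"  # below the fix and outside the control zone
        else:
            status = "PATCH"        # below the fix, schedule a maintenance window
        out.append((row["asset"], status))
    return sorted(out, key=lambda pair: rank[pair[1]])

if __name__ == "__main__":
    for asset, status in triage(load(INVENTORY)):
        print(f"{asset}: {status}")
```

Controllers with a missing version sort ahead of known-vulnerable but segmented ones because an unverified unit cannot be ruled in or out until someone checks it.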


Published · Deep Fathom