Rockwell Automation has identified a security vulnerability in a number of its products, potentially exposing them to remote exploitation by malicious actors. The products in question belong to Rockwell’s 1756 series of communication modules.
Exploiting this vulnerability, malicious actors could remotely access the running memory of the affected module and perform malicious activities. The issue has been labeled an “out-of-bounds write vulnerability” with a Common Vulnerability Scoring System (CVSS) score of 9.8, indicating a critical threat.
Among the affected products are various versions of the 1756-EN2T, 1756-EN2TK, and 1756-EN2TXT series, among others. Successful exploitation of the vulnerability could allow cybercriminals to gain remote access and modify, deny, and exfiltrate data passing through the device.
A second vulnerability found in the 1756-EN4* products allows for a denial-of-service condition to be instigated, interrupting regular service. This vulnerability has been assigned a slightly lower CVSS score of 7.5.
Rockwell Automation discovered these vulnerabilities and promptly reported them to the Cybersecurity and Infrastructure Security Agency (CISA). The firm’s products are deployed worldwide and are crucial in critical manufacturing infrastructure.
In response, Rockwell Automation has released updated versions of the vulnerable firmware. Users are strongly encouraged to update their equipment to these latest versions to mitigate risk. The update process involves a standard firmware update, with special attention drawn to updating signed firmware versions whenever possible.
In addition, CISA recommends a number of measures to further secure ControlLogix communication modules from exploitation. These include network segmentation, which would restrict a cyber actor’s network connectivity to the communication module. Organizations are also advised to implement detection signatures, monitoring for anomalous packets sent to Rockwell Automation devices.
While no known public exploits specifically target these vulnerabilities, both Rockwell Automation and CISA advise users to perform proper risk assessments before deploying defensive measures. For more detailed information, see Rockwell Automation’s Security Advisory and CISA’s recommended practices.
Concerned organizations should report suspected malicious activity to CISA for tracking and correlation against other incidents.