CISA 2026-06-16

Rockwell Automation Logix 5370 & 5570 Controllers Vulnerable To Denial of Service Via CIP

CVE-2026-11317

Machine-generated analysis · WAYSCloud LLM

Devices with less memory are more likely to experience a major nonrecoverable fault when a crafted CIP message is sent.

Context

The advisory addresses Rockwell Automation Logix 5370 and 5570 controllers, which are industrial control system devices used in critical manufacturing. The vulnerability stems from improper resource shutdown or release when processing a crafted CIP message, leading to a denial-of-service condition and potential major nonrecoverable fault (MNRF). Recovery requires a program download. The advisory explicitly notes that devices with less memory are more likely to be affected.

Operator considerations

Check: Inventory CompactLogix, Compact GuardLogix, ControlLogix, and GuardLogix controllers running versions listed as affected.
Patch: Update CompactLogix 5370 to version 34.016 or later, Compact GuardLogix 5370 to 35.015 or later, ControlLogix 5570 to 36.012 or later, and GuardLogix 5570 to 37.011 or later.
Log: Monitor for unexpected CIP traffic patterns that could indicate exploitation attempts, based on the attack vector described.

From Cybersecurity and Infrastructure Security Agency ↗

Successful exploitation of this vulnerability could cause a denial-of-service condition that may result in a major nonrecoverable fault (MNRF).

The following versions of Rockwell Automation Logix 5370 & 5570 Controllers Vulnerable To Denial of Service Via CIP are affected:

CompactLogix 5370

Read the full advisory on CISA →