CISA has released ICSA-26-197-06, detailing critical vulnerabilities affecting Rockwell Automation's Logix controller families. For defenders in Operational Technology (OT), this is a high-priority event. The identified vulnerabilities (CVE-2025-12011, CVE-2025-12012, and CVE-2025-11698) impact the core logic of CompactLogix, ControlLogix, and GuardLogix controllers.
Successful exploitation allows an unauthenticated attacker to send specially crafted Common Industrial Protocol (CIP) messages, triggering a Denial-of-Service (DoS) condition. In an industrial environment, DoS isn't just downtime—it's a safety hazard. We need to move from awareness to containment immediately.
Technical Analysis
Affected Products & Versions The vulnerabilities span multiple generations of the Logix platform:
- CompactLogix 5370 & ControlLogix 5570 (and Guard variants): Firmware versions V35.015 and earlier.
- CompactLogix 5380 & Compact GuardLogix 5380: Firmware versions V34.012 and earlier, and V35.011 and earlier.
Vulnerability Mechanics The three CVEs identified (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) primarily relate to improper input validation or error handling within the CIP implementation of the controller.
- Attack Vector: An attacker requires network access to the EtherNet/IP port (TCP/44818) of the targeted controller. No authentication is required.
- Impact: Upon receiving the malicious packet, the controller's CPU faults or enters a state where it ceases processing logic. This results in a Major Fault type, requiring an operator intervention (power cycle or mode switch) to restore operations.
- Exploitation Status: While public exploit code is not explicitly detailed in the advisory as "in-the-wild" at this moment, the technical barrier to entry for crafting CIP DoS packets is low. The presence of these CVEs in CISA advisories usually signals a high likelihood of weaponization in the near term. We must assume active scanning is already underway.
Detection & Response
Detecting attacks against PLCs requires visibility into the industrial protocols. Standard IT EDR agents often cannot see the payload inside CIP packets. However, we can detect the initiation of these attacks by monitoring network connections from Engineering Workstations and unauthorized assets targeting the controllers.
The following detection rules focus on identifying unexpected traffic patterns attempting to interact with the EtherNet/IP stack on these critical controllers.
---
title: Potential CIP DoS Attack - Suspicious Process Connection to Port 44818
id: a1b2c3d4-5678-490a-bcde-1234567890ab
status: experimental
description: Detects non-standard processes attempting to connect to TCP port 44818 (EtherNet/IP). Valid connections should originate from Rockwell engineering software like Studio 5000 or RSLinx.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-06
author: Security Arsenal
date: 2026/07/15
tags:
- attack.impact
- attack.t0815
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort: 44818
Initiated: 'true'
filter_legit_tooling:
Image|contains:
- '\Studio 5000\'
- '\RSLinx\'
- '\FactoryTalk\'
condition: selection and not filter_legit_tooling
falsepositives:
- Third-party OPC servers or historians communicating with Logix controllers.
- Custom scripts used for legitimate HMI functionality.
level: high
---
title: High Volume CIP Traffic - Potential Flood DoS Attempt
id: b2c3d4e5-6789-490a-bcde-2345678901bc
status: experimental
description: Detects a high volume of connection attempts or established connections to TCP 44818 from a single source IP, indicative of a flood or DoS attempt against Logix controllers.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-06
author: Security Arsenal
date: 2026/07/15
tags:
- attack.impact
- attack.t0815
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort: 44818
timeframe: 1m
condition: selection | count() > 50
falsepositives:
- HMI polling storms during rapid process changes.
- Legitimate bulk data logging operations.
level: medium
**KQL (Microsoft Sentinel / Defender)**
This query hunts for external devices or unexpected internal hosts connecting to the controllers on the EtherNet/IP port.
DeviceNetworkEvents
| where RemotePort == 44818
| where ActionType in ("ConnectionAccepted", "ConnectionAttempted")
| summarize count() by DeviceName, InitiatingProcessFileName, RemoteIP, bin(TimeGenerated, 5m)
| where count_ > 10
| project TimeGenerated, DeviceName, InitiatingProcessFileName, RemoteIP, count_
| sort by count_ desc
**Velociraptor VQL**
This artifact hunts for active network connections on the engineering workstation to the critical CIP port.
-- Hunt for connections to EtherNet/IP port (44818)
SELECT F.Addr, F.Port, Pid, Name, CommandLine
FROM listen_network_connections()
WHERE Port = 44818
AND Name NOT =~ 'RSLinx.exe'
AND Name NOT =~ 'Studio5000.exe'
**Remediation Script (PowerShell)**
This script assists in identifying active connections to the OT network from a Windows-based engineering workstation, useful for triage before patching.
# Audit connections to Rockwell Automation Controllers (Port 44818)
# Run on Engineering Workstations or Jump Servers.
$TargetPort = 44818
$Connections = Get-NetTCPConnection -RemotePort $TargetPort -ErrorAction SilentlyContinue
if ($Connections) {
Write-Host "[!] Found active connections to Port $TargetPort (EtherNet/IP):" -ForegroundColor Yellow
foreach ($Conn in $Connections) {
try {
$Process = Get-Process -Id $Conn.OwningProcess -ErrorAction Stop
[PSCustomObject]@{
RemoteIP = $Conn.RemoteAddress
RemotePort = $Conn.RemotePort
State = $Conn.State
ProcessName = $Process.ProcessName
PID = $Process.Id
Path = $Process.Path
} | Format-List
}
catch {
Write-Host "Could not resolve process for PID $($Conn.OwningProcess)"
}
}
} else {
Write-Host "[+] No active connections to Port $TargetPort detected." -ForegroundColor Green
}
Remediation
1. Patch Management (Primary Mitigation) Apply the firmware updates released by Rockwell Automation immediately. Coordinate downtime with operations, as these updates require controller reprogramming or firmware flashes.
- CompactLogix 5370 / ControlLogix 5570 / GuardLogix 5570: Upgrade to firmware version V35.016 or later.
- CompactLogix 5380 / Compact GuardLogix 5380: Upgrade to firmware version V35.012 or later.
Refer to the official Rockwell Automation Knowledgebase (linked in the CISA advisory) for specific download URLs and release notes for each controller family.
2. Network Segmentation & Firewalling Until patching is complete, enforce strict firewall rules:
- Block inbound TCP/44818 access to Logix controllers from any unauthorized subnet, specifically the corporate IT network and the internet.
- Ensure connections are only permitted from dedicated Engineering Workstations and HMIs on a dedicated Purdue Level 2/3 zone.
3. Intrusion Detection Systems (IDS)
Update your IDS signatures (e.g., Snort/Suricata) to detect the specific packet anomalies associated with CVE-2025-12011 and CVE-2025-11698. Monitor for alerts regarding "CIP Invalid Request" or "Malformed CIP Packet" targeting your controller subnets.
Related Resources
Security Arsenal Alert Triage Automation AlertMonitor Platform Book a SOC Assessment platform Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.