CVE-2026-9653: Update ControlLogix EN2/EN3 to V12.002

CISA’s ICSA-26-197-02 identifies a high-severity denial-of-service vulnerability, CVE-2026-9653, affecting three Rockwell Automation ControlLogix EtherNet/IP communication-module families: 1756-EN2, 1756-EN3, and the discontinued 1756-ENBT. The immediate version decision is clear: 1756-EN2 and 1756-EN3 modules running V12.001 or earlier should be updated to V12.002, while affected 1756-ENBT modules running V6.006 have no vendor fix.
Source: CISA, ICSA-26-197-02: Rockwell Automation ControlLogix EtherNet/IP Communication Modules Denial-of-Service Vulnerability. CISA identifies the advisory as its initial publication; this article does not rely on an unsupported publication date.
The advisory describes improper validation of CIP Implicit Connection packets. An attacker with access to the relevant network can send crafted packets that disrupt device connections. CISA states that the connections recover immediately afterward, but repeated triggering can still create a denial-of-service condition by repeatedly interrupting normal connectivity.
That makes this an availability problem first and foremost. The advisory’s CVSS vector supports several important facts: the vulnerability is reachable over a network, has low attack complexity, requires no privileges, requires no user interaction, and affects availability. Those facts do not, by themselves, establish every possible operational outcome at a site. They do establish that organizations should identify exposed affected modules and apply the available firmware fix or make a deliberate local decision about the remaining unpatched hardware.

Industrial cybersecurity dashboard showing a denial-of-service attack targeting a discontinued EtherNet/IP module.A Recovering Connection Is Still a Security Event​

The phrase that connections recover immediately can be easy to misread. Automatic recovery may reduce the duration of a single disruption, but it does not eliminate the availability concern when an attacker can repeat the triggering condition.
CISA rates CVE-2026-9653 as High severity. The vulnerability is not described as a confidentiality or integrity issue, and the advisory does not claim that it enables theft of data, changes to controller logic, or modification of process values. Its stated concern is denial of service through disruption of device connections.
That distinction should guide prioritization. The absence of a confidentiality or integrity impact does not make an availability vulnerability routine, particularly where affected equipment is reachable from networks beyond the small group of systems that need to communicate with it. At the same time, the available CVSS information should not be stretched into predictions about a specific plant’s downtime, production impact, or safety response. Those consequences depend on the local architecture and operating procedures, which are outside the advisory’s stated facts.
CISA reported no known public exploitation specifically targeting this vulnerability at the time of the advisory. That is useful context, but it is not a substitute for identifying affected hardware and acting on the remediation guidance. A lack of known public exploitation does not change the affected versions or add a fix for the discontinued ENBT.

One CVE, Three Product Families, and Two Remediation Paths​

The practical challenge is that the advisory covers three related product families but provides two very different outcomes. The 1756-EN2 and 1756-EN3 have a corrected firmware version. The 1756-ENBT does not.
Product familyAffected firmwareVendor remediationPatch available?Administrative priority
1756-EN3V12.001 and earlierUpdate to V12.002YesIdentify modules and schedule controlled firmware upgrades
1756-EN2V12.001 and earlierUpdate to V12.002YesIdentify modules and schedule controlled firmware upgrades
1756-ENBTV6.006Product discontinued; fix unavailableNoDocument exposure and plan replacement or local compensating controls
This is why exact inventory matters. “We have ControlLogix” is not enough to close the issue. Administrators need the installed module type and firmware revision for each affected deployment. A site may have current controllers, engineering systems, or workstation software while retaining older communication hardware that has remained in service through multiple modernization cycles.
The version decision should come before broader discussions of architecture or risk treatment:
  1. 1756-EN2 and 1756-EN3 at V12.001 or earlier: move to V12.002 through an approved OT change process.
  2. 1756-ENBT at V6.006: recognize that there is no vendor fix and handle the device through local exposure review and replacement planning.
That ordering helps prevent a common failure mode in industrial vulnerability response: spending weeks discussing general controls before confirming whether the affected hardware can simply be updated. For EN2 and EN3 modules, the corrected version is known. For ENBT modules, the security question shifts from patch deployment to lifecycle management.
The ENBT’s discontinued status is important, but it should not be repeated as a slogan in place of a decision. The relevant decision is whether the organization has identified each V6.006 device, understood its reachable network paths, and assigned an owner and timeline for replacement, retirement, or another locally approved risk treatment.

Network Access Is a Relevant Exposure Condition​

CVE-2026-9653 is categorized as CWE-354, Improper Validation of Integrity Check Value. CISA describes the issue as improper validation of CIP Implicit Connection packets. The CVSS vector indicates that network access is required, while also indicating low attack complexity, no required privileges, and no user interaction.
Those characteristics make network reachability a central fact for local risk assessment. They do not mean that every network configuration carries identical exposure, and they do not establish that a particular path exists into a specific operational environment. Each organization must determine which systems can communicate with affected modules and whether those paths are required.
CISA references broader industrial-control-system guidance, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies and ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Those references provide useful background for organizations reviewing their own control-system defenses. However, this advisory should not be read as a detailed, product-specific CISA mandate for a particular firewall design, remote-access method, or network architecture.
For this vulnerability, inventory and access review are local OT procedures. They should be led by the teams responsible for the affected environment, with engineering, operations, maintenance, and cybersecurity stakeholders involved as appropriate. The objective is straightforward: determine where affected modules are deployed, which connections are necessary for normal operations, and what practical options exist to reduce unnecessary reachability while firmware changes or replacement plans are completed.
A local segmentation review can be valuable, especially for an unpatched legacy device, but its scope should be based on the site’s documented architecture rather than a generic checklist. Changes to network paths, firewall rules, remote connectivity, or management access can have legitimate operational consequences. That is why they require locally approved OT change control, validation, and ownership.

Firmware Upgrades Need an OT Change Plan​

For the EN2 and EN3 families, V12.002 is the vendor’s stated remediation. That makes the firmware update the primary corrective action for affected versions, but it does not make an industrial firmware change equivalent to a routine desktop update.
A controlled OT change process should establish the exact module identity, current firmware version, intended target version, maintenance window, rollback or recovery approach, and post-change validation criteria. The details will vary by site, but the principle is consistent: the update should be planned and recorded as an operational change, not treated as an isolated vulnerability-scanner task.
The advisory supports the firmware decision; local procedures govern execution. A useful change record can include:
  • The chassis and physical location of the affected module.
  • The module family and installed firmware revision.
  • Confirmation that the device is within the affected version range.
  • The planned update to V12.002 for eligible EN2 and EN3 modules.
  • The maintenance owner, operational approver, and validation owner.
  • The locally defined recovery process if the planned change cannot be completed.
  • Confirmation after the maintenance window that the module is operating on the intended firmware revision.
The value of this approach is not bureaucratic completeness for its own sake. It creates a record that distinguishes confirmed remediation from assumed remediation. A device that appears in an asset list without a verified firmware version has not yet been resolved. Likewise, a planned update is not the same as an installed update.
For ENBT systems, the plan should be different because no firmware update can close CVE-2026-9653 on V6.006. The organization should document each affected ENBT module, assign ownership, review local network reachability, and establish a replacement or retirement decision. That plan may involve a longer operational timeline than a firmware update, but it should still have defined milestones rather than remaining an open-ended exception.

Action checklist for admins​

The version decision comes first:
  • 1756-EN2 and 1756-EN3 at V12.001 or earlier: update to V12.002 using a tested and approved OT change process.
  • 1756-ENBT at V6.006: no vendor fix is available; record the asset as unpatched and move it into replacement or locally approved compensating-control planning.
The following are local OT procedures, not advisory-specific CISA mandates:
  • Inventory all deployed 1756-EN2, 1756-EN3, and 1756-ENBT modules, including model, firmware revision, chassis or location, and responsible owner.
  • Verify whether each module falls within the affected firmware range rather than relying on product-family names alone.
  • Schedule EN2 and EN3 updates through normal OT maintenance, approval, recovery, and validation processes.
  • Create a documented lifecycle decision for every affected ENBT module, including replacement, retirement, or an approved interim risk treatment.
  • Review the network paths that can reach affected modules and identify access that is not required for the site’s intended operation.
  • Review remote and administrative access as part of the site’s ordinary OT access-management process.
  • Record the completion status of firmware updates and the current status of each remaining ENBT exception.
This checklist intentionally separates the advisory’s verified version guidance from procedures that must be designed locally. CISA’s advisory identifies the vulnerability, affected products, and remediation status. It does not replace the engineering review required to make changes safely in a specific production environment.

The ENBT Is a Lifecycle Decision, Not Just a Patch Exception​

The 1756-ENBT is the part of this advisory that requires the most management attention because its remediation status cannot be solved by scheduling V12.002. CISA identifies V6.006 as affected, and the product is discontinued with no fix available.
That does not automatically dictate a single replacement date for every facility. Asset replacement decisions can depend on maintenance schedules, approved hardware standards, spares strategy, engineering resources, and the design of the surrounding system. But the absence of a fix does require a decision that is more concrete than “monitor the issue.”
A workable ENBT record should answer several questions:
Decision questionLocal owner should establish
Where is the module?Chassis, site, area, and asset owner
Is the version affected?Confirmation of V6.006
Is a fix available?No; the product is discontinued
What is the interim treatment?Locally approved exposure and access controls
What is the long-term treatment?Replacement, retirement, or redesign decision
When will the decision be revisited?A dated review point and accountable owner
This is a more useful response than repeatedly describing the device as “legacy” or “unpatchable.” The key operational task is to convert that status into an owned lifecycle plan. An unpatched device with no assigned owner, no recorded location, and no replacement decision is materially different from an unpatched device that is tracked, reviewed, and scheduled for retirement.
CISA credits Tyler Lentz of Idaho National Laboratory with reporting the vulnerability. The report is also a reminder that product support status and production service life do not always align. Industrial hardware can remain deployed long after its vendor remediation options have narrowed. That makes asset visibility and lifecycle governance part of vulnerability management, not separate administrative concerns.
The patched EN2 and EN3 modules should not obscure that broader point. They have a clear firmware destination: V12.002. The ENBT does not. Organizations need a process that distinguishes between vulnerable-but-patchable devices and vulnerable devices for which the vendor no longer provides a corrective release.

What This Advisory Actually Requires​

CVE-2026-9653 is a specifically described availability vulnerability. It is not evidence that every affected organization has been compromised, and it is not evidence of impacts beyond the disruption of device connections described in the advisory. The available CVSS information supports a focused conclusion: the flaw is network-reachable, low complexity, requires no privileges or user interaction, and affects availability.
The operational response should be equally focused:
  • CISA’s ICSA-26-197-02 covers affected Rockwell Automation 1756-EN2, 1756-EN3, and 1756-ENBT EtherNet/IP communication modules.
  • CVE-2026-9653 involves improper validation of CIP Implicit Connection packets and can disrupt device connections.
  • Affected 1756-EN2 and 1756-EN3 modules at V12.001 or earlier should be updated to V12.002.
  • Affected 1756-ENBT modules at V6.006 are discontinued and have no vendor fix.
  • Inventory, segmentation review, access review, and replacement planning are local OT procedures that organizations should apply according to their own systems and change-management requirements.
  • The ENBT requires a tracked lifecycle decision because firmware remediation is unavailable.
The forward-looking lesson is not that every industrial advisory demands the same network redesign or emergency maintenance action. It is that organizations need enough asset visibility to identify the precise module and firmware version involved, enough OT governance to deploy available fixes responsibly, and enough lifecycle discipline to handle the equipment that cannot be patched.
For EN2 and EN3 owners, the next step is a controlled move to V12.002 where affected versions are confirmed. For ENBT owners, the next step is to stop treating the lack of a patch as an unresolved technical detail and turn it into a documented replacement or risk-treatment decision. That is how ICSA-26-197-02 becomes a practical improvement in vulnerability management rather than another advisory that is acknowledged but never fully closed.

References​

  1. Primary source: CISA
    Published: 2026-07-16T12:00:00+00:00
 

Back
Top