Rockwell Automation’s ControlLogix 5580 family has a newly republished advisory that raises the alarm for industrial operators: a remotely exploitable NULL pointer dereference in firmware version 35.013 can force a major nonrecoverable fault (MNRF) on affected controllers, producing a high-severity availability impact that demands immediate attention. The Cybersecurity and Infrastructure Security Agency (CISA) assigns this issue the identifier CVE‑2025‑9166, calculates a CVSS v4 base score of 8.2, and explicitly warns that the attack vector is network‑accessible with low complexity—meaning defenders should treat this as a high-priority availability risk for production environments. (cisa.gov)
Background
Industrial control systems (ICS) such as the ControlLogix platform are mission‑critical in manufacturing, chemical processing, utilities and many other sectors. Over the past two years Rockwell’s Logix family has accumulated several high‑impact advisories involving malformed CIP, PTP, and other protocol packets that can result in device crashes or MNRFs. This advisory continues that pattern: the vulnerability is not about data disclosure or privilege escalation but about availability — a fundamental safety and operations concern in OT environments. Rockwell’s product advisories and CISA’s ICS advisories have repeatedly emphasized firmware updates and network isolation as the principal remediation paths for these kinds of issues. (rockwellautomation.com, cisa.gov)
What’s new with this advisory
- The affected SKU is specifically ControlLogix 5580, firmware/software version 35.013.
- The vulnerability class is NULL pointer dereference (CWE‑476), which can trigger uncontrolled faults when the device attempts to dereference a null memory address, commonly leading to crashes or permanent error states that require manual intervention. (cisa.gov)
Technical overview
The vulnerability: NULL pointer dereference (CWE‑476)
A null pointer dereference occurs when software assumes a pointer or reference is valid without checking for a null value first. In an embedded real‑time environment, such an error inside a protocol handler or message‑forwarding routine does not fail a single request; it takes down the task, and on a Logix controller that surfaces as a controller fault.
CISA’s advisory describes the symptom plainly: the controller repeatedly attempts to forward messages, encounters an unhandled null reference, and enters a state that culminates in a major nonrecoverable fault. Recovery from an MNRF typically requires a restart and a download of the user program — a disruptive operation in production. The CVE assignment (CVE‑2025‑9166) formalizes the finding, and both the CVSS v3 and v4 calculations reflect a high availability impact with no confidentiality or integrity impact. (cisa.gov)
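The failure mode just described, as an added illustration that is not Rockwell firmware code: the route table, the message shape and the way a dead task is reported are all hypothetical, and Python's None stands in for a C null pointer. The unchecked handler dereferences whatever the lookup returns and takes the whole forwarding loop down on the first unroutable message; the checked handler drops that message and keeps serving the rest.

```python
"""Unchecked-reference failure in a message-forwarding task (CWE-476 analogue).

Added illustration, not Rockwell firmware: routes, messages and the fault
report are hypothetical; Python's None plays the role of a C null pointer.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass
class Route:
    target: str  # where a message for this destination id is forwarded


@dataclass
class Message:
    dest_id: int
    payload: bytes


@dataclass
class TaskResult:
    forwarded: int = 0
    dropped: int = 0
    fault: Optional[str] = None  # set when the task dies (MNRF analogue)


# Constructed route table: only destination ids 1 and 2 are known.
ROUTES: Dict[int, Route] = {1: Route("io_rack_1"), 2: Route("hmi_1")}


def forward_unchecked(msg: Message, routes: Dict[int, Route]) -> Optional[str]:
    """Vulnerable pattern: the lookup result is used without a None check."""
    route = routes.get(msg.dest_id)
    return route.target  # AttributeError (null dereference) when route is None


def forward_checked(msg: Message, routes: Dict[int, Route]) -> Optional[str]:
    """Fail-safe pattern: validate the reference, drop the message if it is missing."""
    route = routes.get(msg.dest_id)
    if route is None:
        return None
    return route.target


def run_task(messages: Iterable[Message],
             forward: Callable[[Message, Dict[int, Route]], Optional[str]],
             routes: Dict[int, Route] = ROUTES) -> TaskResult:
    """Model of a controller task: an unhandled exception ends the whole task.

    In firmware the equivalent is a processor fault; here it is recorded in
    `fault` and the remaining messages are never processed.
    """
    result = TaskResult()
    try:
        for msg in messages:
            target = forward(msg, routes)
            if target is None:
                result.dropped += 1
            else:
                result.forwarded += 1
    except AttributeError as exc:
        result.fault = f"major nonrecoverable fault: {exc}"
    return result


if __name__ == "__main__":
    traffic = [Message(1, b"ok"), Message(9, b"unroutable"), Message(2, b"ok")]
    print(run_task(traffic, forward_unchecked))  # stops at the second message
    print(run_task(traffic, forward_checked))    # drops it and continues
```

The point of the comparison is where the error is absorbed: in the checked version a bad message costs one dropped packet and a counter increment, while in the unchecked version one unroutable message ends service for every message behind it, which is exactly the availability profile the advisory scores.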
Affected versions and scope
- Affected product: ControlLogix 5580.
- Affected firmware/software version: 35.013.
- Corrective advice: update to 35.014 or later. (cisa.gov, rockwellautomation.com)
Exploitability and real‑world attack surface
CISA’s operational summary lists the vulnerability as remotely exploitable with low attack complexity—meaning an unauthenticated attacker who can send crafted network traffic to the controller’s exposed ports could trigger the condition. That assessment depends on network placement and configuration: a properly segmented and firewalled OT network reduces exposure, whereas misconfigurations, exposed management ports, or insufficient segmentation increase risk. No public exploitation events are reported to CISA at the time of publication, but that absence is not a guarantee of safety—rapid weaponization remains possible for network‑accessible DoS conditions. (cisa.gov)
Why this matters: operational and safety impact
Availability is the primary safety and business concern in ICS. A controller that enters an MNRF:
- Can halt production lines or control loops within seconds.
- May require manual, on‑site recovery that increases mean time to repair (MTTR) and operational risk.
- Could break interlocks or supervisory controls, creating potential safety hazards if recovery steps are rushed or misapplied.
Verification: cross‑referencing the facts
To validate the key technical claims:
- CISA’s advisory lists the CVE (CVE‑2025‑9166), classifies the bug as NULL pointer dereference (CWE‑476), and reports CVSS numbers (v3 = 7.5, v4 = 8.2) and the affected version as 35.013. This is the public government advisory and the authoritative summary for U.S. operators. (cisa.gov)
- Rockwell Automation publishes product security advisories for Logix controllers that are consistent with CISA’s guidance: its advisory history shows similar denial‑of‑service issues in Logix controllers and confirms corrective firmware for other related CVEs, and its general guidance for affected Logix families names specific firmware targets and network mitigations. Rockwell’s advisory index lists many SD‑numbered advisories; operators must use Rockwell’s product compatibility and download pages to select the exact firmware tied to their catalog number and chassis configuration. (rockwellautomation.com)
Caveat: the CVE registry page may require interactive access and may not always display full details without JavaScript; rely on vendor and CISA advisories for authoritative remediation guidance in operational contexts. (cve.org, cisa.gov)
Practical mitigation and remediation checklist
Operators should treat this advisory as a priority for any site that runs ControlLogix 5580 firmware 35.013. The following steps give an operational framework for mitigation and safe remediation.
- Immediate triage (first 24–72 hours)
- Inventory: confirm which controllers run 35.013. Use automation where available to avoid manual errors.
- Network isolation: ensure controllers are not reachable from the internet and that management interfaces are not exposed to corporate or external networks. Block unneeded ports at the network edge. CISA reiterates that devices should not be internet‑accessible. (cisa.gov)
- Temporary controls: if practical, implement ACL rules or firewall policies to block suspicious sources and restrict CIP/ENIP traffic to trusted management stations only.
- Apply vendor update (recommended)
- Plan a maintenance window for updating to version 35.014 or later as Rockwell recommends. Validate compatibility of 35.014 with your CPU, I/O modules, and engineering toolset. (cisa.gov, rockwellautomation.com)
- Test on non‑production hardware first: verify controllers return to normal state post‑update and that no regressions appear in logic or communication paths.
- If immediate patching is not possible (compensating controls)
- Reduce attack surface: block or filter the offending protocol/port combinations at the OT perimeter.
- Harden management access: use jump hosts or bastion hosts for controller management; restrict remote VPN endpoints and enforce MFA where possible.
- CIP Security: enable and properly configure CIP Security (if supported) to mitigate unauthorized message injection. Rockwell advisories repeatedly recommend CIP Security as a hardening layer for Logix families. (rockwellautomation.com)
- Post‑remediation verification and monitoring
- Baseline verification: after patching, perform an online program compare and confirm user program integrity. Document the pre‑ and post‑state for forensic reference.
- Telemetry and alerting: monitor for unusual network traffic patterns such as bursts of malformed CIP or Forward Close messages, bursts on related UDP/TCP ports, or repeated controller asserts and reboots. Configure SIEM/SOC workflows to escalate any anomalous OT‑network traffic. (rockwellautomation.com)
- Operational readiness
- Update runbooks: revise incident response runbooks to include steps for MNRF recovery, safe program reload, and human safety checks.
- Staff training: ensure OT technicians and system owners know the signs of MNRF and the correct sequence for controlled recovery to avoid further equipment or process harm.
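One way to do the inventory and exposure triage from the checklist above, as an added example that is not a Rockwell or CISA tool: the CSV columns, the zone and reachability fields and the P1/P2/P3 scheme are assumptions about a site's asset export, and the catalog‑number check assumes the export lists catalog numbers such as 1756-L83E (ControlLogix 5580 controllers carry 1756-L8x numbers). The version numbers come from the advisory. Anything that is not exactly 35.013 is reported as fixed, not listed, or unknown, so a blank or odd version string gets checked rather than silently treated as safe.

```python
"""Inventory and exposure triage for the ControlLogix 5580 advisory.

Added example, not a Rockwell or CISA tool. The CSV columns, zone names and
priority scheme are assumptions about a site's asset export; the version
numbers come from the advisory.
"""
import csv
import io
from typing import Dict, List, Optional, Tuple

AFFECTED_VERSION = (35, 13)   # 35.013, the only revision the advisory lists
FIXED_MIN_VERSION = (35, 14)  # 35.014 or later is the corrective version

# Constructed sample export (not real site data).
SAMPLE_INVENTORY = """\
name,catalog,firmware,ip,zone,reachable_from_corporate
PLC_LINE1,1756-L83E,35.013,10.10.1.10,cell-1,yes
PLC_LINE2,1756-L85E,35.014,10.10.1.11,cell-1,no
PLC_UTIL,1756-L81E,35.013,10.10.2.10,cell-2,no
PLC_OLD,1756-L75,33.011,10.10.3.10,cell-3,yes
PLC_UNK,1756-L83E,,10.10.1.12,cell-1,yes
"""


def parse_version(text: str) -> Optional[Tuple[int, int]]:
    """Parse a Logix revision such as '35.013' into (major, minor); None if unparseable."""
    parts = text.strip().split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return None
    return int(parts[0]), int(parts[1])


def is_controllogix_5580(catalog: str) -> bool:
    """ControlLogix 5580 controllers carry 1756-L8x catalog numbers (e.g. 1756-L83E)."""
    return catalog.strip().upper().startswith("1756-L8")


def classify(row: Dict[str, str]) -> str:
    """Map one inventory row to an advisory status."""
    if not is_controllogix_5580(row["catalog"]):
        return "not-in-scope"        # e.g. ControlLogix 5570 (1756-L7x) is not listed
    version = parse_version(row["firmware"])
    if version is None:
        return "unknown-version"     # blank or odd string: verify, do not assume safe
    if version == AFFECTED_VERSION:
        return "affected"
    if version >= FIXED_MIN_VERSION:
        return "fixed"
    return "not-listed"              # other revisions: confirm against the vendor advisory


def triage(csv_text: str) -> List[Dict[str, object]]:
    """Return one record per controller, highest priority first."""
    findings: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row)
        exposed = row["reachable_from_corporate"].strip().lower() == "yes"
        if status == "affected" and exposed:
            priority = "P1"   # vulnerable and reachable from outside the cell
        elif status in ("affected", "unknown-version"):
            priority = "P2"   # vulnerable but isolated, or cannot yet be ruled out
        else:
            priority = "P3"
        findings.append({"name": row["name"], "ip": row["ip"], "status": status,
                         "exposed": exposed, "priority": priority})
    return sorted(findings, key=lambda f: (str(f["priority"]), str(f["name"])))


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['priority']} {f['name']:10} {f['ip']:12} {f['status']:16} exposed={f['exposed']}")
```

Feed it the real export from whatever asset system you run and the P1 list is the set of controllers to isolate first and patch first; the unknown‑version rows are the ones to walk down to with a laptop before the maintenance window is planned.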
Detection, monitoring and indicators of compromise
This vulnerability is DoS‑centric rather than a stealth compromise. Still, defenders should instrument detection to rapidly spot exploitation attempts and anomalous conditions.
- Network indicators:
- Unusual bursts of CIP (Common Industrial Protocol) packets, particularly malformed or repeated Forward Close messages.
- Repeated traffic to the controller’s EtherNet/IP port from non‑authorized hosts.
- Unexpected UDP traffic on the PTP ports (319 and 320) if PTP is enabled on the controller or otherwise implicated in the specific environment.
- Device indicators:
- Controller logs showing repeated fault asserts or MNRF conditions.
- Sudden loss of I/O or HMI visibility without corresponding upstream network issues.
- Repeated requests for program re‑download or manual reset events.
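A sliding‑window detector over the network indicators above, as an added example that is not a Rockwell or CISA rule: it assumes a CIP‑aware sensor already emits one record per EtherNet/IP connection‑manager request with the service name, and the controller addresses, client allowlist, window and threshold are placeholders to tune per site. The advisory publishes no packet signature, so this is anomaly detection on who talks EtherNet/IP to the controller and how fast; it also covers the bursts of Forward Close messages called out in the monitoring step of the checklist.

```python
"""Sliding-window detector for EtherNet/IP traffic to controllers.

Added example, not a Rockwell or CISA rule. Assumes a CIP-aware sensor emits
one record per connection-manager request with the service name; addresses,
allowlist, window and threshold are placeholders to tune per site.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

ENIP_TCP_PORT = 44818                           # EtherNet/IP explicit messaging
CONTROLLERS = {"10.10.1.10", "10.10.1.11"}      # assumed controller addresses
ALLOWED_CLIENTS = {"10.10.1.50", "10.10.1.51"}  # assumed engineering station and HMI
WATCHED_SERVICES = ("Forward_Open", "Forward_Close")
WINDOW_SECONDS = 5.0
BURST_THRESHOLD = 20   # watched requests per (src, dst, service) inside the window

Event = Tuple[float, str, str, int, str]  # (timestamp, src_ip, dst_ip, dst_port, service)

# Constructed events: a benign engineering station opening connections slowly,
# a rogue host hammering Forward_Close, and one request to a non-controller.
SAMPLE_EVENTS: List[Event] = (
    [(i * 12.0, "10.10.1.50", "10.10.1.10", ENIP_TCP_PORT, "Forward_Open") for i in range(5)]
    + [(100.0 + i * 0.05, "10.10.9.9", "10.10.1.10", ENIP_TCP_PORT, "Forward_Close") for i in range(25)]
    + [(50.0, "10.10.9.9", "10.10.1.200", ENIP_TCP_PORT, "Forward_Open")]
)


def detect(events: List[Event]) -> List[Dict[str, object]]:
    """Raise one alert per (rule, source, controller[, service]) over the event stream."""
    alerts: List[Dict[str, object]] = []
    seen = set()
    windows: Dict[Tuple[str, str, str], Deque[float]] = defaultdict(deque)

    def alert(rule: str, key: tuple, ts: float, **extra) -> None:
        if key in seen:         # report each condition once, not once per packet
            return
        seen.add(key)
        alerts.append({"rule": rule, "ts": ts, **extra})

    for ts, src, dst, dport, service in sorted(events, key=lambda e: e[0]):
        if dst not in CONTROLLERS or dport != ENIP_TCP_PORT:
            continue            # only EtherNet/IP traffic to known controllers
        if src not in ALLOWED_CLIENTS:
            alert("unauthorized-source", ("unauthorized-source", src, dst), ts,
                  src=src, dst=dst)
        if service in WATCHED_SERVICES:
            window = windows[(src, dst, service)]
            window.append(ts)
            while window and ts - window[0] > WINDOW_SECONDS:
                window.popleft()   # drop requests that fell out of the window
            if len(window) >= BURST_THRESHOLD:
                alert("connection-manager-burst", ("burst", src, dst, service), ts,
                      src=src, dst=dst, service=service, count=len(window))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Two design choices matter in practice. Alerts are deduplicated per condition so that a 25‑packet burst produces two tickets (unknown source, burst), not fifty; and the unauthorized‑source rule fires on the first packet regardless of rate, because on a properly segmented cell any new talker to port 44818 is worth a look before it has sent enough to fault anything.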
Risk analysis: strengths and weaknesses of the vendor/CISA response
Strengths
- Timely disclosure and alignment: Rockwell reported the issue and published corrective firmware guidance; CISA republished the advisory for broader distribution. Both parties present consistent facts about affected versions and remediation paths. This aligns vendor and national‑level guidance for operators. (cisa.gov, rockwellautomation.com)
- Actionable remediation: Rockwell provides a direct corrective version path (35.014 or later) and recommends CIP Security and other network mitigations that are deployable in many environments. (rockwellautomation.com)
Weaknesses and operational friction
- Patching constraints: PLC firmware updates often require planned downtime, safety reviews and regression testing. Pushing a firmware upgrade across large fleets is slow and carries its own risk, which gives attackers a window of opportunity if network controls are insufficient.
- Detection complexity: many OT networks lack robust packet capture and anomaly detection tuned for CIP/ENIP, so early exploitation attempts could be missed if operators rely only on traditional IT telemetry.
- Version proliferation: the Logix family has many closely related CVEs and corrective versions; operators who manage mixed firmware estates must double‑check compatibility matrices and module interdependencies to avoid bricking devices or creating unintended regressions during updates. Rockwell’s advisory pages frequently remind users to consult compatibility matrices before upgrading. (rockwellautomation.com)
Actionable recommendations for system owners
- Prioritize: treat all ControlLogix 5580 instances on 35.013 as high priority for patching to 35.014+. If that is not immediately possible, apply network isolation and tight ACLs as a compensating control. (cisa.gov, rockwellautomation.com)
- Inventory and schedule: compile an accurate firmware inventory and plan staged upgrades, beginning with test rigs and non‑critical lines. Use change windows and staff both OT and safety engineers during upgrades.
- Use defense‑in‑depth: combine network segmentation, CIP Security, hardened management hosts, and continuous monitoring for the best practical risk reduction. CISA and Rockwell both highlight these standard ICS best practices. (cisa.gov, rockwellautomation.com)
- Update policies: ensure firmware and configuration change tracking are part of the organizational patch and change management process, including roll‑back plans and backups of controller projects prior to updates.
- Report anomalies: if you observe suspected exploitation or unusual device behavior, follow established incident reporting channels (including notifying CISA if in the U.S.) to support correlation and community defense. (cisa.gov)
Final assessment and closing analysis
This advisory underscores a recurring and uncomfortable reality: industrial controllers prioritize deterministic behavior and performance, and even modest robustness bugs (a null pointer dereference) can cause catastrophic availability failure when triggered over the network. The combination of remote exploitability and low attack complexity makes CVE‑2025‑9166 a high‑risk operational issue for any site running ControlLogix 5580 firmware 35.013.
The good news is that Rockwell and CISA provide a clear remediation path: update to 35.014 or later, apply network hardening and CIP Security, and adopt detection and incident response practices that are OT‑aware. The operational challenge remains the safe, coordinated deployment of those firmware updates across production environments.
Treat this advisory as an availability emergency: confirm your inventory, isolate exposed controllers, schedule tested updates, and harden detection. In OT environments, availability equals safety and revenue; rapid, conservative action is the right risk management response. (cisa.gov, rockwellautomation.com)
Rockwell Automation reported the issue to CISA and the formal advisory was republished on September 9, 2025; no public exploitation had been reported to CISA at that time, but defenders should not rely on the absence of reported exploitation as a protective guarantee. Follow vendor and national guidance, validate fixes in test environments, and treat the patch cycle as an urgent, coordinated operational priority. (cisa.gov, rockwellautomation.com)
Source: CISA Rockwell Automation ControlLogix 5580 | CISA