Rockwell Automation’s ControlLogix 5580 family has a newly republished advisory that raises the alarm for industrial operators: a remotely exploitable NULL pointer dereference in firmware version 35.013 can force a major nonrecoverable fault (MNRF) on affected controllers, producing a high-severity availability impact that demands immediate attention. The Cybersecurity and Infrastructure Security Agency (CISA) assigns this issue the identifier CVE‑2025‑9166, calculates a CVSS v4 base score of 8.2, and explicitly warns that the attack vector is network‑accessible with low complexity—meaning defenders should treat this as a high-priority availability risk for production environments.

Background

Industrial control systems (ICS) such as the ControlLogix platform are mission‑critical in manufacturing, chemical processing, utilities and many other sectors. Over the past two years Rockwell’s Logix family has accumulated several high‑impact advisories involving malformed CIP, PTP, and other protocol packets that can result in device crashes or MNRFs. This advisory continues that pattern: the vulnerability is not about data disclosure or privilege escalation but about availability — a fundamental safety and operations concern in OT environments. Rockwell’s product advisories and CISA’s ICS advisories have repeatedly emphasized firmware updates and network isolation as the principal remediation paths for these kinds of issues. (cisa.gov)

What’s new with this advisory

  • The affected SKU is specifically ControlLogix 5580, firmware/software version 35.013.
  • The vulnerability class is NULL pointer dereference (CWE‑476), which can trigger uncontrolled faults when the device attempts to dereference a null memory address, commonly leading to crashes or permanent error states that require manual intervention.
This advisory was republished by CISA on September 9, 2025 and carries guidance consistent with Rockwell’s published mitigations: update to version 35.014 or later where possible, and apply layered OT security best practices when updating immediately is not feasible. (cisa.gov, cve.org)

Practical mitigation and remediation checklist

Operators should treat this advisory as a priority for any site that runs ControlLogix 5580 firmware 35.013. The following steps give an operational framework for mitigation and safe remediation.
  • Immediate triage (first 24–72 hours)
      • Inventory: confirm which controllers run 35.013. Use automation where available to avoid manual errors.
      • Network isolation: ensure controllers are not reachable from the internet and that management interfaces are not exposed to corporate or external networks. Block unneeded ports at the network edge. CISA reiterates that devices should not be internet‑accessible.
      • Temporary controls: if practical, implement ACL rules or firewall policies to block suspicious sources and restrict CIP/ENIP traffic to trusted management stations only.
  • Apply vendor update (recommended)
      • Plan a maintenance window for updating to version 35.014 or later as Rockwell recommends. Validate compatibility of 35.014 with your CPU, I/O modules, and engineering toolset. (cisa.gov, rockwellautomation.com, cisa.gov)
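The inventory and exposure steps above lend themselves to a small triage script. The following is an added example, not code from the advisory or from Rockwell: it parses firmware strings numerically (so "35.013" is not compared as text), classifies each controller against the 35.013 / 35.014 boundary, and flags controllers whose address falls outside an assumed OT cell subnet. The inventory rows and the 10.20.0.0/16 OT range are constructed sample data.

```python
"""Triage controllers for the ControlLogix 5580 advisory (CVE-2025-9166).
Sample inventory below is constructed, not taken from any real site."""
import ipaddress

AFFECTED = (35, 13)   # 35.013, the version named in the advisory
FIXED = (35, 14)      # 35.014 or later per Rockwell/CISA guidance

# Constructed sample inventory, firmware strings as an engineering tool
# would report them.
INVENTORY = [
    {"name": "PLC-LINE1", "ip": "10.20.1.10", "fw": "35.013"},
    {"name": "PLC-LINE2", "ip": "10.20.1.11", "fw": "35.014"},
    {"name": "PLC-UTIL",  "ip": "172.16.5.7", "fw": "35.013"},
    {"name": "PLC-LAB",   "ip": "10.20.1.12", "fw": "34.011"},
]
# Assumed OT cell subnets; anything outside is treated as exposed.
OT_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]

def parse_fw(fw):
    """'35.013' -> (35, 13); the minor field's leading zero is dropped."""
    major, minor = fw.strip().split(".", 1)
    return int(major), int(minor)

def classify(fw):
    ver = parse_fw(fw)
    if ver == AFFECTED:
        return "UPDATE_NOW"        # the one version the advisory lists
    if ver >= FIXED:
        return "REMEDIATED"        # 35.014 or later
    return "NOT_IN_ADVISORY"       # other builds are not covered here

def in_ot_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_SUBNETS)

def triage(inventory):
    """One row per controller: patch status, exposure flag, priority."""
    rows = []
    for c in inventory:
        status = classify(c["fw"])
        exposed = not in_ot_network(c["ip"])
        # Affected and reachable from outside the OT cell ranks first.
        if status == "UPDATE_NOW":
            priority = "P1" if exposed else "P2"
        else:
            priority = "P3"
        rows.append({"name": c["name"], "status": status,
                     "exposed": exposed, "priority": priority})
    return sorted(rows, key=lambda r: r["priority"])

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```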

Risk analysis: strengths and weaknesses of the vendor/CISA response

Strengths

  • Timely disclosure and alignment: Rockwell reported the issue and published corrective firmware guidance; CISA republished the advisory for broader distribution. Both parties present consistent facts about affected versions and remediation paths. This aligns vendor and national‑level guidance for operators. (cisa.gov)