PatchSiren cyber security CVE debrief
CVE-2025-54811 OpenPLC_V3 CVE debrief
CVE-2025-54811 affects OpenPLC_V3 and was publicly disclosed by CISA on 2025-09-30. The advisory says a flaw in enipThread can lead to a crash when the server loop ends and execution reaches an illegal ud2 instruction, resulting in denial of service for the PLC runtime.
- Vendor: OpenPLC_V3
- Product: Unknown
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-30
- Original CVE updated: 2025-09-30
- Advisory published: 2025-09-30
- Advisory updated: 2025-09-30
Who should care
Industrial control system operators, OT engineers, integrators, and anyone running or embedding OpenPLC_V3 in production or test environments should treat this as an availability issue with operational impact.
Technical summary
The source advisory describes a missing return value in enipThread. When the server loop ends, execution can reach an illegal ud2 instruction and crash the process. The advisory says the issue can be triggered without authentication by starting the same server multiple times or if the server exits unexpectedly, and that the outcome is a PLC runtime crash that stops automation or control logic. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H, indicating a high availability impact.
Defensive priority
High for any OpenPLC_V3 deployment that supports or depends on continuous PLC runtime availability, especially in OT environments where a process crash would halt control logic.
Recommended defensive actions
- Update OpenPLC_V3 to pull request #292 or later from the main GitHub repository, per the advisory remediation.
- Confirm whether your deployed OpenPLC_V3 build includes the fix, especially if you run a fork or custom build.
- Apply OT network segmentation and access controls so only necessary hosts can reach the service.
- Monitor for unexpected server restarts, repeated service starts, and process crashes associated with OpenPLC_V3.
- Validate recovery procedures so PLC runtime restart or failover can be performed quickly if the process stops.
- Review CISA ICS recommended practices and defense-in-depth guidance for additional containment and resilience measures.
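To support the monitoring action above, the following added example (not part of the advisory or the OpenPLC project) scans Linux kernel log lines for invalid-opcode traps, the signature a process leaves when it executes ud2, and flags repeated crashes at the same code location. The process name "openplc", the time window and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# x86 Linux kernel line logged when a process dies on an invalid opcode such as ud2.
TRAP_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+traps:\s+(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]\s+"
    r"trap invalid opcode\s+ip:(?P<ip>[0-9a-f]+)\s"
)

# Constructed sample dmesg output (not captured from a real system).
SAMPLE_DMESG = """\
[ 1042.118331] traps: openplc[2211] trap invalid opcode ip:55d0c8a1f3c2 sp:7f3a1c9fee40 error:0 in openplc[55d0c8a00000+9f000]
[ 1101.540002] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[ 1163.907415] traps: openplc[2298] trap invalid opcode ip:5581b2e4c3c2 sp:7f10d45fee40 error:0 in openplc[5581b2e2d000+9f000]
[ 1170.000100] traps: other[3000] trap invalid opcode ip:401136 sp:7ffd0000 error:0 in other[401000+1000]
[ 9000.250000] traps: openplc[4100] trap invalid opcode ip:560000aaa3c2 sp:7f0000000e40 error:0 in openplc[560000a8b000+9f000]
""".splitlines()

def find_traps(lines, comm="openplc"):  # "openplc" is an assumed process name
    """Return one record per invalid-opcode trap raised by process `comm`."""
    hits = []
    for line in lines:
        m = TRAP_RE.match(line)
        if m and m["comm"] == comm:
            ip = int(m["ip"], 16)
            # ASLR shifts whole pages, so the low 12 bits identify the same ud2 site.
            hits.append({"ts": float(m["ts"]), "pid": int(m["pid"]),
                         "page_off": ip & 0xFFF})
    return hits

def crash_loops(hits, window=300.0, threshold=2):
    """Map page offset -> pids for `threshold`+ traps within `window` seconds."""
    groups = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["ts"]):
        groups[h["page_off"]].append(h)
    alerts = {}
    for off, evs in groups.items():
        for i in range(len(evs) - threshold + 1):
            burst = [e for e in evs[i:] if e["ts"] - evs[i]["ts"] <= window]
            if len(burst) >= threshold:
                alerts[off] = [e["pid"] for e in burst]
                break
    return alerts

if __name__ == "__main__":
    for off, pids in crash_loops(find_traps(SAMPLE_DMESG)).items():
        print(f"repeated invalid-opcode crash at page offset {off:#x}, pids {pids}")
```

Feed it the output of the kernel log on the host running the runtime; a different pid at the same page offset means the process was restarted and crashed again at the same instruction.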
Evidence notes
All substantive claims in this debrief come from the supplied CISA CSAF advisory for ICSA-25-273-05 / CVE-2025-54811, its referenced remediation, and the official CVE/CISA resource links provided in the corpus. The source states initial publication on 2025-09-30 and lists pull request #292 as the fix. The advisory narrative describes remote unauthenticated triggering, while the supplied CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H; that discrepancy is preserved rather than resolved.
Official resources
- CVE-2025-54811 CVE record (CVE.org)
- CVE-2025-54811 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA on 2025-09-30 in advisory ICSA-25-273-05. No KEV listing was provided in the supplied enrichment data.