PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-8626 Rockwell Automation CVE debrief

A memory leak vulnerability in Rockwell Automation Logix controllers enables unauthenticated remote denial-of-service. Attackers can trigger full device unavailability requiring physical power cycling by performing repeated actions on specific product webpages. The vulnerability affects six product lines across CompactLogix, GuardLogix, ControlLogix, and 1756-EN4TR communication modules. CISA published advisory ICSA-24-284-18 on 2024-10-10 with coordinated vendor fixes.

Vendor: Rockwell Automation
Product: CompactLogix 5380
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-10-10
Original CVE updated: 2024-10-10
Advisory published: 2024-10-10
Advisory updated: 2024-10-10

Who should care

OT security teams, plant engineers, and asset owners operating Rockwell Automation Logix controllers in manufacturing, critical infrastructure, and process control environments. Organizations with remote or unmanned facilities face elevated operational risk due to the physical recovery requirement.

Technical summary

The vulnerability stems from a memory leak in the web server component of affected Logix controllers. Repeated HTTP requests to specific webpages consume memory that is never deallocated, eventually exhausting system resources and causing complete device failure. Recovery requires a physical power cycle because the device becomes unresponsive to network and local management commands. The attack vector is the network and no authentication is required. The scope change (S:C) in the CVSS vector indicates that the impact extends beyond the vulnerable component to the host controller.

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor firmware updates: CompactLogix 5380/GuardLogix 5380/CompactLogix 5480/ControlLogix 5580/GuardLogix 5580 to v33.015+ or v34.011+; 1756-EN4TR to v4.001+
  • If patching is not immediately feasible, implement network segmentation to restrict access to controller web interfaces
  • Monitor for anomalous traffic patterns targeting controller management webpages
  • Review and apply Rockwell Automation security best practices guidance
  • Plan for operational continuity given recovery requires physical power cycling of affected devices
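To support the patching action above, the following added example (not code from Rockwell Automation, CISA, or this page's author) triages an asset inventory against the fixed firmware releases listed here. The inventory entries and the function names are constructed for illustration. As assumptions, "+" is read as "that release or any later one", and firmware in a release train the page does not mention is marked "review" rather than guessed at.

```python
import re

# Fixed firmware releases per product as listed on this page: (major, minor).
LOGIX_FIXED = [(33, 15), (34, 11)]
FIXED = {
    "CompactLogix 5380": LOGIX_FIXED,
    "GuardLogix 5380": LOGIX_FIXED,
    "CompactLogix 5480": LOGIX_FIXED,
    "ControlLogix 5580": LOGIX_FIXED,
    "GuardLogix 5580": LOGIX_FIXED,
    "1756-EN4TR": [(4, 1)],
}

def parse_version(text):
    """Turn '33.014' or 'v33.014' into (33, 14); None if malformed."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)", text.strip(), re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(product, firmware):
    """Return 'fixed', 'update' or 'review' for one device."""
    trains = FIXED.get(product)
    version = parse_version(firmware)
    if trains is None or version is None:
        return "review"              # unknown product or unparseable version
    if version >= max(trains):
        return "fixed"               # assumption: '+' covers later releases
    for major, minor in trains:
        if version[0] == major:      # same release train as a listed fix
            return "fixed" if version[1] >= minor else "update"
    return "review"                  # train not covered by the page

# Constructed sample inventory: (asset name, product, firmware).
INVENTORY = [
    ("line1-plc", "CompactLogix 5380", "33.014"),
    ("line2-plc", "ControlLogix 5580", "34.011"),
    ("safety-1", "GuardLogix 5580", "34.005"),
    ("enet-a", "1756-EN4TR", "4.001"),
    ("legacy-plc", "CompactLogix 5480", "32.012"),
]

def report(inventory):
    """Triage every device; returns a list of (asset, status)."""
    return [(name, triage(prod, fw)) for name, prod, fw in inventory]

if __name__ == "__main__":
    for name, status in report(INVENTORY):
        print(f"{name:12} {status}")
```

Devices reported as "review" should be checked against advisory ICSA-24-284-18 directly, since this page gives no status for their firmware.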

Evidence notes

CISA CSAF advisory ICSA-24-284-18 published 2024-10-10 confirms memory leak root cause, webpage-based attack vector, and power-cycle recovery requirement. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H (8.6) reflects network attack surface with availability impact. Six distinct product IDs affected with version-specific remediation paths.
