PatchSiren cyber security CVE debrief
CVE-2025-11743 Rockwell Automation CVE debrief
Rockwell Automation CompactLogix 5370 has a denial-of-service vulnerability that can be triggered by a malformed CIP forward open message. According to the CISA advisory, the condition can cause a major nonrecoverable fault and require a restart to recover. Rockwell provides fixed versions for affected branches, and CISA also points readers to Rockwell security guidance for systems that cannot be upgraded immediately.
- Vendor: Rockwell Automation
- Product: CompactLogix 5370
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-22
- Original CVE updated: 2026-01-22
- Advisory published: 2026-01-22
- Advisory updated: 2026-01-22
Who should care
OT and ICS operators using CompactLogix 5370 controllers, plant engineers, control-system administrators, and security teams responsible for Rockwell Automation environments should review this advisory, especially where controller availability is critical.
Technical summary
The advisory describes an availability-impacting flaw in the CompactLogix 5370 product line. A malformed CIP forward open message can lead to a major nonrecoverable fault, resulting in denial of service until the device is restarted. The supplied CVSS vector is AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which aligns with a medium-severity availability-only issue. Rockwell lists fixed versions as 34.016, 35.015, 36.012, and 37.011 and later, depending on the product branch.
Defensive priority
Medium severity, high operational priority for OT environments because the issue can force a restart and interrupt controller availability.
Recommended defensive actions
- Identify whether any CompactLogix 5370 deployments are running versions earlier than the applicable fixed release for their branch.
- Upgrade to the Rockwell Automation fixed versions listed in the advisory: 34.016, 35.015, 36.012, or 37.011 and later, as applicable.
- If upgrading is not immediately possible, follow Rockwell Automation's security best practices referenced in the advisory.
- Review network exposure and limit access to industrial control protocols to trusted, necessary systems only.
- Validate backup, recovery, and restart procedures so affected controllers can be restored quickly if a fault occurs.
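One way to carry out the first action above is to triage an asset inventory against the fixed versions listed on this page. This is an added example, not Rockwell or CISA tooling; it assumes the branch is the major revision number, that revisions newer than branch 37 count as "37.011 and later", and it uses a constructed inventory with hypothetical asset names.

```python
import csv
import io

# Fixed firmware revisions per branch, as listed on this page.
FIXED = {34: (34, 16), 35: (35, 15), 36: (36, 12), 37: (37, 11)}

# Constructed sample inventory (hypothetical asset names and revisions).
SAMPLE_INVENTORY = """asset,firmware
line1-plc,34.011
line2-plc,35.015
packaging-plc,33.020
mixer-plc,37.010
hvac-plc,unknown
"""

def parse_revision(text):
    """Parse a 'major.minor' revision string, e.g. '35.014' -> (35, 14)."""
    major, sep, minor = text.strip().partition(".")
    if not sep or not major.isdigit() or not minor.isdigit():
        raise ValueError(f"unparseable revision: {text!r}")
    return int(major), int(minor)

def classify(revision):
    """Return 'fixed', 'vulnerable', 'review' or 'unknown' for one revision."""
    try:
        major, minor = parse_revision(revision)
    except ValueError:
        return "unknown"          # missing or malformed inventory data
    if major in FIXED:
        return "fixed" if (major, minor) >= FIXED[major] else "vulnerable"
    if major > max(FIXED):
        return "fixed"            # assumption: covered by "37.011 and later"
    return "review"               # older branch: no fixed release listed here

def triage(csv_text):
    """Map each asset in a CSV inventory (asset,firmware) to its status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["asset"]: classify(row["firmware"]) for row in rows}

if __name__ == "__main__":
    for asset, status in triage(SAMPLE_INVENTORY).items():
        print(f"{asset:15s} {status}")
```

Assets reported as "review" or "unknown" need a manual check against the advisory, since this page lists no fixed release for branches earlier than 34.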
Evidence notes
CISA's CSAF advisory for ICSA-26-022-03 states that the affected product is vulnerable to a denial-of-service issue when a malformed CIP forward open message is sent, and that this can cause a major nonrecoverable fault requiring restart. The supplied CVSS vector is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H with a score of 6.5. The remediation section lists fixed versions 34.016, 35.015, 36.012, and 37.011 and later, plus a fallback recommendation to use Rockwell security best practices if upgrade is not possible.
Official resources
- CVE-2025-11743 CVE record (CVE.org)
- CVE-2025-11743 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory on 2026-01-22 and the source corpus describes it as an initial republication of Rockwell Automation SD1770.