PatchSiren cyber security CVE debrief
CVE-2025-13823 Rockwell Automation CVE debrief
A recoverable fault condition exists in the IPv6 stack of Rockwell Automation Micro850 and Micro870 programmable logic controllers. The vulnerability triggers when affected controllers receive multiple malformed IPv6 packets, as discovered during fuzzing activities. The fault is recoverable, indicating the controller can resume normal operation without permanent damage, but successful exploitation results in a high availability impact. The attack vector requires adjacent network access, with low attack complexity and no required privileges or user interaction.
- Vendor: Rockwell Automation
- Product: Micro820
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-18
- Original CVE updated: 2025-12-18
- Advisory published: 2025-12-18
- Advisory updated: 2025-12-18
Who should care
Organizations operating Rockwell Automation Micro820, Micro850, or Micro870 programmable logic controllers in industrial control system environments, particularly those with IPv6 enabled on network segments accessible to potential threat actors. Asset owners in critical infrastructure sectors including manufacturing, energy, water, and process industries should prioritize assessment and remediation.
Technical summary
The vulnerability exists in the IPv6 networking stack implementation of Rockwell Automation Micro850 and Micro870 controllers. When these controllers process multiple malformed IPv6 packets, a recoverable fault condition occurs. The issue was identified through fuzzing, a security testing technique that involves sending unexpected or malformed inputs to identify implementation weaknesses. The fault condition affects availability but is recoverable, meaning the controller can return to normal operation. The attack requires adjacent network access (AV:A), indicating the attacker must be on the same network segment as the target controller. No authentication, privileges, or user interaction are required to trigger the condition.
Defensive priority
medium
Recommended defensive actions
- Update Micro820 controllers from V14.011 and prior to newer Micro820 controllers (L20E V23.011 or later)
- Update Micro850/870 controllers to V12.013 or later
- Disable IPv6 functionality if not required for operations
- Follow Rockwell Automation security best practices if unable to upgrade
- Review Rockwell Automation advisory SD1766 for additional guidance
Evidence notes
CISA published advisory ICSA-25-352-07 on 2025-12-18 identifying this vulnerability in Rockwell Automation Micro820, Micro850, and Micro870 controllers. The source specifically notes the IPv6 stack issue was found during fuzzing with malformed packets causing recoverable faults. CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H confirms adjacent network attack vector with availability impact only.
Official resources
- CVE-2025-13823 CVE record (CVE.org)
- CVE-2025-13823 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-12-18