PatchSiren cyber security CVE debrief
CVE-2025-13824 Rockwell Automation CVE debrief
A vulnerability in Rockwell Automation Micro800 series programmable logic controllers (PLCs) allows remote attackers to cause a denial-of-service condition by sending malformed Common Industrial Protocol (CIP) packets to affected devices. The vulnerability was identified during fuzzing activities and results in the controller entering a hard fault state with a solid red Fault LED, rendering the device unresponsive until power-cycled. After power cycling, the controller enters a recoverable fault state. The CVSS 3.1 score of 7.5 reflects a network attack vector with low attack complexity, no required privileges or user interaction, and high availability impact. The vulnerability affects Micro820 controllers running firmware V14.011 and prior, as well as Micro850 and Micro870 controllers. Rockwell Automation has issued corrective updates and security best practice guidance for affected deployments.
- Vendor: Rockwell Automation
- Product: Micro820
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-18
- Original CVE updated: 2025-12-18
- Advisory published: 2025-12-18
- Advisory updated: 2025-12-18
Who should care
Industrial control system operators, OT security teams, and manufacturing engineers using Rockwell Automation Micro800 series PLCs in production environments. Organizations with remote access to PLC programming interfaces or exposed EtherNet/IP networks face elevated risk. Asset owners in critical infrastructure sectors (energy, water, manufacturing) where Micro800 controllers are deployed for process control should prioritize assessment and remediation. System integrators and maintenance providers supporting Rockwell Automation installations should review client deployments for affected firmware versions.
Technical summary
The vulnerability stems from improper input validation when processing malformed CIP packets. CIP is the core protocol used in EtherNet/IP industrial networks for device configuration, control, and data exchange. The Micro800 series controllers fail to handle certain malformed packet structures gracefully, resulting in an unhandled exception that triggers a hard fault. The hard fault state is indicated by a solid red Fault LED and requires physical intervention (power cycle) to recover. Post-recovery, the controller enters a recoverable fault state that can be cleared through normal operational procedures. The attack vector is network-accessible, requiring no authentication, making exposed controllers particularly vulnerable. This vulnerability class is consistent with historical ICS protocol fuzzing findings where malformed protocol data units cause unexpected state transitions in embedded control devices.
Defensive priority
HIGH
Recommended defensive actions
- Update Micro820 controllers to L20E V23.011 or later (hardware replacement required for affected Micro820 units)
- Update Micro850 and Micro870 controllers to firmware V12.013 or later
- Apply Rockwell Automation security best practices for industrial control systems if immediate patching is not feasible
- Implement network segmentation to limit CIP traffic exposure to authorized engineering workstations and control system networks
- Monitor for unexpected controller fault states and unresponsive behavior in Micro800 series deployments
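The firmware thresholds in the actions above can be applied to an asset inventory to decide which controllers need attention first. The following Python script is an added example, not code from the original page, Rockwell Automation or CISA; the CSV columns, asset names and status labels are hypothetical, and treating Micro850/Micro870 firmware below V12.013 as affected is an assumption based on the fixed version listed above.

```python
import csv
import io
import re

# Thresholds taken from the debrief text above.
MICRO820_LAST_AFFECTED = (14, 11)  # "V14.011 and prior"
MICRO850_870_FIXED = (12, 13)      # "V12.013 or later"

# Constructed sample inventory (hypothetical assets and column names).
SAMPLE_INVENTORY = """asset,model,firmware
press-line-1,Micro820,V14.011
press-line-2,Micro820,V12.011
pump-skid-a,Micro850,V12.011
pump-skid-b,Micro870,12.013
mixer-3,Micro850,unknown
packer-9,OtherPLC,V1.002
"""

def parse_version(text):
    """Return (major, minor) for 'V14.011' or '14.011'; None if unparseable."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(model, firmware):
    """Map one controller to a triage status using the thresholds above."""
    model = model.strip().lower()
    if model not in ("micro820", "micro850", "micro870"):
        return "out-of-scope"
    version = parse_version(firmware)
    if version is None:
        # Missing or free-text versions must be checked on the device itself.
        return "unknown-verify-on-device"
    if model == "micro820":
        if version <= MICRO820_LAST_AFFECTED:
            return "affected-replace-hardware"  # move to L20E V23.011 or later
        return "not-listed-affected"
    # Assumption: Micro850/870 below the fixed release are treated as affected.
    if version < MICRO850_870_FIXED:
        return "affected-update-firmware"
    return "at-or-above-fixed"

def triage(csv_text):
    """Return {asset: status} for every row of an inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["asset"]: classify(r["model"], r["firmware"]) for r in rows}

if __name__ == "__main__":
    for asset, status in triage(SAMPLE_INVENTORY).items():
        print(f"{asset:14} {status}")
```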
Evidence notes
The vulnerability was disclosed via CISA ICS advisory ICSA-25-352-07 on 2025-12-18. The advisory was published by CISA as coordinator. Affected products were confirmed through the CSAF product tree: Micro820 (V14.011 and prior), Micro850, Micro870. Remediation guidance includes firmware updates and security best practices from the vendor.
Official resources
- CVE-2025-13824 CVE record (CVE.org)
- CVE-2025-13824 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-12-18