PatchSiren cyber security CVE debrief
CVE-2025-14027 Rockwell Automation CVE debrief
CVE-2025-14027 covers multiple denial-of-service weaknesses in Rockwell Automation ControlLogix Redundancy Enhanced Modules 1756-RM2 and 1756-RM2XT firmware. According to the CISA CSAF advisory, crafted inputs such as malformed Class 3 messages, memory leak conditions, and other resource-exhaustion scenarios can cause the device to become unresponsive and, in some cases, trigger a major nonrecoverable fault. Recovery may require a restart. Rockwell’s stated mitigation is to upgrade from 1756-RM2 to 1756-RM3; if that is not possible, apply security best practices and defense-in-depth controls.
- Vendor: Rockwell Automation
- Product: ControlLogix Redundancy Enhanced Module Catalog 1756-RM2 Firmware
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-29
- Original CVE updated: 2026-01-29
- Advisory published: 2026-01-29
- Advisory updated: 2026-01-29
Who should care
Industrial control system operators, OT network defenders, plant engineers, system integrators, and asset owners using Rockwell ControlLogix 1756-RM2 or 1756-RM2XT redundancy modules should prioritize this advisory because it affects availability and may disrupt controller redundancy or recovery workflows.
Technical summary
The advisory describes availability-only impact in firmware for ControlLogix redundancy enhanced modules. The issues are reachable through crafted network inputs, including malformed Class 3 messages and resource-exhaustion conditions, and can lead to unresponsiveness or a major nonrecoverable fault. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, matching a network-reachable, unauthenticated denial-of-service condition with high availability impact.
Defensive priority
High for affected OT environments. Even though the issue is limited to availability, the affected modules sit in control-system infrastructure where loss of responsiveness or a fault can disrupt operations and recovery may require a restart.
Recommended defensive actions
- Upgrade from 1756-RM2 to 1756-RM3 as recommended by Rockwell Automation.
- If upgrading is not immediately possible, apply Rockwell and CISA industrial control system security best practices and defense-in-depth measures.
- Limit exposure of affected modules to only necessary, trusted OT network paths and authorized maintenance traffic.
- Review monitoring and incident response procedures for signs of module unresponsiveness, resource exhaustion, or fault conditions.
- Validate recovery procedures, spare-part availability, and restart planning for affected environments.
- Track Rockwell advisory SD1769 and the CISA advisory for any updated remediation guidance.
Evidence notes
The source corpus is a CISA CSAF advisory republishing Rockwell Automation advisory SD1769 on 2026-01-29. The corpus explicitly states the affected products, the denial-of-service mechanism classes, the likely operational outcome, and the primary mitigation path. It also includes official Rockwell remediation URLs and CISA guidance links for ICS recommended practices and defense in depth. The supplied enrichment marks this issue as not listed in CISA KEV.
Official resources
- CVE-2025-14027 CVE record (CVE.org)
- CVE-2025-14027 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory on 2026-01-29 and republished Rockwell Automation advisory SD1769 as ICSA-26-029-03. The supplied enrichment does not mark this CVE as a CISA Known Exploited Vulnerability. No exploit code or weaponized guidance