PatchSiren cyber security CVE debrief
CVE-2025-24478 Rockwell Automation CVE debrief
CVE-2025-24478 is a denial-of-service vulnerability in Rockwell Automation GuardLogix 5380 and 5580 controllers. According to CISA’s advisory, a remote, non-privileged user can send malicious requests that trigger a major nonrecoverable fault, taking the affected controller out of service. Rockwell and CISA recommend updating to the fixed versions and applying OT access controls where possible.
- Vendor: Rockwell Automation
- Product: GuardLogix 5580 (SIL 3 with the safety partner 3)
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-02-04
- Original CVE updated: 2025-02-18
- Advisory published: 2025-02-04
- Advisory updated: 2025-02-18
Who should care
OT/ICS security teams, plant operators, system integrators, and maintenance staff responsible for Rockwell Automation GuardLogix 5380 or 5580 SIL 3 controllers. This matters most in environments where controller availability is safety- or production-critical.
Technical summary
CISA’s CSAF advisory ICSA-25-035-02 describes a DoS condition affecting eight product/version combinations across GuardLogix 5580 (SIL 3 with the safety partner 3) and Compact GuardLogix 5380 SIL 3. The issue can be reached by a remote, non-privileged actor sending malicious requests, resulting in a major nonrecoverable fault and loss of availability. Affected versions are listed as below V33.017, V34.014, V35.013, or V36.011, depending on the product line. The advisory was initially published on 2025-02-04 and updated on 2025-02-18 (Update A) to revise the title, product list, and versions.
Defensive priority
Medium by CVSS (6.5), but higher operational priority in production OT environments because the affected controllers can fault and stop service. Treat as a prompt remediation item for any site using the listed versions.
Recommended defensive actions
- Upgrade to the fixed versions listed in the advisory: V33.017, V34.014, V35.013, or V36.011, or later as applicable to the installed product.
- Restrict access to the task object using CIP Security and Hard Run, as recommended by the advisory.
- Apply Rockwell Automation’s published security best practices and CISA ICS recommended practices to reduce exposure while patching is planned.
- Use environment-specific prioritization methods such as CISA SSVC to rank affected systems and schedule remediation in a controlled maintenance window.
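A firmware inventory triage for the upgrade step above, as an added example (not code from Rockwell Automation, CISA or this page). It assumes each fixed version applies to the matching major release on both controller families; the inventory rows and the function names are constructed for illustration.

```python
import re

# Fixed versions named in the advisory summary. Keying them by major release
# is an ASSUMPTION of this example; confirm against ICSA-25-035-02.
FIXED_MINOR = {33: 17, 34: 14, 35: 13, 36: 11}
FAMILIES = ("5380", "5580")  # controller families named on the page

def parse_version(text):
    """Return (major, minor) from 'V33.017' or '34.14' style strings, else None."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\s*", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(model, firmware):
    """Classify one inventory row: out-of-scope, affected, fixed or review."""
    # Matches on family name only; SIL level is rarely in an asset inventory,
    # so this is deliberately over-inclusive for GuardLogix 5380/5580 rows.
    if "GuardLogix" not in model or not any(f in model for f in FAMILIES):
        return "out-of-scope"
    version = parse_version(firmware)
    if version is None:
        return "review"  # unreadable version string: check the device by hand
    major, minor = version
    if major not in FIXED_MINOR:
        return "review"  # release not covered by the listed fixed versions
    return "fixed" if minor >= FIXED_MINOR[major] else "affected"

def triage_inventory(rows):
    """Map asset name -> status for every in-scope row."""
    result = {}
    for name, model, firmware in rows:
        status = triage(model, firmware)
        if status != "out-of-scope":
            result[name] = status
    return result

# Constructed sample inventory (asset name, model, firmware revision).
INVENTORY = [
    ("plc-line1", "GuardLogix 5580", "V33.015"),
    ("plc-line2", "Compact GuardLogix 5380", "V36.011"),
    ("plc-pack1", "GuardLogix 5580", "V32.012"),
    ("plc-pack2", "Compact GuardLogix 5380", "35.011"),
    ("plc-util1", "ControlLogix 5580", "V33.011"),
    ("plc-util2", "GuardLogix 5580", "unknown"),
]

if __name__ == "__main__":
    for asset, status in triage_inventory(INVENTORY).items():
        print(f"{asset}: {status}")
```

Rows marked review need a manual check against the advisory's product table before scheduling a maintenance window.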
Evidence notes
Primary evidence comes from CISA’s CSAF advisory ICSA-25-035-02 (published 2025-02-04, Update A on 2025-02-18), which names the affected Rockwell Automation GuardLogix 5380 and 5580 products, lists the fixed versions, and describes the remote non-privileged DoS condition. The CVE record is also linked in the official references. No exploit details beyond the advisory description are included.
Official resources
- CVE-2025-24478 CVE record (CVE.org)
- CVE-2025-24478 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA on 2025-02-04. CISA issued Update A on 2025-02-18 to update the title, product list, and versions.