PatchSiren cyber security CVE debrief
CVE-2025-9278 Rockwell Automation CVE debrief
CVE-2025-9278 is a denial-of-service issue in Rockwell Automation ArmorStart LT. According to the advisory text, running a Burp Suite active scan can cause the device to lose ICMP connectivity, which then makes the web application inaccessible. CISA republished the vendor advisory on 2026-01-29 as ICSA-26-029-02.
- Vendor: Rockwell Automation
- Product: ArmorStart LT 290D
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-29
- Original CVE updated: 2026-01-29
- Advisory published: 2026-01-29
- Advisory updated: 2026-01-29
Who should care
OT/ICS asset owners, control-system engineers, plant operators, and defenders responsible for Rockwell Automation ArmorStart LT 290D, 291D, and 294D devices should pay attention, especially if the devices are reachable from trusted or shared networks used for administration or testing.
Technical summary
The advisory describes an availability-only impact: the device can enter a denial-of-service condition after an active web scan, with ICMP connectivity lost and the web interface becoming inaccessible. The supplied CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting network reachability and high availability impact without confidentiality or integrity impact. CISA lists affected products as ArmorStart LT 290D, 291D, and 294D. Remediation guidance states there is no patch or upgrade available at this time; Rockwell Automation instead recommends applying security best practices.
Defensive priority
High for environments that rely on these devices for operations or remote management. Because the issue can make the web application inaccessible and disrupt device reachability, operators should treat it as an operational availability risk and avoid routine active scanning against production units.
Recommended defensive actions
- Avoid running aggressive active scanners against production ArmorStart LT devices until validated in a lab or maintenance window.
- Limit network exposure to the device management interface and keep access restricted to trusted administrative networks.
- Apply Rockwell Automation's recommended security best practices and the broader CISA ICS recommended practices to reduce operational risk.
- Monitor affected devices for loss of ICMP reachability or web-interface availability after maintenance, scanning, or troubleshooting activity.
- Follow vendor advisory SD1768 and watch for any future patch or upgrade guidance.
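One way to implement the monitoring action above, as an added example that is not part of the advisory or of any Rockwell Automation or CISA tooling: it flags sustained loss of ICMP or web reachability in probe records and ties each outage to logged scan or maintenance activity. The device names, probe records, change log, two-probe threshold and 30-minute lookback are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed probe results: (time, device, icmp_ok, http_ok). Names are hypothetical.
PROBES = [
    ("2026-02-03T09:00", "armorstart-01", True, True),
    ("2026-02-03T09:05", "armorstart-01", True, True),
    ("2026-02-03T09:10", "armorstart-01", False, False),
    ("2026-02-03T09:15", "armorstart-01", False, False),
    ("2026-02-03T09:00", "armorstart-02", True, True),
    ("2026-02-03T09:05", "armorstart-02", False, True),  # one missed ping, recovers
    ("2026-02-03T09:10", "armorstart-02", True, True),
]
# Constructed change log: (device, start, end, label).
ACTIVITY = [
    ("armorstart-01", "2026-02-03T09:02", "2026-02-03T09:12", "active web scan"),
]

def _t(stamp):
    return datetime.fromisoformat(stamp)

def find_outages(probes, min_consecutive=2):
    """Map device -> time of first failed probe, for devices whose ICMP or web
    check failed on at least min_consecutive probes in a row."""
    runs, found = {}, {}
    for stamp, dev, icmp_ok, http_ok in sorted(probes):
        if icmp_ok and http_ok:
            runs.pop(dev, None)          # healthy probe resets the run
            continue
        start, count = runs.get(dev, (stamp, 0))
        runs[dev] = (start, count + 1)
        if count + 1 >= min_consecutive:
            found.setdefault(dev, _t(start))
    return found

def correlate(probes, activity, lookback=timedelta(minutes=30)):
    """List (device, outage start, activity labels) where the activity was
    running, or had ended within lookback, when the outage began."""
    report = []
    for dev, began in sorted(find_outages(probes).items()):
        labels = [label for d, start, end, label in activity
                  if d == dev and _t(start) <= began <= _t(end) + lookback]
        report.append((dev, began.isoformat(timespec="minutes"), labels))
    return report

if __name__ == "__main__":
    for row in correlate(PROBES, ACTIVITY):
        print(row)
```

An outage returned with an empty label list had no logged activity near it and should be investigated separately.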
Evidence notes
All statements are drawn from the supplied CISA CSAF source item and its listed remediations and references. The advisory description explicitly says that a Burp Suite active scan can cause the device to lose ICMP connectivity and make the web application inaccessible. The source also lists affected products as ArmorStart LT 290D, 291D, and 294D, and states that no patch or upgrade is available at this time. Timing context uses the supplied CVE published/modified date of 2026-01-29T07:00:00.000Z; no earlier disclosure date was provided in the corpus.
Official resources
- CVE-2025-9278 CVE record (CVE.org)
- CVE-2025-9278 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed via the CISA CSAF republishing of Rockwell Automation advisory SD1768 on 2026-01-29 (ICSA-26-029-02).