PatchSiren cyber security CVE debrief
CVE-2025-9279 Rockwell Automation CVE debrief
CVE-2025-9279 is a denial-of-service issue affecting Rockwell Automation ArmorStart LT products. In the CISA-republished advisory, the device can reboot unexpectedly during Achilles EtherNet/IP Step Limit Storm testing, which drops the Link State Monitor for several seconds. CISA’s source material lists no patch or upgrade at the time of publication and recommends applying security best practices as a mitigation.
- Vendor: Rockwell Automation
- Product: ArmorStart LT 290D
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-29
- Original CVE updated: 2026-01-29
- Advisory published: 2026-01-29
- Advisory updated: 2026-01-29
Who should care
Industrial control system operators, plant engineers, OT security teams, and asset owners using ArmorStart LT 290D, 291D, or 294D should review this issue, especially where an unexpected reboot could affect availability or monitoring.
Technical summary
The advisory describes an availability impact in ArmorStart LT: during Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly and the Link State Monitor goes down for several seconds. The supplied CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which aligns with a network-reachable, low-complexity denial-of-service condition with no confidentiality or integrity impact stated. The source corpus does not provide a patch or upgrade, only mitigation guidance based on security best practices.
Defensive priority
High for affected OT environments because the issue can interrupt device availability and monitoring, and no patch or upgrade was listed in the advisory at publication. Even though the impact is limited to denial of service, availability loss in industrial settings can be operationally significant.
Recommended defensive actions
- Identify whether any ArmorStart LT 290D, 291D, or 294D units are deployed in your environment.
- Review Rockwell Automation’s advisory SD1768 and CISA’s republished advisory for the product scope and mitigation guidance.
- Apply vendor-recommended security best practices to reduce exposure while no patch or upgrade is available.
- Assess whether temporary reboot or monitoring interruptions would affect process safety, uptime, or maintenance response.
- Monitor affected assets for unexpected resets or link-state drops and ensure operational procedures account for short availability interruptions.
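One way to implement the monitoring action above, as an added example that is not taken from the advisory or from Rockwell Automation. It assumes an existing poller already records, per device, the poll time and the device-reported uptime (or no reply); `Sample`, `find_events` and `slack` are hypothetical names. A reboot that lasts only a few seconds can fall between two polls, so the check compares uptime against elapsed time rather than relying on missed polls alone.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Sample:
    t: float                  # poll time, seconds
    uptime: Optional[float]   # device-reported uptime in seconds; None = poll got no reply

Event = Tuple[str, float, Optional[float]]

def find_events(samples: List[Sample], slack: float = 2.0) -> List[Event]:
    """Return ("outage", first_missed_poll, next_good_poll) for runs of missed
    polls and ("reboot", estimated_boot_time, detected_at) when uptime went backwards."""
    events: List[Event] = []
    last_good: Optional[Sample] = None
    gap_start: Optional[float] = None
    for s in samples:
        if s.uptime is None:
            if gap_start is None:
                gap_start = s.t
            continue
        if gap_start is not None:
            events.append(("outage", gap_start, s.t))
            gap_start = None
        if last_good is not None:
            # Uptime should have grown by the time elapsed since the last good poll.
            expected = last_good.uptime + (s.t - last_good.t)
            if s.uptime + slack < expected:
                events.append(("reboot", s.t - s.uptime, s.t))
        last_good = s
    if gap_start is not None:
        events.append(("outage", gap_start, None))  # still unreachable at end of data
    return events

# Constructed samples, 10-second poll interval (not real device data).
QUIET_REBOOT = [Sample(0, 86400), Sample(10, 86410), Sample(20, 4), Sample(30, 14)]
MISSED_POLL_REBOOT = [Sample(0, 500), Sample(10, None), Sample(20, 3)]
NETWORK_BLIP = [Sample(0, 500), Sample(10, None), Sample(20, 520)]

if __name__ == "__main__":
    for name, data in [("quiet reboot", QUIET_REBOOT),
                       ("missed poll + reboot", MISSED_POLL_REBOOT),
                       ("network blip", NETWORK_BLIP)]:
        print(name, find_events(data))
```

An "outage" with no matching "reboot" points at the network path rather than the device, which helps separate this issue from ordinary link faults.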
Evidence notes
All statements are based on the supplied CSAF advisory metadata and listed references. The advisory text explicitly states that ArmorStart LT can result in a denial-of-service condition and that the device reboots unexpectedly during Achilles EtherNet/IP Step Limit Storm tests, causing the Link State Monitor to go down for several seconds. The source remediation notes state that there is no patch or upgrade at the time of publication and recommend applying security best practices. No exploitation-in-the-wild or additional impact claims are included because they are not present in the provided corpus.
Official resources
- CVE-2025-9279 CVE record (CVE.org)
- CVE-2025-9279 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA republished Rockwell Automation advisory SD1768 as ICSA-26-029-02 on 2026-01-29, the same date recorded for the CVE publication and modification in the supplied timeline.