PatchSiren cyber security CVE debrief
CVE-2025-9281 Rockwell Automation CVE debrief
CVE-2025-9281 is a denial-of-service issue in Rockwell Automation ArmorStart LT. CISA’s 2026-01-29 advisory says the device can reboot unexpectedly during Achilles Comprehensive step limit storm tests, which causes the Link State Monitor to go down for several seconds. The advisory lists ArmorStart LT 290D, 291D, and 294D as affected and states that no patch or upgrade was available at publication, so operators should rely on Rockwell and CISA defensive guidance.
- Vendor
- Rockwell Automation
- Product
- ArmorStart LT 290D
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-29
- Original CVE updated
- 2026-01-29
- Advisory published
- 2026-01-29
- Advisory updated
- 2026-01-29
Who should care
Industrial control system owners, plant operators, maintenance teams, and security staff using ArmorStart LT 290D, 291D, or 294D should care most. Because the issue affects availability and can cause unexpected reboots, it is especially relevant in environments where short service interruptions can affect production or process continuity.
Technical summary
The source advisory describes an availability flaw in ArmorStart LT that can lead to a denial-of-service condition. The observed failure mode is an unexpected reboot during Achilles Comprehensive step limit storm testing, followed by the Link State Monitor being unavailable for several seconds. The advisory’s CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and the affected products are ArmorStart LT 290D, 291D, and 294D. CISA’s publication also notes there is no patch or upgrade available at that time.
Defensive priority
High for OT availability and reliability. The issue is publicly documented, rated CVSS 7.5 High, and affects core uptime behavior in an industrial device. Prioritize if these models are deployed in production or where brief outages could disrupt operations.
Recommended defensive actions
- Confirm whether ArmorStart LT 290D, 291D, or 294D is deployed anywhere in your environment.
- Review Rockwell Automation advisory SD1768 and follow the vendor’s mitigation guidance.
- Apply CISA and Rockwell ICS security best practices, including segmentation and minimizing unnecessary exposure.
- Monitor affected assets for unexpected reboots and Link State Monitor drops.
- Plan operational contingencies for brief availability interruptions, such as redundancy or maintenance procedures where appropriate.
- Track vendor advisories for any future patch or update availability.
Evidence notes
Based on CISA CSAF advisory ICSA-26-029-02 republishing Rockwell Automation advisory SD1768 on 2026-01-29. The source text states: “A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive step limit storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds.” The advisory lists affected products ArmorStart LT 290D, 291D, and 294D, and remediation text says there is no patch or upgrade at this time. The CVSS vector provided is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Official resources
-
CVE-2025-9281 CVE record
CVE.org
-
CVE-2025-9281 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed by CISA on 2026-01-29 in ICS Advisory ICSA-26-029-02, which republishes Rockwell Automation advisory SD1768. The advisory was current as of its publication date and states no patch or upgrade was available at that time.