PatchSiren cyber security CVE debrief
CVE-2025-9282 Rockwell Automation CVE debrief
CVE-2025-9282 affects Rockwell Automation ArmorStart LT devices and is described as a denial-of-service issue. In the CISA republished advisory, the device can reboot unexpectedly during Achilles Comprehensive limited storm tests, causing the Link State Monitor to go down for several seconds. Rockwell Automation reported no patch or upgrade at the time of the advisory and recommended applying ICS security best practices as mitigation.
- Vendor: Rockwell Automation
- Product: ArmorStart LT 290D
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-29
- Original CVE updated: 2026-01-29
- Advisory published: 2026-01-29
- Advisory updated: 2026-01-29
Who should care
Industrial control system operators, plant engineers, and asset owners using Rockwell Automation ArmorStart LT 290D, 291D, or 294D should care most, especially where brief device reboots or link-state interruptions could affect availability or process continuity.
Technical summary
The advisory describes an availability impact in ArmorStart LT: under the stated test condition, the device may reboot unexpectedly and the Link State Monitor may be unavailable for several seconds. The published CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which reflects a network-reachable, low-complexity condition that requires no privileges or user interaction and affects availability only.
Defensive priority
High for OT environments that rely on continuous availability. Even a short reboot or link-state interruption can disrupt control visibility, monitoring, or dependent automation workflows. Because the source says no patch or upgrade was available, compensating controls and operational monitoring are the immediate priority.
Recommended defensive actions
- Review Rockwell Automation advisory SD1768 and the CISA CSAF advisory for affected model coverage and mitigation notes.
- Apply Rockwell Automation's recommended security best practices and ICS defensive measures where feasible.
- Monitor affected ArmorStart LT devices for unexpected reboots, link-state drops, or repeated availability anomalies.
- Validate operational impact and recovery procedures for short-lived device outages in connected control environments.
- Track vendor and CISA updates for a future patch or additional mitigation guidance.
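One way to implement the monitoring action above, added here as an example and not taken from Rockwell Automation, CISA, or the advisory: it flags reboots when a device's uptime goes backwards and reports link-drop windows from poll records. The poller, its record layout, the function names, and the device names are assumptions, and the samples are constructed.

```python
from collections import defaultdict

# Constructed samples from a hypothetical poller (not vendor tooling):
# (poll_epoch_s, device, uptime_s or None if the poll failed, link_up)
SAMPLES = [
    (1000, "armorstart-01", 86400, True),
    (1030, "armorstart-01", 86430, True),
    (1060, "armorstart-01", None, False),  # link down, no reply
    (1090, "armorstart-01", 12, True),     # uptime restarted
    (1150, "armorstart-01", 5, True),      # restarted again between polls
    (1000, "armorstart-02", 5000, True),
    (1030, "armorstart-02", 5030, True),
    (1060, "armorstart-02", None, False),  # link drop without a reboot
    (1090, "armorstart-02", 5090, True),
]

def find_anomalies(samples):
    """Return (kind, device, start_s, end_s) events; kind is 'reboot' or 'link_drop'."""
    by_device = defaultdict(list)
    for ts, dev, uptime, link_up in samples:
        by_device[dev].append((ts, uptime, link_up))
    events = []
    for dev in sorted(by_device):
        last_uptime, down_since = None, None
        for ts, uptime, link_up in sorted(by_device[dev], key=lambda s: s[0]):
            if not link_up or uptime is None:
                down_since = ts if down_since is None else down_since
                continue
            if down_since is not None:
                # Outage is bounded by the first failed poll and the next good one.
                events.append(("link_drop", dev, down_since, ts))
                down_since = None
            if last_uptime is not None and uptime < last_uptime:
                # Uptime went backwards: the device restarted at about ts - uptime.
                events.append(("reboot", dev, ts - uptime, ts))
            last_uptime = uptime
    return events

def repeat_offenders(events, window_s=3600, threshold=2):
    """Devices with at least `threshold` reboots inside any `window_s` span."""
    boots = defaultdict(list)
    for kind, dev, start, _ in events:
        if kind == "reboot":
            boots[dev].append(start)
    return {dev for dev, t in boots.items()
            if any(b - a <= window_s for a, b in zip(sorted(t), sorted(t)[threshold - 1:]))}
```

Because the advisory describes an outage of only several seconds, the uptime comparison matters: it catches a restart that completes between two polls, when no link-down sample is ever recorded.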
Evidence notes
This debrief is based on the CISA CSAF advisory republishing Rockwell Automation advisory SD1768, the supplied CVE record metadata, and the cited official references. The source text explicitly states the denial-of-service condition, the unexpected reboot behavior during Achilles Comprehensive limited storm tests, the temporary Link State Monitor outage, and the lack of a patch or upgrade at publication time. No exploit method or attacker workflow is described in the supplied corpus, so none is inferred here.
Official resources
- CVE-2025-9282 CVE record (CVE.org)
- CVE-2025-9282 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CVE-2025-9282 was published by CISA on 2026-01-29 and republished from Rockwell Automation advisory SD1768. The supplied advisory states that no patch or upgrade was available at publication time.