PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-9283 Rockwell Automation CVE debrief

CVE-2025-9283 describes an availability issue in Rockwell Automation ArmorStart LT. Per the CISA-republished advisory, the device can reboot unexpectedly during Achilles EtherNet/IP Step Limits Storms tests, which causes the Link State Monitor to go down for several seconds. The advisory states that no patch or upgrade is available at the time of publication, and recommends applying security best practices to reduce risk.

Vendor: Rockwell Automation
Product: ArmorStart LT 290D
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-29
Original CVE updated: 2026-01-29
Advisory published: 2026-01-29
Advisory updated: 2026-01-29

Who should care

OT and ICS teams operating Rockwell Automation ArmorStart LT 290D, 291D, or 294D devices should care most, especially engineers responsible for uptime, network resilience, and incident response in industrial environments.

Technical summary

The published advisory ties CVE-2025-9283 to a denial-of-service condition affecting ArmorStart LT. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-reachable issue with no privileges or user interaction required and high availability impact. The advisory text specifically notes unexpected reboot behavior during Achilles EtherNet/IP Step Limits Storms tests, with the Link State Monitor going down for several seconds. The source corpus does not describe a code execution or data corruption impact, only service disruption.

Defensive priority

High for affected OT environments. Even though the issue is limited to availability, the combination of network exposure, no required privileges, and a documented reboot condition makes it worth prioritizing where ArmorStart LT devices are operationally critical.

Recommended defensive actions

  • Confirm whether any ArmorStart LT 290D, 291D, or 294D devices are deployed in your environment.
  • Review Rockwell Automation advisory SD1768 and the CISA-republished advisory ICSA-26-029-02 for current guidance.
  • Apply the vendor-recommended security best practices noted in the advisory while no patch or upgrade is available.
  • Treat the affected devices as availability-sensitive assets and plan for monitoring, failover, or operational workaround measures consistent with your site procedures.
  • Use the CISA industrial control systems recommended practices and defense-in-depth guidance referenced in the advisory to reduce exposure.
  • Monitor the Link State Monitor and related network health indicators for unexpected outages or reboot events in affected deployments.
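One way to act on the monitoring recommendation above, as an added example that is not part of the advisory or any Rockwell Automation tooling: it assumes a hypothetical poller that records, for each poll, whether the device answered and the uptime it reported. The record layout, the 2-second threshold and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Sample:              # one poll result (hypothetical record layout)
    ts: float              # poll time in seconds
    answered: bool         # device replied to this poll
    uptime: Optional[float] = None  # device-reported uptime in seconds

@dataclass
class Event:
    kind: str              # "outage" or "reboot"
    start: float
    end: float

def find_events(samples: List[Sample], min_outage: float = 2.0) -> List[Event]:
    """Flag reachability gaps of at least min_outage seconds and uptime resets."""
    ordered = sorted(samples, key=lambda s: s.ts)
    events: List[Event] = []
    last_ok: Optional[Sample] = None    # most recent poll that answered
    down_since: Optional[float] = None  # first missed poll of the current gap
    for s in ordered:
        if not s.answered or s.uptime is None:
            if down_since is None:
                down_since = s.ts
            continue
        if down_since is not None:
            if s.ts - down_since >= min_outage:
                events.append(Event("outage", down_since, s.ts))
            down_since = None
        # Uptime going backwards means a restart, even if no poll was missed.
        if last_ok is not None and s.uptime < last_ok.uptime:
            events.append(Event("reboot", last_ok.ts, s.ts))
        last_ok = s
    if down_since is not None:          # still unreachable at the end of the data
        events.append(Event("outage", down_since, ordered[-1].ts))
    return events

# Constructed samples at a 1 s poll interval, not captured from a real device.
SAMPLES = [
    Sample(0, True, 5000), Sample(1, True, 5001),
    Sample(2, False),                      # single missed poll, below threshold
    Sample(3, True, 5003), Sample(4, True, 5004),
    Sample(5, False), Sample(6, False), Sample(7, False),
    Sample(8, True, 1.0), Sample(9, True, 2.0),  # back up with uptime reset
]

if __name__ == "__main__":
    for e in find_events(SAMPLES):
        print(f"{e.kind}: {e.start:.0f}s -> {e.end:.0f}s")
```

Pairing the reachability gap with the uptime reset separates a device restart from a transient network drop, which a reachability check alone cannot do.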

Evidence notes

All substantive claims are drawn from the supplied CISA CSAF advisory record for ICSA-26-029-02 / CVE-2025-9283 and its referenced Rockwell Automation advisory SD1768. The source corpus states that ArmorStart LT can reboot unexpectedly during Achilles EtherNet/IP Step Limits Storms tests, causing the Link State Monitor to go down for several seconds, and that no patch or upgrade is available at the time of publication. The CVSS vector provided in the source corpus supports classifying the issue as a network-reachable denial of service with high availability impact.

Official resources

CISA republished Rockwell Automation advisory SD1768 as ICSA-26-029-02 on 2026-01-29, and the source corpus indicates no patch or upgrade was available at that time.