PatchSiren cyber security CVE debrief
CVE-2025-9464 Rockwell Automation CVE debrief
CVE-2025-9464 is a denial-of-service issue affecting Rockwell Automation ArmorStart LT. According to the CISA advisory, fuzzing multiple CIP classes can make the CIP port unresponsive. The advisory was published on 2026-01-29 and states that no patch or upgrade was available at that time; Rockwell advised applying security best practices to reduce risk.
- Vendor
- Rockwell Automation
- Product
- ArmorStart LT 290D
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-29
- Original CVE updated
- 2026-01-29
- Advisory published
- 2026-01-29
- Advisory updated
- 2026-01-29
Who should care
Industrial control system owners, plant operators, OT network defenders, and maintenance teams responsible for Rockwell Automation ArmorStart LT 290D, 291D, or 294D devices should prioritize this advisory, especially where CIP traffic is present and availability is critical.
Technical summary
The affected ArmorStart LT devices can be driven into a denial-of-service condition when multiple CIP classes are fuzzed, resulting in an unresponsive CIP port. The published CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates a network-exploitable availability impact with no confidentiality or integrity impact reported. CISA’s republication of Rockwell Automation advisory SD1768 notes no patch or upgrade was available at publication time and points users to security best practices for mitigation.
Defensive priority
High for OT environments because the issue can interrupt availability in an industrial control component and no vendor patch was available in the advisory at publication.
Recommended defensive actions
- Review whether ArmorStart LT 290D, 291D, or 294D devices are deployed in your environment.
- Apply Rockwell Automation’s recommended security best practices and mitigation guidance from advisory SD1768.
- Restrict and monitor CIP network traffic, especially where segmentation or access control can reduce exposure.
- Confirm that OT monitoring can detect abnormal CIP behavior or device unresponsiveness.
- Track the vendor advisory for any future patch, firmware, or additional mitigation updates.
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-26-029-02, which republishes Rockwell Automation advisory SD1768. The source lists ArmorStart LT 290D, 291D, and 294D as affected products. The advisory states that fuzzing multiple CIP classes can cause the CIP port to become unresponsive, producing a denial-of-service condition. It also states there was no patch or upgrade available at the time of publication and recommends security best practices as mitigation.
Official resources
-
CVE-2025-9464 CVE record
CVE.org
-
CVE-2025-9464 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the advisory on the CVE publication date, 2026-01-29. At publication, the vendor reported no patch or upgrade and recommended security best practices as mitigation.