PatchSiren cyber security CVE debrief
CVE-2025-9465 Rockwell Automation CVE debrief
CVE-2025-9465 is a high-severity availability issue affecting Rockwell Automation ArmorStart LT products. CISA’s republication of Rockwell Automation advisory SD1768 states that, during execution of Achilles Comprehensive grammar tests, the device can reboot unexpectedly and cause the Link State Monitor to go down for several seconds. Rockwell’s guidance at the time was mitigation-focused: there was no patch or upgrade available, and users were advised to apply security best practices.
- Vendor
- Rockwell Automation
- Product
- ArmorStart LT 290D
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-29
- Original CVE updated
- 2026-01-29
- Advisory published
- 2026-01-29
- Advisory updated
- 2026-01-29
Who should care
Operators and engineers responsible for Rockwell Automation ArmorStart LT 290D, 291D, and 294D deployments should treat this as an operational-availability concern. OT security teams, plant reliability staff, and incident responders should also review the advisory because the impact is a device reboot and temporary loss of Link State Monitor visibility.
Technical summary
The advisory describes a denial-of-service condition in ArmorStart LT that can be triggered in the context of Achilles Comprehensive grammar testing. The observed effect is an unexpected device reboot, with the Link State Monitor down for several seconds. The published CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network-reachable impact with high availability loss and no confidentiality or integrity impact stated in the source corpus.
Defensive priority
High for industrial environments where even brief device reboots or monitoring interruption can affect process visibility or availability. Priority is driven by the operational impact and the absence of a patch or upgrade in the advisory, not by any confirmed exploitation campaign in the supplied sources.
Recommended defensive actions
- Inventory affected ArmorStart LT models: 290D, 291D, and 294D.
- Review Rockwell Automation advisory SD1768 for the vendor’s current mitigation guidance.
- Apply the vendor-recommended security best practices because no patch or upgrade was available at advisory time.
- Reduce unnecessary exposure and follow ICS defense-in-depth guidance for network segmentation and access control.
- Monitor for unexpected reboots and for Link State Monitor outages in affected environments.
- Use the CISA ICS recommended practices and Rockwell support guidance to validate compensating controls.
Evidence notes
All material claims are taken from the supplied CISA CSAF source item and the referenced Rockwell/CISA advisory metadata. The source explicitly states that the issue can cause a denial-of-service condition, that the device may reboot unexpectedly during Achilles Comprehensive grammar tests, and that the Link State Monitor can go down for several seconds. The advisory metadata also states there was no patch or upgrade available at the time and recommends applying security best practices.
Official resources
-
CVE-2025-9465 CVE record
CVE.org
-
CVE-2025-9465 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA republished Rockwell Automation advisory SD1768 as ICSA-26-029-02 on 2026-01-29, assigning CVE-2025-9465. The supplied source corpus does not indicate confirmed exploitation, exploit code, or ransomware use.