PatchSiren cyber security CVE debrief
CVE-2025-9466 Rockwell Automation CVE debrief
CVE-2025-9466 affects Rockwell Automation ArmorStart LT and can cause a denial-of-service condition. According to the CISA CSAF advisory published on 2026-01-29, execution of Achilles EtherNet/IP and CIP grammar tests may trigger an unexpected device reboot, taking the Link State Monitor down for several seconds. Rockwell Automation reported no patch or upgrade available at publication and recommended applying security best practices as a mitigation.
- Vendor
- Rockwell Automation
- Product
- ArmorStart LT 290D
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-29
- Original CVE updated
- 2026-01-29
- Advisory published
- 2026-01-29
- Advisory updated
- 2026-01-29
Who should care
OT/ICS operators, plant engineers, and security teams responsible for Rockwell Automation ArmorStart LT 290D, 291D, or 294D deployments should care most. Availability-focused defenders and anyone validating industrial Ethernet equipment with protocol test tools should treat this as a high-priority operational stability issue.
Technical summary
The advisory describes an availability-impacting fault in ArmorStart LT devices: during Achilles EtherNet/IP and CIP grammar testing, the device can reboot unexpectedly, which briefly drops the Link State Monitor. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting network-reachable, low-complexity conditions with high availability impact and no confidentiality or integrity impact stated in the source.
Defensive priority
High for environments that use the affected ArmorStart LT models, especially where uninterrupted industrial network connectivity is important. The issue is limited to denial of service, but the lack of a patch at publication and the potential for operational disruption justify prompt mitigation planning.
Recommended defensive actions
- Confirm whether any ArmorStart LT 290D, 291D, or 294D devices are in use in your environment.
- Review Rockwell Automation advisory SD1768 and the associated CISA advisory for mitigation guidance.
- Apply Rockwell Automation's recommended security best practices to reduce exposure while no patch or upgrade is available.
- Limit unnecessary network access to affected devices and reduce opportunities for unauthenticated testing or scanning.
- Validate operational monitoring so brief link-state interruptions are detected and handled safely.
- Track vendor updates for a future corrective release or additional mitigation guidance.
Evidence notes
The source corpus states that a security issue exists within ArmorStart LT that can result in a denial-of-service condition and that the device reboots unexpectedly during Achilles EtherNet/IP and CIP grammar tests. The CSAF advisory lists affected products as ArmorStart LT 290D, 291D, and 294D, and the remediation section states there is no patch or upgrade at the time of publication. The advisory was republished by CISA from Rockwell Automation advisory SD1768 on 2026-01-29.
Official resources
-
CVE-2025-9466 CVE record
CVE.org
-
CVE-2025-9466 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the CISA CSAF advisory on 2026-01-29, republishing Rockwell Automation advisory SD1768. No patch or upgrade was listed at publication; mitigation guidance was limited to security best practices.