PatchSiren cyber security CVE debrief
CVE-2016-9343 Rockwellautomation CVE debrief
A malformed Common Industrial Protocol (CIP) packet can trigger a stack-based buffer overflow in affected Rockwell Automation Logix5000 controller firmware families. The impact is severe: the issue may allow code execution on the controller or a nonrecoverable fault that results in denial of service. Because the vulnerability is network-reachable and requires no authentication, it warrants urgent attention in industrial environments.
- Vendor: Rockwellautomation
- Product: CVE-2016-9343
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-13
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-13
- Advisory updated: 2026-05-13
Who should care
OT and ICS operators using affected Rockwell Automation controller firmware, especially teams responsible for Logix5000-based control systems, safety-related automation, and plants where controller downtime or unauthorized code execution could disrupt operations.
Technical summary
NVD describes CVE-2016-9343 as a stack-based buffer overflow caused by sending a malformed CIP packet to affected Rockwell Automation Logix5000 Programmable Automation Controller firmware. The vulnerability is rated CVSS 3.1 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and mapped to CWE-787. The supplied CPE coverage shows multiple affected firmware lines across SoftLogix 5800, RSLogix Emulate 5000, GuardLogix 5570, FlexLogix L34, ControlLogix 55xx/5560/5570 and redundant variants, and CompactLogix 5370/1768/1769 families, with affected versions spanning FRN 16.00 through 21.00 depending on the product. The description explicitly notes that firmware versions prior to FRN 16.00 are not affected.
Defensive priority
Immediate
Recommended defensive actions
- Inventory Rockwell Automation Logix5000-related controllers and emulator systems to identify exact firmware versions and CPE matches.
- Treat exposed CIP services on affected devices as high risk and restrict network access to trusted engineering and control segments only.
- Prioritize validation of vendor guidance and ICS-CERT advisory ICSA-16-343-05 for mitigations or updates relevant to each product line.
- Where operationally feasible, reduce direct reachability to controllers by using segmentation, allowlists, and jump-host-based administration.
- Test and apply vendor-approved firmware updates or compensating controls in a maintenance window appropriate for critical ICS assets.
- Monitor for unexpected controller faults, resets, or configuration/code changes after any CIP traffic anomalies.
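The inventory step above can be scripted as a first-pass triage. The following is an added example, not code from Rockwell Automation or from any advisory; the asset names, sample rows and status labels are constructed, and treating every revision with a major number from 16 to 21 as in range is a conservative assumption, because this page does not give per-product bounds.

```python
import re

# Firmware families named on this page (matched case-insensitively as substrings).
FAMILIES = ("SoftLogix", "RSLogix Emulate", "GuardLogix", "FlexLogix",
            "ControlLogix", "CompactLogix")
# Page: affected versions span FRN 16.00 through 21.00 depending on product;
# firmware prior to FRN 16.00 is not affected.
LOW_MAJOR, HIGH_MAJOR = 16, 21
FRN_RE = re.compile(r"(\d{1,3})\.(\d{1,3})")

def parse_frn(text):
    """Return (major, minor) from strings like 'FRN 20.011' or 'v16.00', else None."""
    m = FRN_RE.search(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(product, firmware):
    """Classify one inventory row against the range stated on this page."""
    if not any(f.lower() in product.lower() for f in FAMILIES):
        return "out-of-scope"
    frn = parse_frn(firmware)
    if frn is None:
        return "unknown-version"        # cannot be ruled out: needs a manual check
    major = frn[0]
    if major < LOW_MAJOR:
        return "not-affected"           # page: prior to FRN 16.00 is not affected
    if major <= HIGH_MAJOR:
        # Assumption: any revision with major 16..21 is treated as in range;
        # exact per-product bounds must come from ICSA-16-343-05.
        return "review-per-advisory"
    return "above-listed-range"         # page is silent here: confirm with vendor

# Constructed sample inventory (asset names and versions are illustrative).
SAMPLE = [
    ("plc-line1", "ControlLogix 5570", "FRN 20.011"),
    ("plc-pack2", "CompactLogix 5370", "v21.00"),
    ("plc-old3", "FlexLogix L34", "15.05"),
    ("sim-eng4", "RSLogix Emulate 5000", ""),
    ("plc-new5", "GuardLogix 5570", "FRN 24.013"),
    ("hmi-6", "PanelView Plus", "9.00"),
]

def report(rows=SAMPLE):
    """Map each asset name to its triage status."""
    return {asset: triage(product, fw) for asset, product, fw in rows}

if __name__ == "__main__":
    for asset, status in report().items():
        print(f"{asset:10} {status}")
```

Rows marked review-per-advisory or unknown-version are the ones to check against the product-specific ranges in ICSA-16-343-05 before scheduling a maintenance window.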
Evidence notes
The vulnerability description states that malformed CIP packets can overflow a stack-based buffer and lead to code execution or a nonrecoverable fault/denial of service. NVD classifies the issue as CVSS 3.1 10.0 with network attack vector, no privileges, and no user interaction, and identifies CWE-787. The supplied reference set includes the official NVD detail page, the CVE record, and ICS-CERT advisory ICSA-16-343-05 plus a SecurityFocus BID reference. The affected scope in the supplied corpus is derived from NVD CPE entries and the description, which together indicate multiple Rockwell controller firmware families and versions FRN 16.00 through 21.00, while firmware prior to FRN 16.00 is explicitly not affected.
Official resources
- CVE-2016-9343 CVE record (CVE.org)
- CVE-2016-9343 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Third Party Advisory, US Government Resource
CVE-2016-9343 was published on 2017-02-13. The supplied corpus does not provide a separate discovery date; timing context should be tied to that CVE publication date and the referenced ICS-CERT advisory, not to any later record modification.