These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2025-13036 is a critical authentication bypass vulnerability in FactoryTalk Historian Site Edition. An attacker can exploit this vulnerability by continually sending requests to the login endpoint, potentially obtaining a valid authentication token. The vulnerability has a CVSS score of 9.2 and is considered critical.
A sensitive information disclosure security issue exists within the affected CompactLogix controllers. The controller's web server exposes CIP Connection IDs on the diagnostics webpage, which are accessible to any unauthenticated user on the network. This information can be leveraged by an attacker to construct malicious packets, leading to Denial-of-Service.
A denial of service security issue exists in the affected product. The security issue stems from a fault occurring when a crafted CIP message is sent. Devices with less memory are more likely to be affected. This can result in a major nonrecoverable fault (MNRF). A program download is required to recover.
CVE-2026-0647 is an improper authentication security issue within the 1794-AENTR adapter's embedded web server. The vulnerability allows an unauthenticated attacker to change the device's web interface password by sending a crafted HTTP GET request to a specific endpoint, without any prior authentication being required. If exploited, this could lead to unauthorized access, account takeover, and loss of th [truncated]
CVE-2026-0646 is a HIGH-severity denial-of-service vulnerability in the 1794-AENTR adapter. The issue arises from improper memory handling of CIP protocol requests, which can cause the adapter to fault and lose connection to its associated I/O modules. A manual reset is required to recover from this vulnerability. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 8.7.
CVE-2025-14272 is a HIGH-severity vulnerability (CVSS Score: 8.3) affecting an unknown vendor's product, potentially allowing unauthorized actors to execute privileged operations. The issue was published on 2026-06-16T15:16:33.000Z and last modified on 2026-06-16T15:26:04.250Z.
CVE-2025-11694 is a HIGH severity vulnerability with a CVSS score of 8.7. The vulnerability exists within 1769 CompactLogix controllers due to the missing validation of sequence numbers and source IP addresses in the CIP protocol. This allows an attacker to abuse the exposed Connection ID's visible on the web interface to perform denial-of-service attacks, resulting in a minor fault.
CVE-2025-9466 affects Rockwell Automation ArmorStart LT and can cause a denial-of-service condition. According to the CISA CSAF advisory published on 2026-01-29, execution of Achilles EtherNet/IP and CIP grammar tests may trigger an unexpected device reboot, taking the Link State Monitor down for several seconds. Rockwell Automation reported no patch or upgrade available at publication and recommended app [truncated]
CVE-2025-9465 is a high-severity availability issue affecting Rockwell Automation ArmorStart LT products. CISA’s republication of Rockwell Automation advisory SD1768 states that, during execution of Achilles Comprehensive grammar tests, the device can reboot unexpectedly and cause the Link State Monitor to go down for several seconds. Rockwell’s guidance at the time was mitigation-focused: there was no pa [truncated]
CVE-2025-9464 is a denial-of-service issue affecting Rockwell Automation ArmorStart LT. According to the CISA advisory, fuzzing multiple CIP classes can make the CIP port unresponsive. The advisory was published on 2026-01-29 and states that no patch or upgrade was available at that time; Rockwell advised applying security best practices to reduce risk.
CVE-2025-9283 describes an availability issue in Rockwell Automation ArmorStart LT. Per the CISA-republished advisory, the device can reboot unexpectedly during Achilles EtherNet/IP Step Limits Storms tests, which causes the Link State Monitor to go down for several seconds. The advisory states that no patch or upgrade is available at the time of publication, and recommends applying security best practice [truncated]
CVE-2025-9282 affects Rockwell Automation ArmorStart LT devices and is described as a denial-of-service issue. In the CISA republished advisory, the device can reboot unexpectedly during Achilles Comprehensive limited storm tests, causing the Link State Monitor to go down for several seconds. Rockwell Automation reported no patch or upgrade at the time of the advisory and recommended applying ICS security [truncated]
CVE-2025-9281 is a denial-of-service issue in Rockwell Automation ArmorStart LT. CISA’s 2026-01-29 advisory says the device can reboot unexpectedly during Achilles Comprehensive step limit storm tests, which causes the Link State Monitor to go down for several seconds. The advisory lists ArmorStart LT 290D, 291D, and 294D as affected and states that no patch or upgrade was available at publication, so ope [truncated]
CVE-2025-9280 describes a denial-of-service condition in Rockwell Automation ArmorStart LT. According to the advisory summary, fuzzing with Defensics can make the device unresponsive and require a reboot. Rockwell states that no patch or upgrade is available at this time and recommends compensating security best practices.
CVE-2025-9279 is a denial-of-service issue affecting Rockwell Automation ArmorStart LT products. In the CISA-republished advisory, the device can reboot unexpectedly during Achilles EtherNet/IP Step Limit Storm testing, which drops the Link State Monitor for several seconds. CISA’s source material lists no patch or upgrade at the time of publication and recommends applying security best practices as a mitigation.
CVE-2025-9278 is a denial-of-service issue in Rockwell Automation ArmorStart LT. According to the advisory text, running a Burp Suite active scan can cause the device to lose ICMP connectivity, which then makes the web application inaccessible. CISA republished the vendor advisory on 2026-01-29 as ICSA-26-029-02.
CVE-2025-14027 covers multiple denial-of-service weaknesses in Rockwell Automation ControlLogix Redundancy Enhanced Modules 1756-RM2 and 1756-RM2XT firmware. According to the CISA CSAF advisory, crafted inputs such as malformed Class 3 messages, memory leak conditions, and other resource-exhaustion scenarios can cause the device to become unresponsive and, in some cases, trigger a major nonrecoverable fau [truncated]
Rockwell Automation CompactLogix 5370 has a denial-of-service vulnerability that can be triggered by a malformed CIP forward open message. According to the CISA advisory, the condition can cause a major nonrecoverable fault and require a restart to recover. Rockwell provides fixed versions for affected branches, and CISA also points readers to Rockwell security guidance for systems that cannot be upgraded [truncated]
CVE-2025-14377 is a high-severity information exposure issue in Rockwell Automation Verve Asset Manager’s legacy Ansible playbook component. According to the CISA republication of the vendor advisory, sensitive information could be incorrectly stored in unencrypted form during playbook execution. Rockwell Automation states the issue was resolved in version 1.42, and that the legacy component became option [truncated]
CVE-2025-14376 was publicly disclosed on 2026-01-20 in CISA's republished advisory for Rockwell Automation Verve Asset Manager. The issue affects the legacy ADI server component, where unencrypted sensitive data was stored in environment variables. Rockwell Automation states the issue was resolved in version 1.42, and that the component became optional beginning with version 1.36 in 2024, which means expo [truncated]
Rockwell Automation’s 432ES-IG3 Series A is affected by a denial-of-service vulnerability in the GuardLink EtherNet/IP Interface. According to the CISA-republished advisory, the condition can disrupt availability and requires a manual power cycle to restore the device. Rockwell’s documented fix is to update to V2.001.9 or later.
CVE-2025-12807 is a high-severity issue in Rockwell Automation FactoryTalk DataMosaix Private Cloud. CISA’s advisory says low-privilege users can perform sensitive database operations through exposed API endpoints. The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) scores 8.8, so this should be treated as a serious exposure in environments running the affected product. The advisory’s revis [truncated]
A vulnerability in Rockwell Automation Micro800 series programmable logic controllers (PLCs) allows remote attackers to cause a denial-of-service condition by sending malformed Common Industrial Protocol (CIP) packets to affected devices. The vulnerability was identified during fuzzing activities and results in the controller entering a hard fault state with a solid red Fault LED, rendering the device unr [truncated]
A recoverable fault condition exists in the IPv6 stack of Rockwell Automation Micro850 and Micro870 programmable logic controllers. The vulnerability triggers when affected controllers receive multiple malformed IPv6 packets, as discovered during fuzzing activities. The fault is recoverable, indicating the controller can resume normal operation without permanent damage, but successful exploitation results [truncated]
CVE-2025-9177 is a denial-of-service issue in Rockwell Automation’s 1715 EtherNet/IP Comms Module. According to the CISA CSAF advisory, a high volume of requests can crash the module’s web server. The advisory states that I/O control and communication are not impacted, but the webpage is unavailable until the device is power-cycled.
CVE-2025-41236 is a critical integer-overflow vulnerability in VMware’s VMXNET3 virtual network adapter. CISA’s Rockwell Automation advisory maps the issue to multiple Rockwell Automation VMware-based product families and directs customers to Broadcom’s remediation guidance. The stated impact is code execution on the host.
CVE-2018-1285 is a critical XXE issue mapped by CISA to Rockwell Automation FactoryTalk Historian ThingWorx product 95057C-FTHTWXCT11. The advisory states that Apache log4net versions before 2.0.10 do not disable XML external entities when parsing configuration files, which can expose applications that accept attacker-controlled log4net configuration files to high-impact data exposure and manipulation risks.
CVE-2025-3618 is a high-severity denial-of-service vulnerability in Rockwell Automation ThinManager. According to CISA’s advisory, the software does not adequately verify the outcome of memory allocation while processing Type 18 messages, which can let an attacker cause a denial of service on the target software. Rockwell Automation states the issue is fixed in multiple ThinManager releases, including 11. [truncated]
CVE-2025-3289 is a high-severity local code execution vulnerability in Rockwell Automation Arena. According to CISA’s advisory, improper validation of user-supplied data can trigger a stack-based memory buffer overflow. If a legitimate user opens a malicious DOE file, an attacker could disclose information and execute arbitrary code on the system. CISA published the advisory on 2025-04-10 and later revise [truncated]
CVE-2025-3288 is a high-severity local code execution vulnerability in Rockwell Automation Arena. CISA’s advisory says the flaw stems from improper validation of user-supplied data, which can lead to reading outside the allocated memory buffer. If a legitimate user opens a malicious DOE file on an affected system, an attacker may be able to disclose information and execute arbitrary code.
CVE-2025-3287 is a high-severity local code execution vulnerability in Rockwell Automation Arena. According to the CISA advisory, a legitimate user must open a malicious DOE file, and improper validation of user-supplied data can lead to reading outside the allocated memory buffer. The reported impact includes information disclosure and arbitrary code execution on the system. Rockwell Automation advises u [truncated]
CVE-2025-3286 is a high-severity local code execution issue in Rockwell Automation Arena. CISA’s advisory says the flaw stems from improper validation of user-supplied data and an out-of-bounds memory read, and that exploitation can disclose information and execute arbitrary code if a legitimate user opens a malicious DOE file. Rockwell Automation’s mitigation is to upgrade to V16.20.09 or later.
CVE-2025-3285 affects Rockwell Automation Arena and is rated CVSS 7.8 (High). CISA’s advisory describes a local code execution flaw caused by improper validation of user-supplied data, allowing a read outside the allocated memory buffer. In practical terms, a legitimate user must open a malicious DOE file for the issue to be triggered, and successful exploitation could disclose information and execute arb [truncated]
CVE-2025-2829 is a high-severity flaw in Rockwell Automation Arena that can let an attacker disclose information and execute arbitrary code on a system. According to CISA’s advisory, the issue affects Arena version 16.20.08 and earlier, and exploitation requires a legitimate user to open a malicious DOE file. Rockwell Automation recommends upgrading to V16.20.09 or later.
CVE-2025-2293 is a high-severity local code execution vulnerability in Rockwell Automation Arena. According to the CISA CSAF advisory, a legitimate user opening a malicious DOE file can trigger a write outside the allocated memory buffer, which may allow information disclosure and arbitrary code execution. Rockwell Automation states that Arena versions up to 16.20.08 are affected and recommends upgrading [truncated]
CVE-2025-2288 is a high-severity local code execution issue in Rockwell Automation Arena. According to the CISA CSAF advisory, the flaw is caused by improper validation of user-supplied data that allows a write outside the allocated memory buffer. If exploited, it can disclose information and execute arbitrary code on the affected system. The advisory was initially published on 2025-04-10 and later revise [truncated]
CVE-2025-2287 is a high-severity local code execution vulnerability in Rockwell Automation Arena affecting version 16.20.08 and earlier. CISA’s advisory says the flaw stems from an uninitialized pointer and improper validation of user-supplied data. If a legitimate user opens a malicious DOE file, an attacker may be able to disclose information and execute arbitrary code on the system. The safest response [truncated]
CVE-2025-2286 is a high-severity local code execution vulnerability in Rockwell Automation Arena. CISA’s advisory says the issue stems from an uninitialized pointer and improper validation of user-supplied data; exploitation requires a legitimate user to open a malicious DOE file. Rockwell Automation recommends upgrading to V16.20.09 or later.
CVE-2025-2285 is a high-severity local code execution issue in Rockwell Automation Arena. According to CISA’s advisory, the flaw stems from improper validation of user-supplied data and an uninitialized pointer. If a legitimate user opens a malicious DOE file, an attacker may be able to disclose information and execute arbitrary code on the system. Rockwell Automation recommends upgrading to Arena V16.20.09 or later.
CVE-2025-23120 is a critical remote code execution vulnerability in Veeam Backup and Replication that affects Rockwell Automation Industrial Data Center (IDC) with Veeam and VersaVirtual Appliance (VVA) with Veeam. CISA’s CSAF advisory says exploitation can allow a threat actor to execute code on the target system. Rockwell lists affected IDC generations 1 through 5 and VVA series A through C, and directs [truncated]
CVE-2025-1449 is a critical vulnerability in Rockwell Automation Verve Asset Manager affecting versions up to 1.39. In the Legacy Active Directory Interface (ADI) administrative web interface, an inadequately sanitized variable can be modified by an authenticated administrative user, creating a path to arbitrary command execution in the container running the service. Rockwell Automation reports the issue [truncated]
Rockwell Automation PowerFlex 755 is affected by a credential-exposure issue in which HTTP is used and credentials can be sent in clear text. In an OT environment, that creates a straightforward confidentiality risk for anyone able to observe traffic on the network path.
CVE-2025-24478 is a denial-of-service vulnerability in Rockwell Automation GuardLogix 5380 and 5580 controllers. According to CISA’s advisory, a remote, non-privileged user can send malicious requests that trigger a major nonrecoverable fault, taking the affected controller out of service. Rockwell and CISA recommend updating to the fixed versions and applying OT access controls where possible.
CVE-2025-0498 is a high-severity data exposure issue in Rockwell Automation FactoryTalk AssetCentre. In versions prior to V15.00.001, FactoryTalk Security user tokens were stored insecurely, which could allow a threat actor to steal a token and impersonate another user. CISA published the advisory on 2025-01-30 under ICSA-25-030-05.
CVE-2025-0497 is a high-severity data exposure issue in Rockwell Automation FactoryTalk AssetCentre. According to CISA’s advisory, versions prior to V15.00.001 can store credentials in the configuration files used by EventLogAttachmentExtractor, ArchiveExtractor, LogCleanUp, or ArchiveLogCleanUp packages. The issue was publicly disclosed on 2025-01-30.
CVE-2025-0477 affects Rockwell Automation FactoryTalk AssetCentre versions prior to V15.00.001. CISA’s advisory says the issue is a weak encryption methodology that could allow a threat actor to extract passwords belonging to other users of the application. The published CVSS 3.1 score is 9.8 (Critical), so this should be treated as a high-priority remediation item for any environment running affected releases.
Rockwell Automation KEPServerEX versions 6.0 through 6.14.263 are affected by a denial-of-service weakness in OPC UA message decoding. According to the CISA advisory, the software does not check whether an object is recursively defined, so a specially crafted message can drive the decoder into repeated processing until the stack overflows and the device crashes. The issue is rated HIGH and is addressed by [truncated]
CVE-2025-24482 is a high-severity local code injection issue in Rockwell Automation FactoryTalk View Site Edition affecting all versions prior to 15.0. CISA says incorrect default permissions can allow DLLs to be executed with higher-level permissions. Rockwell’s guidance is to upgrade to V15.0 or apply the patch and use compensating controls such as restricting physical access and limiting access to Port 8091.
CVE-2025-24481 affects Rockwell Automation FactoryTalk View Site Edition versions prior to 15.0. According to the CISA CSAF advisory, the issue stems from incorrect permissions assigned to the remote debugger port, which can allow unauthenticated access to system configuration. Rockwell’s published mitigations center on upgrading to V15.0 or applying the vendor patch, and restricting access to Port 8091.
CVE-2025-24480 is a critical remote code execution vulnerability affecting Rockwell Automation FactoryTalk View ME versions prior to 15.0. According to the CISA CSAF advisory, the issue stems from insufficient input sanitation and could allow a remote attacker to run commands or code as a highly privileged user. Rockwell Automation and CISA list version 15.0 or vendor-provided patches as the primary remed [truncated]