Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix and GuardLogix
Rockwell Automation controllers vulnerable to DoS via buffer overflow in multiple product lines.
Summary
CISA disclosed three critical denial-of-service vulnerabilities (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) affecting Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix, and GuardLogix controllers. These buffer overflow flaws allow remote attackers to load invalid projects or write malicious file data, causing devices to enter a major non-recoverable fault (MNRF). Patches are available for all affected versions.
Full text
ICS Advisory Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix and GuardLogix Release DateJuly 16, 2026 Alert CodeICSA-26-197-06 Related topics: Industrial Control Systems , Industrial Control System Vulnerabilities View CSAF Summary Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition. The following versions of Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix and GuardLogix are affected: CompactLogix 5370 <=V35.015 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) Compact GuardLogix 5370 <=V35.015 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) ControlLogix 5570 <=V35.015 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) GuardLogix 5570 <=V35.015 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) CompactLogix 5380 <=V34.012 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) CompactLogix 5380 <=V35.011 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) Compact GuardLogix 5380 <=V34.012 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) Compact GuardLogix 5380 <=V35.011 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) CompactLogix 5480 <=V34.012 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) CompactLogix 5480 <=V35.011 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) ControlLogix 5580 <=V34.012 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) ControlLogix 5580 <=V35.011 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) GuardLogix 5580 <=V34.012 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) GuardLogix 5580 <=V35.011 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) CompactLogix 5380 Recovery Image <=1.072 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) Compact GuardLogix 5380 Recovery Image <=1.072 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) CompactLogix 5480 Recovery Image <=1.072 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) ControlLogix 5580 Recovery Image <=1.072 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) GuardLogix 5580 Recovery Image <=1.072 (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) CVSS Vendor Equipment Vulnerabilities v3 8.6 Rockwell Automation Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix and GuardLogix Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Background Critical Infrastructure Sectors: Critical Manufacturing Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2025-12011 A denial-of-service issue exists in 5370/5570 controllers. This vulnerability could potentially allow a remote user to load an invalid project, causing the device to enter a major non-recoverable fault (MNRF). View CVE Details Affected Products Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix and GuardLogix Vendor:Rockwell Automation Product Version:Rockwell Automation CompactLogix 5370: <=V35.015, Rockwell Automation Compact GuardLogix 5370: <=V35.015, Rockwell Automation ControlLogix 5570: <=V35.015, Rockwell Automation GuardLogix 5570: <=V35.015, Rockwell Automation CompactLogix 5380: <=V34.012, Rockwell Automation CompactLogix 5380: <=V35.011, Rockwell Automation Compact GuardLogix 5380: <=V34.012, Rockwell Automation Compact GuardLogix 5380: <=V35.011, Rockwell Automation CompactLogix 5480: <=V34.012, Rockwell Automation CompactLogix 5480: <=V35.011, Rockwell Automation ControlLogix 5580: <=V34.012, Rockwell Automation ControlLogix 5580: <=V35.011, Rockwell Automation GuardLogix 5580: <=V34.012, Rockwell Automation GuardLogix 5580: <=V35.011, Rockwell Automation CompactLogix 5380 Recovery Image: <=1.072, Rockwell Automation Compact GuardLogix 5380 Recovery Image: <=1.072, Rockwell Automation CompactLogix 5480 Recovery Image: <=1.072, Rockwell Automation ControlLogix 5580 Recovery Image: <=1.072, Rockwell Automation GuardLogix 5580 Recovery Image: <=1.072 Product Status:known_affected Remediations Vendor fixRockwell Automation recommend updating to the following: CompactLogix 5370: Update to V35.016, V36.011 and later Vendor fixCompact GuardLogix 5370: Update to V35.016, V36.011 and later Vendor fixControlLogix 5570: Update to V35.016, V36.011 and later Vendor fixGuardLogix 5570: Update to V35.016, V36.011 and later Vendor fixCompactLogix 5380: Update to V34.014, V35.013, V36.011 and later Vendor fixCompact GuardLogix 5380: Update to V34.014, V35.013, V36.011 and later Vendor fixCompactLogix 5480: Update to V34.014, V35.013, V36.011 and later Vendor fixControlLogix 5580: Update to V34.014, V35.013, V36.011 and later Vendor fixGuardLogix 5580: Update to V34.014, V35.013, V36.011 and later Vendor fixCompactLogix 5380 Recovery Image: Update to boot firmware 1.072 or greater. If using V36.013, V37.011 or later, already has corrected boot firmware is installed Vendor fixCompact GuardLogix 5380 Recovery Image: Update to boot firmware 1.072 or greater. If using V36.013, V37.011 or later, already has corrected boot firmware is installed Vendor fixCompactLogix 5480 Recovery Image: Update to boot firmware 1.072 or greater. If using V36.013, V37.011 or later, already has corrected boot firmware is installed Vendor fixControlLogix 5580 Recovery Image: Update to boot firmware 1.072 or greater. If using V36.013, V37.011 or later, already has corrected boot firmware is installed Vendor fixGuardLogix 5580 Recovery Image: Update to boot firmware 1.072 or greater. If using V36.013, V37.011 or later, already has corrected boot firmware is installed Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 4.0 9.2 CRITICAL CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H CVE-2025-12012 A denial-of-service issue exists in 5380/5480/5580 controllers. This vulnerability could potentially allow a malicious user to write invalid file data to the controller, causing the device to enter a major nonrecoverable fault (MNRF). View CVE Details Affected Products Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix and GuardLogix Vendor:Rockwell Automation Product Version:Rockwell Automation CompactLogix 5370: <=V35.015, Rockwell Automation Compact GuardLogix 5370: <=V35.015, Rockwell Automation ControlLogix 5570: <=V35.015, Rockwell Automation GuardLogix 5570: <=V35.015, Rockwell Automation CompactLogix 5380: <=V34.012, Rockwell Automation CompactLogix 5380: <=V35.011, Rockwell Automation Compact GuardLogix 5380: <=V34.012, Rockwell Automation Compact GuardLogix 5380: <=V35.011, Rockwell Automation CompactLogix 5480: <=V34.012, Rockwell Automation CompactLogix 5480: <=V35.011, Rockwell Automation ControlLogix 5580: <=V34.012, Rockwell Automation ControlLogix 5580: <=V35.011, Rockwell Automation GuardLogix 5580: <=V34.012, Rockwell Automation GuardLogix 5580: <=V35.011, Rockwell Automation CompactLogix 5380 Recovery Image: <=1.072, Rockwell Automation Compact GuardLogix 5380 Recovery Image: <=1.072, Rockwell Automation CompactLogix 5480 Recovery Image: <=1.072, Rockwell Automation ControlLogix 5580 Recovery Image: <=1.072, Rockwell Automation GuardLogix 5580 Recovery Image: <=1.072 Product Status:known_affected Remediations Vendor fixRockwell Automation recommend updating to the following: CompactLogix 5370: Update to V35.016, V36.011 and later Vendor fixCompact GuardLogix 5370: Update to V35.016, V36.011 and later Vendor fixControlLogix 5570: Update to V35.016, V36.011 and later Vendor fixGuardLogix 5570: Update to V35.016, V36.011 and later Vendor fixCompactLogix 5380: Update to V34.014, V35.013, V36.011 and later Vendor fixCompact GuardLogix 5380: Update to V34.014, V35.013, V36.011 and later Vendor fixCompactLogix 5480: Update to V34.014, V35.013, V36.011 and later Vendor fixControlLogix 5580: Update to V34.014, V35.013, V36.011 and later Vendor fixGuardLogix 5580: Update to V34.014, V35.013, V36.011 and later Vendor fixCompactLogix 5380 Recovery Image: Update to boot firmware 1.072 o
Indicators of Compromise
- cve — CVE-2025-12011
- cve — CVE-2025-12012
- cve — CVE-2025-11698