A critical flaw in Rockwell Automation’s ControlLogix 5580 programmable logic controllers can be exploited over the network to trigger a ‘major nonrecoverable fault,’ effectively bricking the device until an operator physically restores it, the U.S. Cybersecurity and Infrastructure Security Agency warned in a newly republished advisory on September 9, 2025.
The vulnerability, tracked as CVE-2025-9166 and rated 8.2 on the CVSS v4 scale, stems from a NULL pointer dereference (CWE-476) in firmware version 35.013. An unauthenticated attacker on the network can send crafted packets that force the controller into a persistent fault state, demanding a manual restart and user program reload — a scenario that could halt production lines or critical processes in seconds.
Rockwell Automation reported the bug to CISA and has issued a corrective firmware update, version 35.014 or later, which fully resolves the issue. The advisory’s republished format underscores the urgency: with low attack complexity and remote exploitability, any ControlLogix 5580 installation on 35.013 exposed even to internal corporate networks should be considered at immediate risk.
A Basic Coding Error with Catastrophic Consequences
A NULL pointer dereference occurs when software uses a pointer that holds no valid address (NULL, typically because it was never initialized or a lookup failed) as if it referenced a real object. In the tightly constrained real-time operating systems of industrial controllers, such a fault inside a network protocol handler can be fatal. CISA’s advisory explains that the controller repeatedly tries to forward messages, encounters the null reference, and spirals into an unrecoverable fault.
The result is a major nonrecoverable fault (MNRF), which is distinct from a minor fault that the controller can often clear itself. An MNRF requires a power cycle and typically a full download of the user program from the engineering workstation — a process that demands an engineer’s presence, physical or remote access to the controller, and a maintenance window. In continuous-process industries, such downtime can cost tens of thousands of dollars per minute and, in some cases, introduce safety risks if fail-safes are not properly sequenced.
“Successful exploitation of this vulnerability could result in a major nonrecoverable fault on the controller,” the CISA advisory states bluntly. While the flaw does not permit code execution or data exfiltration, its pure availability impact is often the most feared outcome in operational technology (OT) environments.
Affected Products and the Fix
Only one specific product and firmware combination is confirmed vulnerable:
- Product: ControlLogix 5580
- Affected firmware: Version 35.013
- Mitigation: Update to version 35.014 or later
Rockwell Automation’s own security advisory (referenced by CISA but not publicly numbered in the alert) mirrors this guidance. Users must download the correct firmware from Rockwell’s Product Compatibility and Download Center, selecting the build that matches their controller’s catalog number and chassis configuration. Installing the wrong firmware can brick the device or create unforeseen regressions, so cautious operators test updates on non-production hardware first.
Attack Surface and Exploitability
CISA classifies the vulnerability as exploitable remotely with low attack complexity. The CVSS v3 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and the v4 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) both highlight that no privileges, user interaction, or special conditions are needed — just network access to the controller’s EtherNet/IP port.
In practice, the risk is modulated by network architecture. ControlLogix 5580s sitting behind correctly configured industrial firewalls, with no direct internet exposure and with CIP Security enabled, are significantly harder to attack. However, misconfigurations remain common: one 2023 survey by a leading OT security vendor found that one in four industrial controllers were accidentally reachable from corporate IT networks. If an attacker can reach TCP/UDP port 44818 (EtherNet/IP), they can likely trigger the fault.
As of the advisory’s publication, no known public exploitation or weaponized exploit code has been reported to CISA. But history cautions against complacency. Null pointer dereference bugs in network stacks have been easily triggered by fuzzing tools, and converting a crash into a denial-of-service exploit is trivial once the vulnerability is understood. The gap between advisory and active exploitation can be weeks — or hours.
Mitigations: Patching, Hardening, and Detecting
Rockwell’s primary recommendation is to upgrade firmware to 35.014 or later. For sites that cannot patch immediately, CISA outlines a layered defense strategy that should be in place regardless:
- Network Isolation: Remove all control system devices from direct internet access. Place controllers behind industrial firewalls that deny by default and allow only necessary industrial protocols from trusted management stations. Restrict CIP traffic to known IP addresses.
- Secure Remote Access: If remote access is unavoidable, terminate VPN connections on a hardened jump host and enforce multi-factor authentication. Never expose the controller directly.
- Enable CIP Security: ControlLogix 5580 supports CIP Security, which provides device authentication and message integrity. Enabling it prevents unauthorized devices from injecting malformed messages — a direct countermeasure to the NULL pointer dereference.
- Detection and Monitoring: OT security teams should create alerts for repeated controller fault conditions, unexpected program reloads, or spikes in malformed CIP packets. Network monitoring tools that understand EtherNet/IP can spot exploitation attempts even without vendor-specific signatures.
Beyond technical controls, operators must update incident response runbooks. The recovery procedure for an MNRF should be documented, tested, and understood by both OT engineers and safety personnel. A rushed recovery could inadvertently restart a process without proper permissives, causing physical damage or injury.
Rockwell’s Recent Security Journey
This is not the first high-severity availability bug in the Logix family. Over the past two years, Rockwell has issued multiple advisories addressing denial-of-service conditions triggered by malformed CIP, PTP, or other protocol packets. The pattern points to a legacy codebase that predates modern secure-coding practices, though Rockwell has been praised for its transparent disclosure and timely patches.
CISA’s republished advisory also reflects a growing government focus on securing critical infrastructure. The advisory explicitly lists Critical Manufacturing as an affected sector and notes that ControlLogix is deployed worldwide. For U.S. operators, the Department of Homeland Security recommends reporting incidents to CISA to aid correlation and community defense.
What Should System Owners Do Now?
Given the ease of exploitation and the severe impact on availability, system owners should treat this advisory as an emergency:
- Within 24 hours: Inventory all ControlLogix 5580 controllers, note their firmware versions, and audit network exposure. Apply emergency firewall rules if any are reachable from unauthorized subnets.
- Within one week: Plan a maintenance window to test and deploy firmware 35.014 on a non-critical system. Validate that the controller returns to operation without regression.
- Ongoing: Deploy CIP Security, segment OT networks thoroughly, and integrate controller health metrics into your SIEM.
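An added example (not Rockwell's or CISA's tooling) that applies the 24-hour inventory and exposure audit above to a constructed CSV: it flags ControlLogix 5580 units on 35.013 and any controller whose EtherNet/IP port (44818) is reachable from outside the OT zone. The column layout, the trusted OT range and the semicolon-separated allowed-source notation are assumptions.

```python
# Added example, not vendor or CISA code. Inventory layout, the trusted OT
# range and the allowed-source notation are all constructed assumptions.
import csv
import io
import ipaddress

# Constructed sample inventory: one controller per row, plus the source
# networks the firewall permits to reach its EtherNet/IP port (TCP/UDP 44818).
INVENTORY_CSV = """\
name,product,firmware,allowed_sources
LINE3-PLC,ControlLogix 5580,35.013,10.20.1.0/24;192.168.50.0/24
LINE7-PLC,ControlLogix 5580,35.014,10.20.1.0/24
LINE9-PLC,ControlLogix 5580,36.011,10.20.1.0/24;0.0.0.0/0
PACK-PLC,CompactLogix 5380,35.013,10.20.1.0/24
"""

# Assumed: only this range is the OT engineering/management zone.
TRUSTED_OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def is_vulnerable(product, firmware):
    """Only ControlLogix 5580 on 35.013 is listed as affected; 35.014+ is fixed.
    Firmware strings are compared as (major, minor) tuples, e.g. '35.013' -> (35, 13)."""
    rev = tuple(int(part) for part in firmware.split("."))
    return product == "ControlLogix 5580" and rev == (35, 13)

def exposed_sources(allowed):
    """Return allowed source networks that are not inside the trusted OT ranges."""
    bad = []
    for cidr in filter(None, allowed.split(";")):
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.subnet_of(trusted) for trusted in TRUSTED_OT_NETS):
            bad.append(cidr)
    return bad

def triage(csv_text):
    """Return [(name, action, exposed_sources)] with an action per controller."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vuln = is_vulnerable(row["product"], row["firmware"])
        exposure = exposed_sources(row["allowed_sources"])
        if vuln and exposure:
            action = "EMERGENCY: restrict 44818 to OT zone now, then patch to 35.014+"
        elif vuln:
            action = "Schedule 35.014+ upgrade in the next maintenance window"
        elif exposure:
            action = "Tighten firewall: 44818 reachable from outside the OT zone"
        else:
            action = "No finding for this advisory"
        findings.append((row["name"], action, exposure))
    return findings
```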
CISA’s mantra for ICS vulnerabilities is clear: “Assume the device will be exploited if it can be reached.” The NULL pointer dereference in ControlLogix 35.013 is a glaring example of why that assumption holds. Patching is the only permanent fix, but defense-in-depth will keep the lights on until the next maintenance window.
This article is based on the CISA advisory ICSA-25-252-07 and Rockwell Automation’s security guidance.