CISA Warns of Critical Buffer Overflow Flaws in Rockwell Automation Logix PLCs
CISA issued an advisory (ICSA-26-197-06) for three high-severity buffer overflow vulnerabilities in Rockwell Automation CompactLogix, ControlLogix, and GuardLogix controllers, enabling denial-of-service attacks.
Intelligence analysis by Llama
CISA flagged three CVEs (CVSS 8.6) in widely deployed Rockwell Automation PLCs used in critical manufacturing worldwide. A remote attacker could trigger a major non-recoverable fault by loading a malformed project, halting production lines until firmware is updated.
These are like three holes in the walls of robot brains that run factory machines. A bad guy could sneak a too-big message through the hole and make the robot brain crash and need someone to come press a reset button in person. Rockwell has put out new versions of the robot software that plug the holes, so factories need to update.
Analysis
Three CVEs, One Attack Surface
CISA's advisory ICSA-26-197-06 bundles three distinct vulnerabilities — CVE-2025-12011, CVE-2025-12012, and CVE-2025-11698 — into a single coordinated disclosure affecting Rockwell Automation's Logix controller family. The headline bug is a classic buffer overflow, a memory-safety flaw that has plagued C code for decades and remains stubbornly common in embedded industrial firmware. CISA assigns a CVSS v3 score of 8.6, placing the issue in the high-severity band, and notes that exploitation is classed as a denial-of-service rather than remote code execution, which is a small mercy for defenders but still serious when the target is a programmable logic controller that may lack redundant failover.
Why a Buffer Overflow on a PLC Matters
According to the advisory, the most concerning outcome is that a remote user could load an invalid project onto a 5370 or 5570 controller and force the device into a major non-recoverable fault, a state from which the PLC cannot automatically recover and which typically requires a physical reset or firmware re-flash. In a packaging line, a water-treatment skid, or an automotive assembly cell, an unplanned stoppage of even a few hours can cascade into lost throughput, scrapped product, and contractual penalties. CISA also tags the affected equipment as belonging to the Critical Manufacturing critical-infrastructure sector and notes deployment worldwide, putting the issue squarely in scope for industrial plant operators from Ohio to Osaka.
Patch Paths Across the Logix Lineup
Rockwell Automation's remediation guidance is granular, splitting fixes by product line and firmware branch. The 5370 and 5570 families (the older generation) need an update to V35.016 or V36.011 or later, while the 5380, 5480, and 5580 families require V34.014, V35.013, or V36.011 depending on the maintenance branch a plant is running. Recovery-image firmware for the newer controllers should be updated to boot firmware 1.072 or greater; users already on V36.013 or V37.011 inherit the corrected boot firmware automatically. The cleanup is therefore real but bounded, and the practical hurdle for defenders is the operational risk of taking a running controller offline to flash new firmware, not the availability of a fix. CISA's CSAF summary and the underlying CVE records remain the authoritative reference for asset owners mapping these advisories onto their asset inventories.
Key points
- CISA advisory ICSA-26-197-06 covers three CVEs (CVE-2025-12011, CVE-2025-12012, CVE-2025-11698) in Rockwell Automation Logix controllers
- CVSS v3 score of 8.6; root cause is a classic buffer overflow in the device firmware
- Exploitation can cause a major non-recoverable fault, requiring a physical reset to recover
- Affected product lines include CompactLogix, ControlLogix, Compact GuardLogix, and GuardLogix across 5370, 5380, 5480, 5570, and 5580 hardware families, deployed worldwide in critical manufacturing
- Vendor fixes exist; operators should update to V35.016/V36.011 (older lines) or V34.014/V35.013/V36.011 (newer lines) and boot firmware 1.072 or greater
Rockwell has shipped patched firmware across every affected branch, and operators already on the latest V36 or V37 trains inherit fixes automatically. Asset owners who follow the remediation table can close the exposure without redesigning their control architecture.
Because exploitation only requires loading a malformed project, any Logix controller exposed to an untrusted network, whether through a misconfigured jump host, a compromised engineering workstation, or a third-party integration, is a remote crash away from a non-recoverable fault. Plants running older V35 or V34 maintenance branches face the operational cost of a planned outage to flash firmware, and many will defer, leaving the window open.


