CISA Warns of Denial-of-Service Flaw in Rockwell Automation 1756 Communication Modules
CISA issued an advisory for a high-severity vulnerability (CVE-2026-9653) in Rockwell Automation 1756-EN2, 1756-EN3, and 1756-ENBT modules that allows remote denial-of-service via crafted packets.
Intelligence analysis by Llama
CISA advisory ICSA-26-197-02 flags a network-reachable DoS bug across three Rockwell EtherNet/IP communication modules used in critical manufacturing. The 1756-ENBT is discontinued with no patch available, while the EN2 and EN3 have firmware updates.
These are little boxes that help factory machines talk to each other. A bad guy on the same network can send them tricky messages that make the boxes stop talking for a moment. The boxes wake back up on their own, but if it keeps happening, the factory gets glitchy. Two of the boxes can be fixed with an update, but the oldest one is retired and can't be fixed at all.
Analysis
A Network-Reachable Bug on the Plant Floor
The vulnerability tracked as CVE-2026-9653 stems from improper validation of CIP Implicit Connection packets in Rockwell Automation's 1756-EN2, 1756-EN3, and 1756-ENBT communication modules. CISA's advisory, released July 16, 2026, rates the flaw at 7.5 (HIGH) under CVSS v3.1 and 8.7 under CVSS v4.0, reflecting its low attack complexity and the fact that no authentication or user interaction is required. An attacker on the same network can simply send crafted packets to repeatedly tear down device connections, though the advisory notes that those connections will recover immediately after each disruption. The CWE classification — CWE-354, Improper Validation of Integrity Check Value — points to a protocol-handling weakness rather than a memory corruption bug, which explains the clean self-recovery but also the ease of triggering it at will.
Patch or Perish: The ENBT Cliff
Remediation splits the affected product line into two very different stories. For the 1756-EN2 and 1756-EN3 modules running firmware up to and including V12.001, Rockwell has published V12.002, which CISA lists as the vendor fix. The 1756-ENBT, however, is a different beast: the advisory explicitly states the product is discontinued and that a fix is unavailable. Operators still running the ENBT in production environments have no patched path forward and must rely on network-level compensating controls — segmentation, firewalls, and restricted remote access — to reduce exposure. This discontinuation gap is a recurring pattern in industrial control security: legacy gear outlives its support window, leaving defenders to guard unpatchable endpoints indefinitely.
Why a DoS Still Matters in Critical Manufacturing
A purely denial-of-service bug might sound tame next to remote code execution, but the affected modules are classified under CISA's Critical Manufacturing sector and deployed worldwide. Even with self-recovering connections, an attacker who can repeatedly knock CIP Implicit Connections offline can stall ControlLogix I/O traffic, disrupt coordination between controllers and field devices, and force process trips or shutdowns. CISA's recommended practices — keeping control system networks behind firewalls, isolating them from business networks, and using VPNs for any remote access — are the textbook defense-in-depth playbook, and the absence of known public exploitation suggests defenders still have time to apply them. The advisory credits Tyler Lentz of Idaho National Laboratory with the responsible disclosure, underscoring the role of national-lab and vendor coordination in catching protocol-level bugs before adversaries weaponize them.
Key points
- CVE-2026-9653 affects Rockwell 1756-EN2, 1756-EN3, and 1756-ENBT with CVSS 7.5 (v3.1) / 8.7 (v4.0)
- Flaw allows remote denial-of-service via crafted CIP Implicit Connection packets; connections self-recover after each disruption
- 1756-EN2 and 1756-EN3 can be patched to firmware V12.002; the 1756-ENBT is discontinued with no fix available
- Vulnerability reported by Tyler Lentz of Idaho National Laboratory; no known public exploitation reported as of advisory release
- CISA classifies affected deployments under the Critical Manufacturing sector, deployed worldwide
With firmware V12.002 available for the EN2 and EN3 modules and CISA confirming no known public exploitation, defenders have a clear window to patch and segment affected systems before adversaries weaponize the flaw. The responsible disclosure by Idaho National Laboratory suggests coordinated, pre-emptive remediation is the norm here.
Organizations still running the discontinued 1756-ENBT face an unpatchable exposure that depends entirely on network segmentation and monitoring. Even for patchable units, the low complexity and no-authentication requirements mean that any plant floor with insufficient network isolation could see repeated, automated DoS events that degrade process reliability over time.



