High

Denial of Service via Crafted CIP Message in Rockwell Automation Logix 5370 and 5570 Controllers

Identifiers: CVE-2026-11317, CWE-404 · Improper Resource Shutdown or…

CVE-2026-11317 is a denial-of-service vulnerability affecting Rockwell Automation Logix 5370 and 5570 controllers, including CompactLogix 5370 versions up to and including 34.016, Compact GuardLogix 5370 versions up to and including 35.015, ControlLogix 5570 versions up to and including 35.015, and GuardLogix 5570 version 36.012. The issue is triggered when an attacker sends a crafted CIP message to an affected device, causing a fault condition. Devices with less memory are more likely to be affected. Successful exploitation can drive the controller into a major nonrecoverable fault (MNRF), requiring a program download to restore operation. The vulnerability is mapped to CWE-404.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes a denial-of-service condition on the affected controller. In the observed failure mode, the device can enter a major nonrecoverable fault (MNRF), interrupting controller availability and potentially halting or degrading industrial process control functions. Recovery is not automatic and requires a program download, increasing operational disruption and recovery effort.

Mitigation

If you can’t patch tonight, do this now.

If immediate remediation is not possible, minimize exposure of affected controllers to untrusted networks. Ensure control system devices are not directly accessible from the internet, place ICS networks and remote devices behind firewalls, and isolate them from business networks. Restrict CIP reachability to trusted hosts and engineering workstations only. Use secure remote access methods such as updated VPN solutions, and follow standard CISA ICS hardening guidance for segmentation, access control, and monitored remote connectivity.

Remediation

Patch, then assume compromise.

Apply Rockwell Automation's fix or updated firmware/software guidance from Security Advisory SD1772 for affected Logix 5370 and 5570 controller families. Specifically review and update affected versions: CompactLogix 5370 <=34.016, Compact GuardLogix 5370 <=35.015, ControlLogix 5570 <=35.015, and GuardLogix 5570 36.012, in accordance with vendor instructions. Validate recovery and deployment procedures in a maintenance window appropriate for ICS environments.
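
The sketch below is an added example, not Mallory's or Rockwell Automation's code. It matches an asset inventory against the affected versions listed above, then flags CIP connections to those controllers from hosts outside a trusted allowlist. Assumptions: firmware is written as `major.minor` and compared numerically, CIP explicit messaging runs over EtherNet/IP on TCP 44818 (a port this page does not state), and every address, inventory row and flow record is constructed.

```python
import ipaddress

# Affected versions exactly as listed in the advisory text above.
AFFECTED = {
    "compactlogix 5370": ("<=", "34.016"),
    "compact guardlogix 5370": ("<=", "35.015"),
    "controllogix 5570": ("<=", "35.015"),
    "guardlogix 5570": ("==", "36.012"),  # the page lists this single version
}
CIP_TCP_PORT = 44818  # EtherNet/IP explicit messaging; assumption, not from the page

def parse_version(text):
    """'34.016' or 'V34.016' -> (34, 16); raises ValueError if malformed."""
    major, minor = text.strip().lstrip("vV").split(".")
    return int(major), int(minor)

def is_affected(product, firmware):
    """True when product and firmware fall inside a listed affected range."""
    rule = AFFECTED.get(" ".join(product.lower().split()))
    if rule is None:
        return False
    op, bound = rule
    have, limit = parse_version(firmware), parse_version(bound)
    return have <= limit if op == "<=" else have == limit

def untrusted_cip_flows(assets, flows, trusted_nets):
    """Return (src, dst) for CIP flows reaching affected controllers from
    sources outside the trusted networks (engineering workstations)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    exposed = {a["ip"] for a in assets if is_affected(a["product"], a["firmware"])}
    hits = []
    for src, dst, dport in flows:
        if dst in exposed and dport == CIP_TCP_PORT:
            if not any(ipaddress.ip_address(src) in n for n in nets):
                hits.append((src, dst))
    return hits

# Constructed sample data (hypothetical inventory, flow records, allowlist).
ASSETS = [
    {"ip": "10.20.0.11", "product": "CompactLogix 5370", "firmware": "34.011"},
    {"ip": "10.20.0.12", "product": "ControlLogix 5570", "firmware": "36.011"},
    {"ip": "10.20.0.13", "product": "GuardLogix 5570", "firmware": "36.012"},
]
FLOWS = [("10.20.5.5", "10.20.0.11", 44818), ("192.168.50.9", "10.20.0.11", 44818),
         ("192.168.50.9", "10.20.0.12", 44818), ("192.168.50.9", "10.20.0.13", 44818),
         ("192.168.50.9", "10.20.0.13", 443)]
TRUSTED = ["10.20.5.0/28"]

if __name__ == "__main__":
    for src, dst in untrusted_cip_flows(ASSETS, FLOWS, TRUSTED):
        print(f"untrusted CIP source {src} -> affected controller {dst}")
```

Each hit is a path to close at the firewall while the firmware update is being scheduled.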
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor | Product | Type
Rockwell Automation | Compact Guardlogix 5370 | hardware
Rockwell Automation | Compactlogix 5370 | hardware
Rockwell Automation | Controllogix 5570 | hardware
Rockwell Automation | Guardlogix 5570 | hardware

Vendor-confirmed product mapping.
