CVE-2026-11317: Rockwell Automation Logix 5370 and 5570 Controllers Vulnerable To Denial of Service Via CIP
A denial of service security issue exists in the affected product. The security issue stems from a fault occurring when a crafted CIP message is sent. Devices with less memory are more likely to be affected. This can result in a major nonrecoverable fault (MNRF). A program download is required to recover.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A denial-of-service vulnerability exists in Rockwell Automation CompactLogix and ControlLogix controllers (Logix 5370 and 5570 families). An unauthenticated attacker with network access to the controller can send a specially crafted CIP (Common Industrial Protocol) message that triggers a major nonrecoverable fault, taking the controller offline and requiring a full program download to recover. Successful exploitation disrupts the affected industrial control system: there is no confidentiality or integrity impact, but availability of the targeted device is lost completely. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment upstream fix versions are published.
HarborGuard Coverage
Detection of CVE-2026-11317 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Rockwell Automation controller firmware or related software components.
Status: Available
HarborGuard scores this CVE at 8.7 HIGH using the CVSS v4.0 vector and weights it against each customer environment's configured compliance policy, routing actionable findings to the appropriate team inbox within the affected organization.
Status: Available
Because no fix versions have been published by Rockwell Automation as of the CVE publication date, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the controller over the network, as the CIP message is delivered remotely; AV:N confirms over-the-network exposure.
- Authentication: Not required
No credentials or account of any privilege level are needed to send the malicious CIP message; PR:N confirms authentication is absent as a barrier.
- Victim interaction: Not required
No user or operator action is needed to trigger the fault; the crafted packet alone is sufficient, as indicated by UI:N.
- Attack complexity: Detail
The exploit is reliable and condition-free under normal network access; AC:L indicates no race conditions or special environmental factors are required.
Blast Radius
- The targeted controller enters a major nonrecoverable fault state and stops executing its control program, halting any industrial process it governs.
- Recovery requires a full program download to the device, meaning downtime is extended beyond a simple reboot and requires operator intervention.
- Devices with lower available memory are more susceptible, meaning the effective blast radius can vary across a fleet of otherwise identically configured controllers.
- Physical-process disruption is the primary outcome; there is no attacker read or write access to data, so confidentiality and data integrity are unaffected.
How HarborGuard Handles This
Available on HarborGuard: because Rockwell Automation has not yet published fix versions for CompactLogix and ControlLogix (versions prior to 34.016, 35.015, and 36.012), HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment upstream ships a fix. In the interim, compensating controls available to HarborGuard customers include network-policy isolation to restrict CIP traffic (TCP/UDP port 44818) to known engineering workstations only, egress filtering to prevent unauthorized hosts from reaching controller IP ranges, and policy-flag alerts that highlight any newly pushed image still bundling an affected firmware or software version. For customers who opt into auto-remediation, the full rebuild-plus-regression-run-plus-PR flow will trigger automatically once a fix version is confirmed in the upstream advisory feed.
- Rockwell Automation / CompactLogix, ControlLogix: Versions prior to 34.016 · Versions prior to 35.015 · Versions prior to 36.012
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
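To check whether the interim control described under "How HarborGuard Handles This" (CIP traffic on TCP/UDP 44818 limited to known engineering workstations) actually holds on a network, the flow audit below can be run over exported flow records. It is an added example, not HarborGuard or Rockwell Automation code; the controller subnet, workstation addresses, record format and sample flows are all constructed assumptions.

```python
import ipaddress

CIP_PORT = 44818  # CIP port named in the advisory text (TCP and UDP)

# Assumed site values, constructed for this example.
CONTROLLER_NETS = [ipaddress.ip_network("10.20.0.0/24")]
ENGINEERING_WORKSTATIONS = {
    ipaddress.ip_address("10.10.5.11"),
    ipaddress.ip_address("10.10.5.12"),
}

# Constructed flow records in an assumed "src dst proto dport" format.
SAMPLE_FLOWS = """\
10.10.5.11 10.20.0.15 tcp 44818
10.30.7.40 10.20.0.15 tcp 44818
10.30.7.40 10.20.0.15 tcp 443
10.10.5.12 10.20.0.22 udp 44818
192.0.2.77 10.20.0.22 udp 44818
10.30.7.40 10.50.1.9 tcp 44818
not a flow line
"""

def parse_flow(line):
    """Return (src, dst, proto, dport), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                parts[2].lower(), int(parts[3]))
    except ValueError:
        return None

def audit_cip_flows(text, controller_nets, allowed_sources):
    """List CIP flows to controllers from hosts outside the allowlist."""
    violations, skipped = [], 0
    for line in filter(str.strip, text.splitlines()):
        flow = parse_flow(line)
        if flow is None:
            skipped += 1  # count unparsable records instead of hiding them
            continue
        src, dst, proto, dport = flow
        if dport != CIP_PORT or proto not in ("tcp", "udp"):
            continue  # not CIP traffic
        if not any(dst in net for net in controller_nets):
            continue  # destination is not a controller
        if src not in allowed_sources:
            violations.append((str(src), str(dst), proto))
    return violations, skipped

if __name__ == "__main__":
    print(audit_cip_flows(SAMPLE_FLOWS, CONTROLLER_NETS, ENGINEERING_WORKSTATIONS))
```

Any violation returned is a host that can currently deliver CIP messages to a controller despite the intended policy; a non-zero skipped count means the export format should be checked before trusting a clean result.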