CVE-2012-6442 in ControlLogix controllersinfo

Summary

by MITRE

When an affected product receives a valid CIP message from an unauthorized or unintended source to Port 2222/TCP, Port 2222/UDP, Port 44818/TCP, or Port 44818/UDP that instructs the product to reset, a DoS can occur. This situation could cause loss of availability and a disruption of communication with other connected devices.



Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 06/03/2026

The vulnerability identified as CVE-2012-6442 affects Rockwell Automation EtherNet/IP products across multiple controller and communication module series including 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB, CompactLogix L32E and L35E controllers, 1788-ENBT FLEXLogix adapter, 1794-AENTR FLEX I/O EtherNet/IP adapter, and various ControlLogix, CompactLogix, GuardLogix, and SoftLogix controllers from versions 18 through 20. This vulnerability resides in the EtherNet/IP communication protocol implementation within these industrial control systems, specifically in how they handle CIP (Common Industrial Protocol) messages. The flaw manifests when these devices receive a specially crafted CIP message that specifies a reset operation, leading to unauthorized disruption of critical control and communication functions.

The technical implementation of this vulnerability stems from inadequate input validation and message handling within the EtherNet/IP stack of Rockwell Automation devices. When a remote attacker sends a malformed CIP message containing a reset command, the affected devices fail to properly validate the message parameters before executing the reset operation. This lack of proper message sanitization creates a condition where legitimate reset commands can be triggered remotely without proper authentication or authorization. The vulnerability operates at the application layer of the OSI model, specifically within the CIP protocol implementation that governs communication between industrial devices and their control systems. According to CWE classification, this represents a weakness in input validation and improper error handling, specifically CWE-20 for improper input validation and CWE-707 for improper use of an API. The vulnerability aligns with ATT&CK technique T1498.001 for network denial of service attacks, as it enables remote adversaries to cause service disruption in industrial control environments.

The operational impact of this vulnerability is severe and potentially catastrophic for industrial environments that rely on these Rockwell Automation devices for critical control functions. A successful exploitation can result in complete control and communication outages across affected systems, potentially leading to production halts, safety system failures, and significant financial losses. The vulnerability affects multiple generations of industrial controllers and communication modules, amplifying its potential impact across various industrial sectors including manufacturing, process control, and critical infrastructure. When triggered, the denial of service condition can cause controllers to reset their communication interfaces, interrupting data flow between controllers and human machine interfaces, programmable logic controllers, and other connected devices. This disruption can cascade through entire production lines, potentially causing equipment damage, safety system failures, or environmental hazards depending on the industrial application. The remote nature of the attack means that adversaries can exploit this vulnerability from outside the industrial network perimeter, making traditional network segmentation less effective as a protective measure.

Mitigation strategies for CVE-2012-6442 should include immediate deployment of vendor-provided security patches and firmware updates, which typically address the input validation issues in the CIP message handling. Network segmentation and access control measures should be implemented to limit access to these devices, including restricting network access to authorized personnel only and implementing network monitoring to detect anomalous CIP message patterns. The implementation of network intrusion detection systems specifically configured to monitor for suspicious CIP traffic patterns can provide early warning of potential exploitation attempts. Device hardening practices should be enforced, including disabling unnecessary network services, implementing strong authentication mechanisms, and regularly updating device firmware to address known vulnerabilities. Organizations should also consider implementing network access control lists and firewall rules to restrict communication to and from affected devices. According to NIST SP 800-82 guidelines for industrial control systems, these measures align with recommended practices for securing operational technology environments. Additionally, regular security assessments and vulnerability scanning should be conducted to identify and remediate similar vulnerabilities across the industrial control system infrastructure, as this vulnerability demonstrates the need for comprehensive security testing of industrial protocols and devices.

Reservation

12/26/2012

Disclosure

01/24/2013

Moderation

accepted

Entry

VDB-63423

CPE

ready

EPSS

0.32807

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!