CVE-2025-11698 in CompactLogix 5380 Recovery Image Compact GuardLogix 5380 Recovery Image CompactLogix 5480 Recovery Image ControlLogix 5580 Recovery Image GuardLogix 5580 Recovery Imageinfo

Summary

by MITRE • 07/14/2026

A denial-of-service issue exists in 5380/5480/5580 controllers boot firmware lower than version 1.072. This vulnerability could potentially allow a malicious user to write invalid file data to the controller, causing the device to enter a major non-recoverable fault (MNRF).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

This vulnerability represents a critical denial-of-service condition affecting boot firmware versions prior to 1.072 in 5380/5480/5580 controllers. The flaw stems from insufficient input validation mechanisms during the firmware boot process, where malicious actors can inject malformed file data that triggers system instability. The vulnerability manifests when invalid data structures are written to controller memory regions, leading to a cascade of failures that culminate in a major non-recoverable fault condition. This type of vulnerability falls under CWE-129 Input Validation and is particularly concerning because it occurs at the boot level where system integrity is paramount for operational continuity.

The technical implementation of this flaw allows attackers to manipulate the controller's initial boot sequence through crafted file data injection techniques. When the firmware processes these invalid inputs, it fails to properly validate the data integrity before committing it to memory, resulting in corrupted system states that cannot be recovered through standard restart procedures. The major non-recoverable fault condition represents a state where the controller enters an unrecoverable error loop, requiring physical intervention or complete power cycling to restore functionality. This vulnerability aligns with ATT&CK technique T1499.001 which covers network disruption and system resource exhaustion attacks.

The operational impact of this vulnerability extends beyond simple service interruption to encompass potential safety risks in industrial control environments where these controllers may be deployed. The inability to recover from the MNRF state without manual intervention creates extended downtime windows that can disrupt critical processes. Organizations relying on these specific controller models for automation, monitoring, or control systems face significant risk exposure when operating firmware versions below 1.072. The vulnerability's severity is compounded by the fact that such boot-level flaws are particularly difficult to detect and remediate without complete system restarts.

Mitigation strategies should prioritize immediate firmware updates to version 1.072 or later, which contain proper input validation mechanisms and error handling procedures. Network segmentation and access controls should be implemented to limit exposure of these controllers to untrusted networks and users. Additionally, implementing robust monitoring systems that can detect unusual boot patterns or memory corruption events will aid in early detection of potential exploitation attempts. Regular vulnerability assessments and security audits should be conducted to ensure all controller firmware versions remain current with the latest security patches. Organizations should also develop contingency procedures for handling the MNRF state, including documented steps for manual recovery processes and backup operational protocols.

Responsible

Rockwell

Reservation

10/13/2025

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!