CVE-2026-9636 in ControlLogixinfo

Summary

by MITRE • 07/14/2026

A security issue exists within CompactLogix® 5380, ControlLogix® 5580, and EN4 communication modules related to CIP Security certificate revocation handling. The security issue stems from the controller failing to properly reject certificates signed by an intermediate certificate that has been revoked via a Certificate Revocation List (CRL). This could allow a network-based attacker to establish a connection using a certificate that should be untrusted, potentially bypassing CIP Security protections.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

This vulnerability affects industrial control systems manufactured by rockwell automation including compactlogix 5380 and controllogix 5580 controllers along with en4 communication modules that implement common industrial protocol cip security mechanisms. The flaw exists in the certificate validation logic where the system fails to properly check certificate revocation status when processing intermediate certificates within a certificate chain. when a certificate authority issues a certificate revocation list containing revoked intermediate certificates the controller should reject any connections attempting to use those certificates but instead continues to accept them as valid. this represents a critical security weakness in the authentication and authorization framework of these industrial controllers.

the technical implementation flaw stems from inadequate certificate validation procedures within the cip security subsystem where the system only validates the end-entity certificate without properly traversing and validating the entire certificate chain against current revocation information. according to cwe 310 this vulnerability maps to weakness in cryptographic key handling and certificate management processes that fail to properly validate certificate status information. the issue specifically affects the certificate revocation list processing functionality where the controller should check all certificates in the chain against the latest crl but instead accepts certificates from revoked intermediate authorities. this behavior creates a trust boundary violation where compromised or unauthorized certificates can be used to establish connections that should be blocked by security policies.

operationally this vulnerability allows network-based attackers to perform man-in-the-middle attacks against industrial control systems by presenting revoked intermediate certificates during authentication negotiations. an attacker who has access to the network can potentially intercept communications and present forged certificates that bypass cip security protections, leading to unauthorized access to critical industrial processes. the impact extends beyond simple authentication bypass as it could enable attackers to modify control parameters, disrupt operations, or gain elevated privileges within the industrial control environment. this vulnerability particularly affects environments where cip security is enabled for protecting industrial communications and where certificate-based authentication is used to establish trust relationships between controllers and communication modules.

organizations should implement immediate mitigations including disabling unused network services, restricting network access to controllers through firewalls, and updating firmware to versions that properly validate certificate chains against current revocation lists. regular monitoring of certificate status information and implementation of automated certificate lifecycle management processes can help reduce exposure windows. according to attack tactics and techniques framework this vulnerability aligns with initial access and credential access phases where attackers seek to establish trusted connections within industrial networks. system administrators should also implement network segmentation strategies to limit the blast radius of potential compromise and deploy intrusion detection systems specifically configured to monitor for unusual certificate validation behaviors. the remediation process requires careful coordination between security teams, industrial operations personnel, and vendor support to ensure that controller firmware updates maintain operational continuity while addressing the certificate validation gap.

Responsible

Rockwell

Reservation

05/26/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!