A severe security flaw has been identified in Rockwell Automation’s ControlLogix Ethernet communication modules. This issue could allow remote attackers to execute arbitrary code on industrial control systems, posing a high risk to manufacturing and automation operations.
The vulnerability, tracked as CVE-2025-7353, has been rated with a CVSS score of 9.8, placing it in the critical category.
Key Points
- The flaw exists due to an enabled web debugger agent on affected modules.
- Attackers can remotely execute code, access memory, and manipulate industrial processes.
- Rockwell advises immediate patching or, if delayed, network segmentation as a temporary defense.
Rockwell Automation disclosed this issue on August 14, 2025, following internal security testing.
Insecure Default Configuration (CVE-2025-7353)
The vulnerability arises from a misconfigured web-based debugger (WDB) agent that remains active in production environments. Originally intended for development purposes, this debugging feature creates a dangerous attack surface when left enabled.
Through this flaw, unauthenticated attackers can connect remotely by targeting specific IP addresses, giving them access to sensitive debugging functionalities.
The issue falls under CWE-1188: Initialization of a Resource with an Insecure Default, highlighting the common security mistake of shipping devices with unsafe debugging options enabled by default.
According to the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), exploitation requires no privileges, no user interaction, and has severe consequences across confidentiality, integrity, and availability.
Affected Products
The vulnerability impacts several Rockwell Automation ControlLogix Ethernet modules running firmware version 11.004 or below.
Impacted Models:
- 1756-EN2T/D
- 1756-EN2F/C
- 1756-EN2TR/C
- 1756-EN3TR/B
- 1756-EN2TP/A
These modules serve as critical communication gateways between ControlLogix programmable automation controllers (PACs) and industrial Ethernet networks.
Potential Impact
Successful exploitation could allow attackers to:
- Dump and manipulate system memory
- Control execution flow on affected devices
- Disrupt manufacturing operations
- Gain unauthorized access to operational data
The web debugger agent essentially grants attackers low-level system control normally reserved for trusted developers and engineers.
Risk Factors
| Category | Details |
|---|---|
| Affected Products | ControlLogix Ethernet modules (models listed above) with firmware ≤11.004 |
| Impact | Remote code execution, memory manipulation, system takeover |
| Exploit Needs | Network access, connection to WDB agent, no authentication required |
| CVSS Score | 9.8 (Critical) |
Mitigation
Rockwell has released firmware version 12.001, which addresses the flaw by disabling the insecure WDB configuration. Organizations are strongly encouraged to update immediately.
If immediate patching is not possible, recommended steps include:
- Implementing network segmentation to isolate critical control systems
- Restricting access to debugging services using firewall rules
- Enabling continuous traffic monitoring for unusual activity
- Conducting security audits to identify similar vulnerabilities in other devices
