CVE-2018-17924

Rockwell Automation · MicroLogix and ControlLogix

Rockwell Automation controllers allow unauthenticated remote attackers to modify IP configurations, causing communication loss even when set to Hard RUN mode.

Executive summary

A vulnerability in Rockwell Automation controllers lets unauthenticated remote attackers modify network settings, resulting in a denial-of-service condition.

Vulnerability

A remote, unauthenticated attacker can send a CIP connection request that modifies the device's IP configuration. The device is forced to a new, potentially unreachable IP address, causing a loss of system communication, even while the controller is in Hard RUN mode.

Business impact

The CVSS score of 8.6 highlights the critical impact of this vulnerability on operational technology (OT) environments. Successful exploitation results in immediate denial-of-service for the affected controller, potentially halting industrial processes and creating significant safety and operational hazards.

Remediation

Immediate Action: Review the CISA ICS advisory (ICSA-18-310-02) and apply the recommended vendor updates or configuration changes immediately.

Proactive Monitoring: Monitor network traffic for unauthorized CIP connection requests or unexpected IP configuration changes within the control network.

Compensating Controls: Implement strict network segmentation and firewall rules to restrict access to the controller’s communication ports, ensuring only trusted devices can interact with the CIP protocol.
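
One way to implement the Proactive Monitoring item above, as an added example that is not part of the advisory or of any vendor tooling. It assumes a passive sensor already decodes EtherNet/IP traffic into the constructed record format shown, that the configuration change arrives as a CIP set-attribute service on the TCP/IP Interface Object (class 0xF5), and that `ALLOWED_SOURCES` is a hypothetical site allowlist.

```python
# Added example: flag CIP writes to a controller's TCP/IP Interface Object.
# Assumption: a passive sensor already decodes EtherNet/IP into records of
# "time src dst service class instance attribute" (format is hypothetical).
import ipaddress

# CIP common service codes that write attributes.
SET_SERVICES = {0x02: "Set_Attribute_All", 0x04: "Set_Attribute_List",
                0x10: "Set_Attribute_Single"}
TCPIP_INTERFACE_CLASS = 0xF5  # CIP TCP/IP Interface Object

# Hypothetical site policy: the only host expected to reconfigure controllers.
ALLOWED_SOURCES = {ipaddress.ip_address("10.10.1.20")}

# Constructed sample records, not captured traffic.
SAMPLE = """\
2024-01-01T08:00:01Z 10.10.1.20 10.10.5.11 0x0e 0x01 1 1
2024-01-01T08:00:07Z 10.10.1.20 10.10.5.11 0x10 0xf5 1 5
2024-01-01T08:03:44Z 10.10.9.77 10.10.5.12 0x10 0xf5 1 5
2024-01-01T08:03:45Z 10.10.9.77 10.10.5.12 0x0e 0xf5 1 5
not-a-record
"""

def parse(line):
    """Return a record dict, or None when the line is malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        return {"ts": parts[0],
                "src": ipaddress.ip_address(parts[1]),
                "dst": ipaddress.ip_address(parts[2]),
                "service": int(parts[3], 16), "cls": int(parts[4], 16),
                "instance": int(parts[5]), "attr": int(parts[6])}
    except ValueError:
        return None

def detect(text, allowed=ALLOWED_SOURCES):
    """Return one alert tuple per attribute write aimed at class 0xF5."""
    alerts = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec["cls"] != TCPIP_INTERFACE_CLASS:
            continue
        if rec["service"] not in SET_SERVICES:  # reads and responses ignored
            continue
        # Writes from the allowlisted host are still logged for change review.
        severity = "info" if rec["src"] in allowed else "high"
        alerts.append((rec["ts"], str(rec["src"]), str(rec["dst"]),
                       SET_SERVICES[rec["service"]], severity))
    return alerts
```

Feeding `detect()` from a sensor on the control network and routing `high` alerts to the SOC covers the unauthorized-request case; `info` alerts give a change record to reconcile against approved maintenance.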

Exploitation status

Public Exploit Available: true

Analyst recommendation

This vulnerability is highly dangerous in industrial settings where availability is critical. Organizations must immediately restrict network access to affected controllers and prioritize applying patches to prevent unauthorized modification of network settings.