October 2, 2023

Infrastructure operators have been warned of a critical remote code execution flaw discovered in a type of communications equipment commonly used across multiple industries.

The US CISA issued an alert about two vulnerabilities, one of them critical affecting a range of Rockwell Automation Allen-Bradley ControlLogix communication modules.

The communications modules are used widely in operational technology settings, including by critical infrastructure operators such as water and energy providers. Organizations using the modules have been urged to address the vulnerabilities by updating to the latest versions of the devices’ firmware “as soon as possible”.


Rockwell Automation said it had worked with the government to analyze a “novel exploit capability” affecting the modules. The exploit was attributed to unnamed APT actors.

Rockwell Automation said malicious actors could exploit the vulnerabilities to alter the modules’ firmware, wipe their memory, falsify traffic to and from the devices, and establish persistence.

The first vulnerability, tracked as CVE-2023-3595, with a CVSS rating of 9.8 and could allow hackers to gain RCE with persistence by sending malicious Common Industrial Protocol (CIP) messages. The compromise of the vulnerable module itself, the vulnerability could also allow an attacker to affect the industrial process along with the underlying critical infrastructure, which may result in possible disruption or destruction.

The second vulnerability tracked as CVE-2023-3596, with a CVSS rating of 7.5, and could enable threat actors to instigate a denial of service via CIP messages.

Researchers said the Rockwell Automation communication module RCE vulnerability was similar to a zero-day vulnerability exploited by the Xenotime threat group using Trisis malware.


Both allow for arbitrary firmware memory manipulation, though CVE-2023-3595 targets a communication module responsible for handling network commands. However, their impact is the same.

There exists the potential to corrupt the information used for incident response and recovery. The attacker could potentially overwrite any part of the system to hide themselves and stay persistent, or the interfaces used to collect incident response or forensics information could be intercepted by malware to avoid detection.

It is advised that all ICS/OT asset owners identify assets with impacted communications modules and update their Rockwell Automation ControlLogix firmware to the latest version as soon as possible.

Leave a Reply

%d bloggers like this: