CVE-2026-11317

N/A

View CSAF Summary Successful exploitation of this vulnerability could cause a denial-of-service condition that may result in a major nonrecoverable fault (MNRF). The following versions of Rockwell ...

Affects 0 products across 1 vendor.

CVSS v48.7
EPSS0.3%
Percentile22th
PatchUnknown
CWE Weakness Definitions
CWE-404: CWE-404
◆ SAGE Intelligence — CITED Relevance Research Team

Multiple Rockwell Automation Logix controllers (CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570, and GuardLogix 5570) are vulnerable to a denial-of-service attack via malformed or crafted CIP (Common Industrial Protocol) messages. A remote attacker with network access to the controller can trigger a Major Non-Recoverable Fault (MNRF), forcing the controller into a faulted state and halting industrial process execution. In OT environments, this represents a critical safety and availability risk as MNRF conditions typically require physical intervention to recover and can cause uncontrolled process shutdowns.

Is this CVE in your environment?

BreachSpider monitors your ICS/OT environment for vulnerabilities like this one. No agents or network access required. Free to start.

Check My Environment →
Frequently Asked Questions
What is CVE-2026-11317?
Multiple Rockwell Automation Logix controllers (CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570, and GuardLogix 5570) are vulnerable to a denial-of-service attack via malformed or crafted CIP (Common Industrial Protocol) messages. A remote attacker with network access to the controller can trigger a Major Non-Recoverable Fault (MNRF), forcing the controller into a faulted state and halting industrial process execution. In OT environments, this represents a critical safety and avail
Is CVE-2026-11317 actively exploited?
No confirmed active exploitation of CVE-2026-11317 as of 2026-06-24.
How do I remediate CVE-2026-11317?
Update to CompactLogix 5370: >34.016; Compact GuardLogix 5370: >35.015; ControlLogix 5570: >35.015; GuardLogix 5570: >36.012 or later. Firmware updates for the affected Logix controller families address the CIP message handling flaw that allowed crafted packets to trigger a Major Non-Recoverable Fault; customers should apply the latest available firmware revision via Rockwell's FactoryTalk Update Manager or manual firmware download through the Product Compatibility and Download Center (PCDC). Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories.html
What systems are affected by CVE-2026-11317?
CVE-2026-11317 affects: Rockwell Automation.
Vulnerability Details
CVE IDCVE-2026-11317
Published2026-06-16
Last Modified2026-06-16
ICS Relevance65%
Weakness (CWE)
SourceNVD
Official Description

View CSAF Summary Successful exploitation of this vulnerability could cause a denial-of-service condition that may result in a major nonrecoverable fault (MNRF). The following versions of Rockwell Automation Logix 5370 & 5570 Controllers Vulnerable To Denial of Service Via CIP are affected: CompactLogix 5370 <=34.016 (CVE-2026-11317) Compact GuardLogix 5370 <=35.015 (CVE-2026-11317) ControlLogix 5570 <=35.015 (CVE-2026-11317) GuardLogix 5570 36.012 (CVE-2026-11317) CVSS Vendor Equipment Vulnerab

Source: NIST NVD / MITRE CVE Database

Affected Products
VendorProductFixed Version
Rockwell Automation &mdash;
Remediation

Fixed Version: CompactLogix 5370: >34.016; Compact GuardLogix 5370: >35.015; ControlLogix 5570: >35.015; GuardLogix 5570: >36.012

Firmware updates for the affected Logix controller families address the CIP message handling flaw that allowed crafted packets to trigger a Major Non-Recoverable Fault; customers should apply the latest available firmware revision via Rockwell's FactoryTalk Update Manager or manual firmware download through the Product Compatibility and Download Center (PCDC).

View Vendor Advisory →
Threat Intelligence
● Threat Intelligence Validated: July 2026 | Threat Age: 26 Days
CISA KEVNot in KEV catalog
Public ExploitNot confirmed
PoC CodeNot confirmed
● Virtual Patch — CITED Relevance SAGE Engine MEDIUM CONFIDENCE

Deploy the Suricata or Snort rule on an industrial IDS/IPS placed inline or on a SPAN port at the network boundary of the OT zone containing the affected Logix controllers. Additionally, configure perimeter firewall ACLs to whitelist only known engineering workstation and HMI IP addresses for TCP/44818 (EtherNet/IP) and UDP/2222 (implicit I/O) to the affected controller IP addresses. Block all inbound CIP traffic from IT networks and the internet unconditionally.

No reliable network detection signature exists for this vulnerability class — apply the compensating controls above and the vendor patch. SAGE only publishes a network rule when a concrete on-the-wire signature can be grounded in the advisory.

Virtual patch generated by CITED Relevance SAGE. Validate in isolated environment before production deployment. Compensating control only - does not replace vendor patch.

Related CVEs affecting Rockwell Automation
CVE-2017-16740 10.0 A Buffer Overflow issue was discovered in Rockwell Automation Allen-Bradley M... CVE-2012-4715 10.0 Buffer overflow in LogReceiver.exe in Rockwell Automation RSLinx Enterprise C... CVE-2009-3739 10.0 Multiple unspecified vulnerabilities on the Rockwell Automation AB Micrologix... CVE-2016-9343 10.0 An issue was discovered in Rockwell Automation Logix5000 Programmable Automat... CVE-2020-14516 10.0 In Rockwell Automation FactoryTalk Services Platform Versions 6.10.00 and 6.1...
View all Rockwell Automation CVEs →

ICS/OT Vulnerability Intelligence for Your Environment

BreachSpider monitors 353,228 CVEs across ICS/OT vendors. SAGE-enriched alerts with virtual patches, NERC-CIP mapping, and PSIRT contacts delivered to your SIEM in minutes.

Join free →