Executive Summary
CVE-2020-13573 is an out-of-bounds read in Rockwell Automation RSLinx Classic at or below version 4.50.00. A remote, unauthenticated attacker triggers it with a crafted packet, leaving the application in an unresponsive state that does not clear on its own. Because RSLinx Classic is the communication broker between engineering workstations, HMIs, SCADA front ends and the underlying Allen-Bradley controllers, a successful hit blinds the operator to live process data until someone manually restarts the service or the host.
Technical Exposure Breakdown
The defect is a memory safety failure in how RSLinx Classic parses inbound data. An out-of-bounds read means the parser reads memory beyond the buffer it was handed, the classic shape being a length field in the packet that is trusted over the number of bytes actually received. Here the consequence is not one malformed response but a process that stops servicing requests. The CVSS v3 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): network attack vector, low attack complexity, no privileges required, no user interaction, and no confidentiality or integrity impact. The entire weight of the score is availability.
The practical attack surface is the set of TCP and UDP listeners RSLinx Classic opens to drive controller communications: EtherNet/IP on TCP 44818 (explicit messaging, the channel that carries CIP requests) and UDP 2222 (implicit I/O), plus the RPC endpoints RSLinx registers. Any host that can route packets to the RSLinx machine on those ports is in scope. The vulnerability requires neither authentication nor a foothold on the engineering workstation: a single crafted packet from a compromised jump host, through a misconfigured firewall rule, or across a flat plant network is enough.
The condition that makes this dangerous in production is the lack of self-recovery. A transient crash that restarts cleanly is an annoyance. A hung process that stays hung requires human intervention, and during that window the operator is running blind on whatever controllers depend on that RSLinx instance for tag access.
OT Impact and Compliance Risk
RSLinx Classic sits at the boundary between IT-style software and the deterministic OT layer. When it stops answering, the symptom is not a controller fault. The PLC keeps executing logic and the physical process keeps running. What disappears is visibility. HMIs go stale, historians stop logging, and alarms that depend on RSLinx data paths fail to update. In an energy or critical manufacturing setting, an operator who cannot see process state is one upset away from a manual trip or an undetected excursion.
For NERC CIP environments, an unrecoverable loss of a monitoring asset touches CIP-007 (System Security Management) and CIP-010 (Configuration Change Management and Vulnerability Assessments), since this is a known flaw on a BES Cyber Asset inside the Electronic Security Perimeter. For asset owners aligning to IEC 62443, this maps directly to the zone and conduit model: RSLinx Classic should never be reachable from a zone with a lower security level, and this CVE is a clean demonstration of why conduit filtering matters. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but absence from that list is not a measure of plant risk.
Compensating Controls
Patching to a fixed RSLinx Classic release is the documented path, but in most plants that means a coordinated maintenance window because the host is load bearing for live communications. Until then, treat this as a network exposure problem.
- Conduit filtering. Restrict TCP 44818 and UDP 2222 to the explicit list of HMIs, SCADA nodes and engineering stations that legitimately speak to RSLinx. Deny everything else at the firewall, not at the host.
- Virtual patching. Place an inline IPS in front of the RSLinx host and drop malformed EtherNet/IP and CIP frames before they reach the parser. The rule concept, whether in Suricata or a dedicated OT IPS, is to validate the 24-byte EtherNet/IP encapsulation header on the RSLinx listening ports: a known command code, a length field that matches the bytes actually on the wire, and the options field at zero as the specification requires, alerting and dropping on anything else. This shields the unpatched application without touching it. Run the rule in alert-only mode first and review the hits before enabling drop, because an inline device that discards legitimate traffic on a control conduit causes the same loss of visibility you are defending against.
- Avoid active scanning. Do not validate this with an aggressive vulnerability scanner against a production RSLinx instance: the same malformed-input sensitivity that defines this CVE means a scan probe can trigger the exact denial of service you are trying to prevent. Inventory passively from a SPAN port or network tap, or test in a lab replica.
- Recovery runbook. Document the manual restart procedure, including how to confirm RSLinx is hung rather than merely slow, and assign an owner, since this fault does not clear on its own.
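The header validation behind the virtual-patching bullet above, written out as an added example; this is not Rockwell's code, not a Suricata rule, and not a capture from a real RSLinx host. The 24-byte encapsulation header layout and the command codes come from the public EtherNet/IP specification; the per-command minimum data lengths and the drop policy are this example's own assumptions, and all sample frames are constructed inline. The same checks are what a passive monitor on a SPAN port would apply when inventorying EtherNet/IP talkers without probing them.

```python
import struct
from typing import Optional

# EtherNet/IP encapsulation header: command, length, session handle, status,
# sender context (8 bytes), options. Little-endian, 24 bytes total.
ENIP_HEADER = struct.Struct("<HHII8sI")
ENIP_HEADER_LEN = ENIP_HEADER.size  # 24

# Encapsulation command codes defined by the EtherNet/IP specification.
KNOWN_COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
    0x0072: "IndicateStatus",
    0x0073: "Cancel",
}

# Minimum encapsulated-data length per command (policy assumption for this
# example). RegisterSession carries a 2-byte protocol version and 2-byte
# option flags. SendRRData/SendUnitData carry a 4-byte interface handle,
# a 2-byte timeout and a Common Packet Format block whose smallest form is
# a 2-byte item count plus a null address item and an empty data item
# (4 bytes each), so 6 + 10 = 16 bytes.
MIN_DATA_LEN = {0x0065: 4, 0x006F: 16, 0x0070: 16}


def parse_enip_header(frame: bytes) -> dict:
    """Decode the fixed 24-byte header; raise ValueError if the frame is short."""
    if len(frame) < ENIP_HEADER_LEN:
        raise ValueError(f"frame is {len(frame)} bytes, header needs {ENIP_HEADER_LEN}")
    command, length, session, status, context, options = ENIP_HEADER.unpack_from(frame)
    return {"command": command, "length": length, "session": session,
            "status": status, "context": context, "options": options}


def check_frame(frame: bytes, request: bool = True) -> tuple:
    """Return (allow, reason) for one complete encapsulation message.

    The central check is that the Length field agrees with the bytes actually
    present. A parser that trusts Length over the wire count reads past the
    end of its receive buffer, which is the shape of defect behind an
    out-of-bounds read in a protocol front end.
    """
    try:
        hdr = parse_enip_header(frame)
    except ValueError as exc:
        return False, f"short header: {exc}"
    name = KNOWN_COMMANDS.get(hdr["command"])
    if name is None:
        return False, f"unknown command 0x{hdr['command']:04x}"
    actual = len(frame) - ENIP_HEADER_LEN
    if hdr["length"] > actual:
        return False, f"{name}: declared length {hdr['length']} exceeds {actual} bytes on wire"
    if hdr["length"] < actual:
        return False, f"{name}: {actual - hdr['length']} trailing bytes after declared length"
    if hdr["length"] < MIN_DATA_LEN.get(hdr["command"], 0):
        return False, f"{name}: data too short ({hdr['length']} bytes)"
    if hdr["options"] != 0:
        return False, f"{name}: options field must be 0"
    if request and hdr["status"] != 0:
        return False, f"{name}: status must be 0 in a request"
    return True, name


def split_tcp_stream(buf: bytes) -> tuple:
    """Cut a TCP 44818 byte stream into messages using each header's Length.

    Returns (complete_messages, leftover). Leftover is a partial message the
    caller holds until more data arrives; each complete message still goes
    through check_frame, so a lying Length only delays the drop by one frame.
    """
    messages, offset = [], 0
    while len(buf) - offset >= ENIP_HEADER_LEN:
        length = struct.unpack_from("<H", buf, offset + 2)[0]
        end = offset + ENIP_HEADER_LEN + length
        if end > len(buf):
            break
        messages.append(buf[offset:end])
        offset = end
    return messages, buf[offset:]


def build_frame(command: int, data: bytes = b"", status: int = 0,
                options: int = 0, declared_length: Optional[int] = None) -> bytes:
    """Constructed frame builder; declared_length lets a sample lie about Length."""
    length = len(data) if declared_length is None else declared_length
    return ENIP_HEADER.pack(command, length, 0, status, b"\x00" * 8, options) + data


# Constructed sample traffic for this example (not captured from a real host).
SAMPLES = {
    "list_identity": build_frame(0x0063),
    "register_session": build_frame(0x0065, struct.pack("<HH", 1, 0)),
    "truncated_register": build_frame(0x0065, b"\x01\x00", declared_length=4),
    "short_register": build_frame(0x0065, b"\x01\x00"),
    "trailing_bytes": build_frame(0x0063, b"\x41" * 5, declared_length=0),
    "unknown_command": build_frame(0x00FF),
    "nonzero_options": build_frame(0x0063, options=1),
    "short_header": b"\x63\x00\x00\x00",
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        allow, reason = check_frame(frame)
        print(f"{label:20s} {'ALLOW' if allow else 'DROP ':5s} {reason}")
    stream = SAMPLES["register_session"] + SAMPLES["list_identity"] + b"\x65\x00"
    msgs, rest = split_tcp_stream(stream)
    print(f"stream: {len(msgs)} complete messages, {len(rest)} bytes pending")
```

Over UDP each datagram is one message and check_frame applies directly; over TCP the filter has to frame the stream first, and split_tcp_stream shows why a bounded pending buffer matters: a header that declares more bytes than will ever arrive would otherwise park the reassembler the same way it parks a naive parser.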
BreachSpider tracks CVE-2020-13573 and the broader RSLinx Classic exposure across 25,000+ ICS CVEs, giving asset owners continuous monitoring of which controllers and conduits in their environment remain reachable from untrusted zones.