Executive Summary
CVE-2025-11694 covers two defects in Rockwell Automation CompactLogix 5370 controllers, an improper validation of integrity check value and an exposure of sensitive system information to an unauthorized control sphere, that together allow a remote unauthenticated attacker to force a denial-of-service condition. On a CompactLogix 5370, a denial-of-service is not a degraded dashboard, it is a controller that stops scanning logic and drops outputs across whatever process it sequences.
Technical Exposure Breakdown
The CompactLogix 5370 L1, L2, and L3 families sit at the controller layer in discrete and hybrid automation, running ladder, function block, and structured text under the Studio 5000 environment and communicating over EtherNet/IP and CIP. The CVSS v3 base score from the vendor is 7.5, which maps to network attack vector, low complexity, no privileges required, no user interaction, and an availability impact. There is no confidentiality or integrity impact rated at the high level, which tells you this is a crash and reset class of flaw rather than a code execution or logic manipulation path.
The first weakness, improper validation of an integrity check value, means the controller accepts or processes a crafted message without correctly verifying the integrity field. A malformed CIP or EtherNet/IP packet that fails to round-trip through the validation routine can put the firmware into a fault state. The second weakness, exposure of sensitive system information to an unauthorized control sphere, gives an attacker reconnaissance value that lowers the cost of targeting the first defect reliably. Combined, an actor with routed access to the controller on TCP and UDP 44818 and TCP 2222 can send the trigger and take the controller to a major nonrecoverable fault.
The condition that matters here is reachability. These controllers were never designed to face an exposed network boundary. The flaw requires no credentials, so any host that can establish a CIP session can attempt the trigger. That includes a compromised engineering workstation, a misconfigured cell or area zone, or a flat network where Purdue Level 1 and Level 2 traffic shares broadcast domains with corporate IT.
OT Impact and Compliance Risk
A faulted CompactLogix stops executing its program. Depending on the configured fault response and the safety design of the surrounding equipment, that means outputs deenergize, motion stops, and the process either fails to a defined safe state or stalls in an undefined one. Recovery typically requires a controller reset and a verified download, which is manual time on the floor and unplanned downtime on the schedule. For a process that depends on continuous sequencing, a forced fault is a production loss event with potential safety implications.
For asset owners under IEC 62443, this maps directly to zone and conduit segmentation requirements and to the system availability foundational requirement. NERC CIP registered entities should treat any 5370 inside an Electronic Security Perimeter as in scope for CIP-007 patch evaluation and CIP-005 boundary review. Water and wastewater operators under AWIA 2018 and pipeline operators under TSA SD-02C should record this against their network segmentation and access control measures, since the attack depends entirely on an attacker reaching the controller.
Compensating Controls
Do not point an active vulnerability scanner at these controllers to confirm exposure. Active scanning of CompactLogix hardware can itself trigger faults and brick the very component you are trying to protect. Use passive traffic monitoring and asset inventory data instead.
- Verify that 5370 controllers are inside a dedicated cell or area zone with no routable path to IT or to internet-facing infrastructure. Restrict TCP and UDP 44818 and TCP 2222 to known engineering hosts at the firewall or managed switch ACL.
- Deploy a virtual patch at the zone conduit. Inspect CIP and EtherNet/IP sessions and drop traffic from unauthorized source addresses before it reaches the controller.
- A Suricata rule concept: alert on CIP service requests over EtherNet/IP from any source outside the defined engineering management subnet to the controller IP range, then escalate to drop in inline mode once baseline traffic is confirmed clean. Flag malformed length fields and CIP messages that fail integrity expectations.
- Apply the Rockwell firmware update during a planned maintenance window with a verified rollback program archived first. Validate fault response configuration so a forced fault drives equipment to a defined safe state.
BreachSpider tracks CVE-2025-11694 and the broader CompactLogix exposure surface for continuous monitoring against your asset inventory.