Executive Summary

CVE-2026-9307 chains an improper validation of integrity check value with exposure of sensitive system information to let a remote attacker drive Rockwell Automation CompactLogix 5370 controllers into a denial-of-service condition through crafted network input. The physical criticality is direct: a CompactLogix 5370 is a primary process controller, and a controller fault stops the logic scan that drives discrete and analog outputs across packaging, water dosing, and small-to-mid line automation.

Technical Exposure Breakdown

The vulnerable component is the CompactLogix 5370 controller family, specifically the L1, L2, and L3 models. The CVSS v3 base score reported by the vendor is 7.5, consistent with a network-reachable flaw that affects availability without requiring authentication or user interaction. The root cause described is two-part. First, improper validation of an integrity check value means the controller accepts and acts on data that should have been rejected as malformed or tampered. Second, exposure of sensitive system information to an unauthorized control sphere indicates the controller leaks internal state or configuration detail that an attacker can leverage to shape the malformed input.

The attack vector is the controller network interface. CompactLogix 5370 controllers speak EtherNet/IP and CIP over the embedded Ethernet ports. Any host with a route to the controller management or process VLAN can deliver the crafted traffic. The precondition is reachability, not credentials. There is no authentication barrier described in the advisory, which means an attacker who has already pivoted into a cell or area zone has a direct path to fault the controller. The integrity check failure suggests the controller does not safely discard input that fails verification, and instead enters a fault state that halts the program scan.

OT Impact and Compliance Risk

When a CompactLogix 5370 faults, outputs go to their configured fault state. Depending on the program, that is either a controlled stop or an uncontrolled drop of all outputs. In a water treatment context that can mean chemical dosing pumps stop or run unchecked. In packaging or material handling it means a line stop and physical jams. Recovery requires a fault reset and in many configurations a manual restart, which extends downtime well beyond the moment of attack.

For NERC CIP environments, a controller that can be faulted by unauthenticated network traffic is a CIP-007 system security management concern and a CIP-005 electronic security perimeter concern, since the exposure assumes an attacker already inside the trusted zone. For asset owners aligned to IEC 62443, this is a failure of zone and conduit segmentation if the controller is reachable from a lower-trust network, and it stresses the SR 3.1 communication integrity requirement at the device level. Water and wastewater operators under AWIA 2018 should treat this as a risk and resilience assessment input, since loss of a dosing or distribution controller is a direct treatment continuity issue. Pipeline operators under TSA SD-02C should account for this in their network segmentation and access control measures, as the flaw rewards any lateral movement with a reliable controller outage.

Compensating Controls

Do not rely on a scheduled patch window as your only response. Active scanning of CompactLogix controllers to confirm exposure can itself induce the fault condition, so do not run aggressive discovery against these devices. Enumerate affected assets from passive traffic capture and engineering records instead.

BreachSpider Intel

BreachSpider tracks CVE-2026-9307 and related CompactLogix exposure across the Sovereign AI Governance Engine (SAGE) so OT teams can monitor affected asset reachability and exploitation signals without active scanning.