Rockwell Automation today announced the availability of firmware updates and published a security advisory addressing critical vulnerabilities (CVE-2023-3595 and CVE-2023-3596) in Select Communication Modules used in its ControlLogix controllers. Updates for all affected versions—including those no longer supported by Rockwell Automation—are available as well as detection rules. Successful exploitation of these vulnerabilities could allow malicious actors to gain remote access to the running memory of the module and perform malicious activity.
Rockwell Automation Select Communication Modules provide communication links between devices, IT systems, and remote communication. ControlLogix controllers are heavily used across critical infrastructure industries.
The vulnerabilities surfaced after an internal analysis of an exploit capability linked to an unnamed advanced persistent threat actor (APT), Rockwell Automation said. Critical infrastructure operators targeted by APT actors should note that this is an unusual opportunity to understand such a capability belonging to this type of advanced attacker before it’s used in the wild.
“We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear,” Rockwell said in its advisory. “Previous threat actors cyber activity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers.”
The two vulnerabilities affect 1756-EN2*, 1756-EN3*, and 1756-EN4* communication modules.
CVE-2023-3595, an out-of-bounds write vulnerability (CWE-787), was assigned a CVSS v3 score of 9.8 by CISA (advisory). It affects EN2* and EN3* modules and could allow an attacker to gain persistence on a vulnerable system and remotely execute code using maliciously crafted CIP messages. An attacker would be able to modify, deny, and exfiltrate data moving through the controller.
CVE-2023-3596, an out-of-bounds write vulnerability (CWE-787) with a CVSS v3 score of 7.5, affects EN4* products only and allows an attacker to carry out denial-of-service attacks through crafted CIP messages.
Depending on the user’s configuration of ControlLogix, additional impacts may be possible, Rockwell and CISA said.
“Exploitation of these vulnerabilities could allow malicious actors to gain remote access of the running memory of the module and perform malicious activity, such as manipulating the module’s firmware, inserting new functionality into the module, wiping the module’s memory, falsifying traffic to/from the module, establishing persistence on the module, and potentially affect the underlying industrial process,” Rockwell said in its advisory. “This could result in destructive actions where vulnerable modules are installed, including critical infrastructure.”
The full list of affected modules is below:
1756-EN2T Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2T Series D: Versions 11.003 and prior
1756-EN2TK Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2TK Series D: Versions 11.003 and prior
1756-EN2TXT Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2TXT Series D: Versions 11.003 and prior
1756-EN2TP Series A: Versions 11.003 and prior
1756-EN2TPK Series A: Versions 11.003 and prior
1756-EN2TPXT Series A: Versions 11.003 and prior
1756-EN2TR Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TR Series C: Versions 11.003 and prior
1756-EN2TRK Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TRK Series C: Versions 11.003 and prior
1756-EN2TRXT Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TRXT Series C: Versions 11.003 and prior
1756-EN2F Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2F Series C: Versions 11.003 and prior
1756-EN2FK Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2FK Series C: Versions 11.003 and prior
1756-EN3TR Series A: Versions 5.008 and 5.028 and prior
1756-EN3TR Series B: Versions 11.003 and prior
1756-EN3TRK Series A: Versions 5.008 and 5.028 and prior
1756-EN3TRK Series B: Versions 11.003 and prior
1756-EN4TR Series A: Versions 5.001 and prior
1756-EN4TRK Series A: Versions 5.001 and prior
1756-EN4TRXT Series A: Versions 5.001 and prior
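The list above can be turned into an inventory check. This is an added example, not Rockwell's or Claroty's code; the function names are hypothetical. It assumes firmware revisions are written as major.minor and that any revision at or below the highest version listed for a catalog number and series is affected.

```python
import re

# Affected-module list copied verbatim from the advisory text above.
ADVISORY = """\
1756-EN2T Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2T Series D: Versions 11.003 and prior
1756-EN2TK Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2TK Series D: Versions 11.003 and prior
1756-EN2TXT Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2TXT Series D: Versions 11.003 and prior
1756-EN2TP Series A: Versions 11.003 and prior
1756-EN2TPK Series A: Versions 11.003 and prior
1756-EN2TPXT Series A: Versions 11.003 and prior
1756-EN2TR Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TR Series C: Versions 11.003 and prior
1756-EN2TRK Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TRK Series C: Versions 11.003 and prior
1756-EN2TRXT Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TRXT Series C: Versions 11.003 and prior
1756-EN2F Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2F Series C: Versions 11.003 and prior
1756-EN2FK Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2FK Series C: Versions 11.003 and prior
1756-EN3TR Series A: Versions 5.008 and 5.028 and prior
1756-EN3TR Series B: Versions 11.003 and prior
1756-EN3TRK Series A: Versions 5.008 and 5.028 and prior
1756-EN3TRK Series B: Versions 11.003 and prior
1756-EN4TR Series A: Versions 5.001 and prior
1756-EN4TRK Series A: Versions 5.001 and prior
1756-EN4TRXT Series A: Versions 5.001 and prior
"""

LINE = re.compile(r"^(1756-\w+) Series (.+?): Versions (.+) and prior$")

def ver(text):
    """'11.003' -> (11, 3); revisions are compared as integers, not strings."""
    major, minor = text.strip().split(".")
    return int(major), int(minor)

def load(advisory=ADVISORY):
    """Map (catalog, series) -> highest revision the list names as affected."""
    table = {}
    for line in advisory.splitlines():
        cat, series, versions = LINE.match(line).groups()
        limit = max(ver(v) for v in versions.split(" and "))
        for s in re.findall(r"[A-D]", series):
            table[(cat, s)] = limit
    return table

def is_affected(catalog, series, firmware):
    """True/False for a listed module; None when catalog/series is not listed."""
    # Assumption: every revision <= the highest listed one counts as affected.
    limit = load().get((catalog.upper(), series.upper()))
    return None if limit is None else ver(firmware) <= limit
```

A `None` result means the catalog number and series pair does not appear in the list, which is a reason to check the vendor advisory directly and not a confirmation that the module is safe.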
Rockwell urges organizations running affected communications modules to take the following steps as mitigations against these critical flaws:
Firmware Update: EN2* ControlLogix communications modules should be updated to firmware revision 11.0004; EN4* ControlLogix communications modules should be updated to firmware revision 5.002.
Segment: Since network connectivity to a vulnerable module is required for a successful exploit, users should ensure industrial networks are segmented from the internet and enterprise networks.
Signatures: Rockwell has provided a number of Snort signatures users can deploy to monitor for anomalous CIP packets sent to ControlLogix controllers. The Snort rules provided to Claroty by Rockwell follow:
PROTOCOL-SCADA ENIP CIP Socket Object unconnected read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object unconnected ucmm read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object connected read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object connected ucmm read with unusual length detected
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected parameter 2 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected ucmm parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object attribute with unusual length detected
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected ucmm parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 2 contains unusual length
CWE-284 IMPROPER ACCESS CONTROL
Due to a webserver misconfiguration, an unauthenticated remote attacker is able to read the source of PHP modules.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M (All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM (All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM (All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 7.5
CWE-35 PATH TRAVERSAL
A low privileged remote attacker can upload a new or overwrite an existing Python script by using a path traversal of the target filename in PHP, resulting in remote code execution.
CVSS v3: 8.8
CWE-434 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE
A low privileged remote attacker can upload any file to an arbitrary location due to a missing file check, resulting in remote code execution.
CVSS v3: 8.8
CWE-98 IMPROPER CONTROL OF FILENAME FOR INCLUDE/REQUIRE STATEMENT IN PHP PROGRAM ('PHP REMOTE FILE INCLUSION')
An unauthenticated remote attacker can execute arbitrary PHP files and gain full access to the affected devices.
CVSS v3: 9.8
CWE-305 AUTHENTICATION BYPASS BY PRIMARY WEAKNESS
The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
CVSS v3: 9.8