CVE-2025-13824
Unknown Unknown - Not Provided
Improper CIP Packet Handling Causes Controller Hard Fault

Publication date: 2025-12-15

Last updated on: 2025-12-15

Assigner: Rockwell Automation

Description
A security issue exists due to improper handling of malformed CIP packets during fuzzing. The controller enters a hard fault with solid red Fault LED and becomes unresponsive. Upon power cycle, the controller will enter recoverable fault where the MS LED and Fault LED become flashing red and reports fault codeβ€―0xF019. To recover,β€―clear the fault.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2025-12-15
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-14
NVD
CVE-2025-13824
EUVD
EUVD-2025-203385
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
rockwellautomation micro850 23.012
rockwellautomation micro870 23.012
rockwellautomation micro820 23.011
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-763 The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-13824 is a security vulnerability in Rockwell Automation's Micro800 series programmable logic controllers caused by improper handling of malformed Common Industrial Protocol (CIP) packets during fuzzing. When exploited, the controller enters a hard fault state indicated by a solid red Fault LED and becomes unresponsive. After power cycling, the controller enters a recoverable fault state with flashing red MS and Fault LEDs and reports fault code 0xF019. Recovery requires clearing the fault. This vulnerability is due to a release of invalid pointer or reference (CWE-763). [1]

Impact Analysis

This vulnerability can cause the affected controllers (Micro820, Micro850, Micro870) to become unresponsive due to a hard fault triggered by malformed CIP packets. This results in downtime and potential disruption of industrial control processes. Recovery requires manual intervention to clear the fault after power cycling. There are no workarounds other than upgrading firmware or migrating to newer controllers, so failure to address this vulnerability could impact operational availability and reliability. [1]

Detection Guidance

This vulnerability can be detected by observing the controller's behavior: it enters a hard fault state indicated by a solid red Fault LED and becomes unresponsive. After power cycling, the controller shows a recoverable fault with flashing red MS and Fault LEDs and reports fault code 0xF019. Detection involves monitoring these LED fault indicators and fault codes on affected Micro800 series controllers. Specific network commands to detect malformed CIP packets are not provided in the available resources. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading the firmware of affected controllers to the fixed versions: for Micro850/870 (L50E/L70E) upgrade to firmware V23.012, and for Micro820 (LC20) upgrade to firmware V23.011 or migrate to newer controllers. If upgrading is not possible, follow Rockwell Automation's security best practices. There are no workarounds available for CVE-2025-13824 other than firmware upgrade or migration. Additionally, to recover from the fault state, clear the fault condition after power cycling the controller. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13824. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart