CVE-2026-9653
Received Received - Intake

Denial-of-Service in Allen-Bradley Communication Modules

Vulnerability report for CVE-2026-9653, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Rockwell Automation

Description

A denial-of-service security issue exists across all the 1756-EN2, EN3, and ENBT communication module due to improper validation of CIP Implicit Connection packets. An attacker on the network can exploit this by sending crafted packets to continuously disrupt device connections, though device connections will recover immediately after.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
rockwell_automation 1756-en2 to 12.001 (inc)
rockwell_automation 1756-en3 to 12.001 (inc)
rockwell_automation 1756-enbt to 6.006 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-354 The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-9653 is a denial-of-service (DoS) vulnerability affecting Rockwell Automation's 1756-EN2, 1756-EN3, and 1756-ENBT communication modules. The issue occurs due to improper validation of CIP Implicit Connection packets.

An attacker on the same network can exploit this vulnerability by sending specially crafted packets to the affected devices. This causes disruptions in device connections, leading to temporary service interruptions. However, the connections recover immediately after the attack stops.

  • Affected firmware versions: V12.001 and earlier for 1756-EN2 and 1756-EN3, and V6.006 and earlier for 1756-ENBT.
  • The vulnerability is classified under CWE-354 (Improper Validation of Integrity Check Value).
Impact Analysis

This vulnerability can impact you in the following ways:

  • Temporary disruption of device connections: An attacker can cause repeated interruptions in communication between devices, leading to operational downtime.
  • Service interruptions: If the affected modules are part of critical industrial control systems, the DoS attack could disrupt processes that rely on continuous communication.
  • Potential for cascading effects: Depending on the system's configuration, disruptions in one part of the network could affect other connected systems or processes.

While the connections recover immediately after the attack, repeated exploitation could lead to persistent operational challenges.

Compliance Impact

This vulnerability may impact compliance with common standards and regulations in the following ways:

  • Industrial control system (ICS) standards: The vulnerability could affect compliance with standards like IEC 62443, which emphasizes the security of industrial automation and control systems. A DoS vulnerability may violate requirements for system availability and resilience.
  • GDPR: If the affected systems process or store personal data of EU citizens, a DoS attack could lead to temporary unavailability of services, potentially violating GDPR's requirements for data availability and integrity. However, GDPR primarily focuses on data protection rather than system availability, so the impact may be indirect.
  • HIPAA: For healthcare organizations using the affected modules in systems that handle protected health information (PHI), a DoS attack could disrupt access to critical systems. This may violate HIPAA's requirements for ensuring the availability and integrity of PHI.
  • NIST and other cybersecurity frameworks: The vulnerability may conflict with guidelines from frameworks like NIST SP 800-53 or the NIST Cybersecurity Framework, which emphasize protecting system availability and mitigating risks from denial-of-service attacks.

Organizations should assess whether this vulnerability introduces non-compliance risks based on their specific regulatory obligations and the role of the affected systems in their operations.

Detection Guidance

Detecting this vulnerability on your network or system involves monitoring for unusual CIP Implicit Connection packet traffic targeting Rockwell Automation 1756-EN2, 1756-EN3, or 1756-ENBT communication modules. Since the vulnerability is exploited by sending crafted packets, you can use network monitoring tools to inspect traffic for anomalies.

  • Use Wireshark or a similar packet analyzer to capture and filter CIP traffic. Look for malformed or unexpected CIP Implicit Connection packets sent to the affected modules.
  • Check logs on the affected communication modules for repeated connection disruptions or errors related to CIP packet processing.
  • Verify the firmware versions of your 1756-EN2, 1756-EN3, and 1756-ENBT modules. Vulnerable versions are V12.001 and earlier for 1756-EN2/EN3, and V6.006 and earlier for 1756-ENBT.

Example commands or tools to assist in detection:

  • For Wireshark: Apply a filter like 'cip' or 'eth.dst == [MAC address of the module]' to isolate relevant traffic.
  • For Linux-based systems, use tcpdump to capture traffic: 'tcpdump -i eth0 -w capture.pcap port 44818' (CIP typically uses port 44818).
  • Check module firmware versions via Rockwell Automation's Studio 5000 or RSLogix software, or through the module's web interface if available.
Mitigation Strategies

To mitigate this vulnerability, follow these immediate steps:

  • Upgrade the firmware of affected 1756-EN2, 1756-EN3, and 1756-ENBT communication modules to the corrected versions. For 1756-EN2 and 1756-EN3, upgrade to firmware version V12.002 or later. For 1756-ENBT, apply the available fix (though the product is discontinued).
  • If upgrading is not immediately possible, implement Rockwell Automation's security best practices to reduce exposure. This includes isolating the affected modules on a segmented network to limit access from untrusted sources.
  • Restrict network access to the affected modules using firewalls or access control lists (ACLs) to allow only trusted IP addresses or subnets.
  • Monitor network traffic for signs of exploitation, such as repeated disconnections or unusual CIP packet patterns targeting the modules.
  • Disable unnecessary services or ports on the modules to reduce the attack surface.
  • Review and apply any additional guidance provided in Rockwell Automation's security advisory (SD1780).

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9653. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart