The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-3493

CVE-2024-3493: Rockwell ControlLogix 5580 DoS Vulnerability

CVE-2024-3493 is a denial-of-service flaw in Rockwell Automation ControlLogix 5580 firmware caused by malformed fragmented packets. This vulnerability triggers system faults requiring manual restart. This post covers technical details, affected versions, impact, and mitigation strategies.

Updated: January 22, 2026

CVE-2024-3493 Overview

CVE-2024-3493 is a denial of service vulnerability affecting multiple Rockwell Automation programmable logic controllers (PLCs) and communication modules. A specific malformed fragmented packet type can cause a Major Non-Recoverable Fault (MNRF) in affected industrial control systems, rendering them unavailable until a manual restart is performed.

This vulnerability is particularly concerning in industrial control system (ICS) and operational technology (OT) environments where PLCs control critical manufacturing processes, safety systems, and industrial automation. The affected devices include ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, Compact GuardLogix 5380, CompactLogix 5480, ControlLogix 5580 Process, CompactLogix 5380 Process, and the 1756-EN4TR communication module.

Critical Impact

Exploitation causes a Major Non-Recoverable Fault (MNRF) requiring manual device restart, potentially resulting in loss of view and control of connected industrial devices and processes.

Affected Products

  • Rockwell Automation ControlLogix 5580 (Firmware version 35.011)
  • Rockwell Automation GuardLogix 5580 (Firmware version 35.011)
  • Rockwell Automation CompactLogix 5380 (Firmware version 35.011)
  • Rockwell Automation Compact GuardLogix 5380 (Firmware version 35.011)
  • Rockwell Automation CompactLogix 5480 (Firmware version 35.011)
  • Rockwell Automation ControlLogix 5580 Process (Firmware version 35.011)
  • Rockwell Automation CompactLogix 5380 Process (Firmware version 35.011)
  • Rockwell Automation 1756-EN4TR (Firmware version 5.001)

Discovery Timeline

  • April 15, 2024 - CVE-2024-3493 published to NVD
  • March 4, 2025 - Last updated in NVD database

Technical Details for CVE-2024-3493

Vulnerability Analysis

This vulnerability stems from improper input validation (CWE-20) in the network packet handling routines of affected Rockwell Automation devices. The affected PLCs fail to properly validate and handle malformed fragmented network packets, leading to a critical system fault condition.

When these industrial controllers receive specific malformed fragmented packets—which can be generated automatically by devices transmitting large amounts of data—the firmware's packet reassembly mechanism triggers a Major Non-Recoverable Fault (MNRF). This represents one of the most severe fault conditions in Rockwell Automation PLCs, as MNRF events cannot be cleared through software commands and require physical power cycling of the device.

The network-accessible nature of this vulnerability allows remote, unauthenticated attackers to cause denial of service conditions against critical industrial infrastructure without requiring any privileges or user interaction.

Root Cause

The root cause is classified as improper input validation (CWE-20) in the network stack's fragmented packet handling routines. The firmware fails to properly sanitize or validate incoming fragmented packets before processing them, allowing malformed packet structures to trigger an unrecoverable fault state in the controller's execution environment.

Industrial PLCs like the ControlLogix and CompactLogix families rely on EtherNet/IP protocol communications, which support packet fragmentation for large data transfers. The vulnerability exists in how the firmware processes reassembly of these fragmented packets when they contain malformed or unexpected data structures.

Attack Vector

The attack can be executed remotely over the network without authentication. An attacker with network access to the affected devices can craft and send malformed fragmented packets to trigger the vulnerability. The attack characteristics include:

  • Network-based exploitation: Attackers can target devices from anywhere with network connectivity to the PLC
  • No authentication required: The vulnerability can be triggered without valid credentials
  • No user interaction needed: The attack executes automatically upon packet receipt
  • Automatic generation potential: Malformed packets may be generated inadvertently by legitimate devices sending large data volumes

The vulnerability primarily impacts availability, causing complete denial of service to the affected controller and potentially disrupting all connected industrial processes and safety systems.

Detection Methods for CVE-2024-3493

Indicators of Compromise

  • Unexpected Major Non-Recoverable Fault (MNRF) events on affected ControlLogix, GuardLogix, or CompactLogix controllers
  • Controller fault logs indicating network-related exceptions prior to MNRF
  • Unusual fragmented packet traffic patterns targeting affected devices on EtherNet/IP ports
  • Multiple devices in an environment experiencing simultaneous MNRF events

Detection Strategies

  • Monitor industrial network traffic for malformed or abnormally fragmented EtherNet/IP packets targeting PLCs
  • Implement network intrusion detection rules to identify anomalous packet fragmentation patterns
  • Configure SIEM correlation rules to alert on MNRF fault events across multiple controllers
  • Deploy deep packet inspection at network boundaries to analyze industrial protocol traffic

Monitoring Recommendations

  • Enable detailed logging on industrial firewalls and network infrastructure protecting PLC networks
  • Monitor controller fault status through HMI/SCADA systems for early detection of MNRF conditions
  • Implement network traffic baselining to identify anomalous communication patterns with affected devices
  • Configure automated alerts for any MNRF events reported by affected Rockwell Automation controllers

How to Mitigate CVE-2024-3493

Immediate Actions Required

  • Review the Rockwell Automation Security Advisory SD1666 for specific patch and firmware update information
  • Implement network segmentation to isolate affected PLCs from untrusted network segments
  • Configure industrial firewalls to restrict network access to affected controllers to only authorized systems
  • Develop and test incident response procedures for rapid recovery from MNRF events

Patch Information

Rockwell Automation has released firmware updates to address this vulnerability. Organizations should consult the official Rockwell Automation Security Advisory SD1666 for specific version information and download instructions. Given the critical nature of industrial control systems, firmware updates should be carefully planned and tested in non-production environments before deployment to production systems.

Affected firmware versions include:

  • ControlLogix 5580/GuardLogix 5580/CompactLogix 5380/Compact GuardLogix 5380/CompactLogix 5480 series: Firmware 35.011
  • 1756-EN4TR communication module: Firmware 5.001

Workarounds

  • Implement strict network segmentation using industrial DMZ architectures to limit network exposure of affected PLCs
  • Deploy application-layer firewalls capable of inspecting EtherNet/IP protocol traffic and filtering malformed packets
  • Restrict network access to affected devices to only essential systems using access control lists (ACLs)
  • Consider implementing redundant controller configurations where feasible to maintain operations during potential attacks
  • Establish manual restart procedures and train operations personnel on rapid recovery from MNRF events

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechRockwellautomation
  • SeverityHIGH
  • CVSS Score7.5
  • EPSS Probability0.08%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-20
  • NVD-CWE-noinfo
  • Technical References
  • Rockwell Automation Security Advisory
  • Related CVEs
  • CVE-2024-21916: ControlLogix 5570 Controller DoS Vulnerability
  • CVE-2023-3596: Rockwell Automation 1756-EN4TR DoS Flaw
  • CVE-2022-1797: Rockwell CompactLogix 5380 DoS Vulnerability
  • CVE-2025-7328: Rockwell Automation NATR Auth Bypass Flaw
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English