Skip to main content
CVE Vulnerability Database

CVE-2024-8626: CompactLogix 5380 Firmware DoS Vulnerability

CVE-2024-8626 is a memory leak denial-of-service vulnerability in Rockwell Automation CompactLogix 5380 firmware that causes complete system unavailability. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-8626 Overview

CVE-2024-8626 is a denial-of-service vulnerability affecting multiple Rockwell Automation Logix controllers and the 1756-EN4TR communication module. The flaw stems from a memory leak [CWE-401] combined with uncontrolled resource consumption [CWE-400] in the embedded web server. A remote, unauthenticated attacker can repeatedly trigger actions on specific web pages of the device, exhausting available memory until the controller becomes fully unavailable. Recovery requires a manual power cycle, which directly impacts operational technology (OT) availability in industrial environments.

Critical Impact

Successful exploitation renders Rockwell ControlLogix, CompactLogix, and GuardLogix controllers unresponsive, halting industrial processes until physical intervention restores the device.

Affected Products

  • Rockwell Automation CompactLogix 5380 and Compact GuardLogix 5380
  • Rockwell Automation CompactLogix 5480, ControlLogix 5580, and GuardLogix 5580
  • Rockwell Automation 1756-EN4TR communication module (firmware 3.002)

Discovery Timeline

  • 2024-10-08 - CVE-2024-8626 published to NVD
  • 2025-02-27 - Last updated in NVD database

Technical Details for CVE-2024-8626

Vulnerability Analysis

The affected Logix controllers and the 1756-EN4TR module expose an embedded HTTP server used for diagnostics and configuration. Certain web pages allocate memory on each request without releasing it after the operation completes. Repeated requests cause heap memory consumption to grow unbounded.

Once the firmware exhausts the available memory pool, the controller transitions to an unrecoverable state. Network communication, the user web interface, and runtime control functions become unresponsive. The device cannot self-recover and requires a power cycle to restore operation, producing a hard denial-of-service condition with direct safety and production consequences for industrial environments.

Root Cause

The root cause is improper release of allocated memory in handlers for specific web pages on the device, classified under [CWE-401] Missing Release of Memory after Effective Lifetime and [CWE-400] Uncontrolled Resource Consumption. Each request increases the resident memory footprint, leading to exhaustion over time or under attacker-driven volume.

Attack Vector

The attack vector is the network. An unauthenticated remote attacker with reachability to the controller's HTTP interface issues repeated requests against the vulnerable web pages. No user interaction or prior privilege is required. Because the embedded web server is often accessible across the OT network segment, lateral access from a compromised engineering workstation or jump host is a realistic exposure path.

No public exploit code or proof-of-concept is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Technical details are described in the Rockwell Automation Security Advisory SD1706.

Detection Methods for CVE-2024-8626

Indicators of Compromise

  • Unresponsive controller web interface or loss of communication with the 1756-EN4TR module requiring a power cycle to restore.
  • Sustained or bursty HTTP/HTTPS requests from a single source targeting the device's embedded web server pages.
  • Controller logs or upstream monitoring showing progressive memory pressure followed by communication loss.

Detection Strategies

  • Monitor HTTP request rates and response anomalies against Logix controller and EN4TR management interfaces using OT-aware network sensors.
  • Alert on repeated requests to controller web pages from non-engineering hosts or outside maintenance windows.
  • Correlate ICS asset availability telemetry with network traffic volume to identify resource-exhaustion patterns.

Monitoring Recommendations

  • Baseline normal management traffic to Logix devices and trigger alerts on deviations in request volume or source.
  • Forward firmware and network telemetry to a centralized SIEM or data lake for cross-asset correlation.
  • Track controller uptime and unscheduled power cycles as a primary availability indicator.

How to Mitigate CVE-2024-8626

Immediate Actions Required

  • Apply the firmware updates listed in Rockwell Automation Advisory SD1706 for all affected CompactLogix, ControlLogix, GuardLogix, and 1756-EN4TR products.
  • Restrict network reachability to the controller web interface to authorized engineering workstations only.
  • Inventory exposed Logix devices and verify none are reachable from corporate or internet-facing networks.

Patch Information

Rockwell Automation has published fixed firmware versions in Security Advisory SD1706. Asset owners should consult the advisory for the exact remediated firmware revisions corresponding to each controller family and schedule updates through standard change-control procedures.

Workarounds

  • Disable the embedded web server on affected controllers where operational requirements permit.
  • Enforce network segmentation between IT and OT zones in line with ISA/IEC 62443 to limit attacker reachability.
  • Apply strict access control lists (ACLs) on switches and firewalls to permit only authorized engineering hosts to reach controller management ports.
  • Place affected devices behind an industrial DMZ and require jump-host access for any web interface interaction.
bash
# Example firewall ACL restricting HTTP/HTTPS access to Logix controllers
# Permit only the engineering workstation subnet
access-list 110 permit tcp 10.10.20.0 0.0.0.255 host 10.50.1.10 eq 80
access-list 110 permit tcp 10.10.20.0 0.0.0.255 host 10.50.1.10 eq 443
access-list 110 deny tcp any host 10.50.1.10 eq 80
access-list 110 deny tcp any host 10.50.1.10 eq 443

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.