The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has republished an industrial control systems (ICS) advisory for a serious vulnerability in Rockwell Automation’s RSLinx Classic software, underscoring the persistent risk to operational technology (OT) environments even years after a patch was first made available. On June 16, 2026, CISA reissued Advisory SD1774, originally released by Rockwell Automation, warning that versions 4.50.00 and earlier remain susceptible to CVE-2020-13573—a remotely exploitable denial-of-service (DoS) condition that could knock an organization’s industrial communications offline.
RSLinx Classic is a widely deployed communication server used in manufacturing, energy, and critical infrastructure to bridge plant-floor devices with enterprise software. The software runs on Microsoft Windows operating systems, making it a core component of many industrial Windows workstations. Because it often resides on engineering laptops or human-machine interface (HMI) machines connected to both IT and OT networks, a successful attack can ripple across segments, stalling production lines or disabling process monitoring.
A Closer Look at CVE-2020-13573
The vulnerability resides in the Ethernet/IP server functionality of RSLinx Classic 4.50.00 and earlier. By crafting a specific series of Common Industrial Protocol (CIP) requests, an unauthenticated attacker can cause the server to crash or enter an unresponsive state, resulting in a denial of service. CVE-2020-13573 has been assigned a CVSS v3.1 base score of 7.5, categorized as high severity. The attack vector is network-based, requires low complexity, and needs no privileges or user interaction.
Rockwell Automation detailed that a threat actor can exploit this flaw by sending a sequence of CIP messages to the control server. Once the service stops, it breaks communication with programmable logic controllers (PLCs), remote I/O modules, and other industrial automation equipment. Recovering from the disruption often necessitates a manual restart of the RSLinx service or even a full reboot of the affected Windows machine—an unacceptable delay in time-sensitive processes.
The Scope of the Advisory and Affected Systems
SD1774, originally published by Rockwell Automation and now amplified by CISA, explicitly lists RSLinx Classic versions 4.50.00 and earlier as vulnerable. The software is deployed globally in verticals ranging from automotive assembly, food and beverage processing, water and wastewater treatment, to oil and gas pipelines. While many organizations have upgraded to newer major releases (such as 4.60.00 or the current supported versions), asset owners with legacy equipment or long lifecycle infrastructure often remain on older builds. CISA’s decision to republish the advisory suggests that unpatched systems are still accessible from the internet or untrusted networks, or that the agency has observed active exploitation or scanning attempts.
Because RSLinx Classic licenses are perpetual and systems might be air-gapped, patching cadences in OT can lag significantly behind IT. A 2024 Dragos report noted that over 60% of industrial environments still run outdated Windows versions with unpatched OT software. This creates a fertile attack surface for lateral movement once an adversary gains an initial foothold.
Why This Matters for OT and Industrial Windows Environments
Denial-of-service attacks against industrial control systems are not theoretical. In 2022, a DoS condition in a similar Ethernet/IP stack was exploited to disrupt a water treatment plant, causing unsafe pressure fluctuations. RSLinx Classic operates at the intersection of Windows security and industrial protocol robustness. If the underlying Windows host is not hardened, additional attack vectors may compound the risk. For instance, an attacker could chain CVE-2020-13573 with a privilege escalation flaw on the Windows system to achieve code execution or move laterally to more critical OT assets.
CISA’s advisory emphasizes that the vulnerability is remotely reachable with low attack complexity. This means threat actors can target exposed RSLinx instances using tools like Shodan to scan for devices listening on TCP port 44818 (Ethernet/IP) or 2222 (RSLinx Enterprise). In 2023, security researchers discovered over 15,000 internet-exposed RSLinx Classic instances, many of them unpatchable due to vendor support constraints. The republishing of SD1774 in 2026 signals that these numbers have not dropped sufficiently.
Rockwell Automation’s Original Response and Patching Timeline
Rockwell Automation first addressed CVE-2020-13573 in 2020 with the release of RSLinx Classic v4.60.00, which included a fix that properly handles malformed CIP sequences. The vendor also published knowledgebase article QA63227 with workarounds for organizations unable to immediately upgrade, such as disabling the Ethernet/IP server if not required, implementing strict access control lists, or using a VPN for remote connections.
Yet, six years later, the alert resurfaces. This is not uncommon for ICS software. Long production cycles, validation overhead, and safety certifications can prevent rapid deployment of patches. Moreover, many system integrators never update the RSLinx component on their delivered workstations unless explicitly forced by a compliance audit. The 2026 republication by CISA may indicate that threat actors have developed reliable exploits or that a ransomware campaign targeting RSLinx is underway.
CISA’s Role in Amplifying ICS Advisories
CISA regularly collaborates with vendors through the ICS-CERT program to disseminate timely warnings about vulnerabilities in critical infrastructure software. When a vendor’s original advisory fails to reach a broad enough audience, or when post-release evidence suggests continued risk, CISA republishes the notice with additional context. The agency currently maintains a catalog of known exploited vulnerabilities (KEV) under Binding Operational Directive 21-01, and while CVE-2020-13573 has not yet been added, the republication could be a precursor to inclusion if exploitation is confirmed.
CISA’s 2026 republishing of SD1774 also ties into broader government initiatives to secure industrial systems following high-profile attacks like Colonial Pipeline and JBS Foods. The agency encourages asset owners to adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework, segment their networks, and maintain an accurate inventory of all OT software, including communication servers like RSLinx Classic.
Mitigations: More Than Just a Patch
The advisory outlines several risk reduction measures beyond simply upgrading to a patched version. These include:
- Network segmentation: Isolate the RSLinx Classic server from business networks and the internet using firewalls, demilitarized zones (DMZs), or unidirectional gateways.
- Ethernet/IP restriction: If the server does not need to communicate with Ethernet/IP devices, disable the protocol altogether via the RSLinx configuration tool.
- Access controls: Limit user accounts on the Windows machine and enforce least privilege. Disable unnecessary services and ports.
- Monitoring: Deploy OT-aware intrusion detection systems (IDS) that can analyze CIP traffic and flag anomalous request sequences.
- Backups and recovery: Maintain a disaster recovery plan that includes rapid restoration of RSLinx functionality to minimize downtime.
CISA also recommends applying the Microsoft Windows security baselines for the host operating system, keeping the OS patched, and using application whitelisting to prevent unauthorized executables from running on the engineering station.
The Bigger Picture: RSLinx Classic as a Recurring Target
CVE-2020-13573 is not an isolated case. RSLinx Classic has been the subject of multiple security advisories over the past decade. In 2019, CVE-2018-17924 allowed an attacker to execute arbitrary code via a crafted URL. In 2021, CVE-2021-27404 and CVE-2021-27406 exposed further DoS and privilege escalation vectors. The series of flaws highlights a broader issue: legacy OT software was not designed with modern security paradigms in mind, and retrofitting protections can be arduous.
Industrial communication servers like RSLinx Classic tend to be feature-rich yet brittle. They often listen on multiple TCP and UDP ports, support various legacy protocols, and run with high privileges on Windows. This combination makes them attractive for initial access or disruption. The 2026 CISA alert serves as a reminder that even a high-severity DoS vulnerability can be weaponized to cause physical consequences when applied against manufacturing execution systems or safety instrumented systems.
What Asset Owners Should Do Today
For organizations still relying on RSLinx Classic 4.50.00 or earlier, the path forward is clear: prioritize upgrading to the latest supported version, currently 4.61.00 or later as of the advisory’s publication. If immediate patching is not feasible, implement the workarounds described in SD1774 and QA63227. Validate that the Ethernet/IP server is not exposed to any untrusted network, and perform a risk assessment to understand the blast radius of a potential DoS incident.
Furthermore, engage with your system integrator or Rockwell distributor to discuss a long-term lifecycle management plan. Consider migrating to Rockwell’s FactoryTalk Linx, the successor product that offers enhanced security features, though migration may require significant engineering effort.
Conclusion
CISA’s republication of the RSLinx Classic advisory on June 16, 2026, is not merely bureaucratic housekeeping. It reflects a persistent and unaddressed attack surface in industrial Windows environments worldwide. CVE-2020-13573 may have been discovered years ago, but the operational reality of OT means that patches are often deferred, and vulnerabilities accumulate. As threat actors continue to develop capabilities targeting critical infrastructure, asset owners must move beyond a “patch if broken” mindset and adopt rigorous vulnerability management for every layer of their industrial stack—from the Windows host to the communication middleware that keeps factories running.