Rockwell Automation and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) are urging immediate action after the disclosure of a high-severity denial-of-service vulnerability affecting three families of ControlLogix EtherNet/IP communication modules. The flaw tracked as CVE-2026-9653, allows any attacker with network access to disrupt device connections by sending specially crafted packets—and while newer hardware can be patched, one commonly deployed model is officially a dead end.
What Just Happened
On July 16, 2026, CISA released advisory ICSA-26-197-02, detailing CVE-2026-9653. The vulnerability stems from improper validation of CIP Implicit Connection packets in specific Rockwell Automation communication modules. An attacker on the same network segment can continuously reset device connections, creating a denial-of-service condition that can interfere with industrial processes.
The advisory covers three product lines:
- 1756-EN3 (firmware version V12.001 and earlier)
- 1756-EN2 (firmware version V12.001 and earlier)
- 1756-ENBT (firmware version V6.006, a discontinued product)
For the EN2 and EN3 modules, Rockwell has released firmware version V12.002, which eliminates the vulnerability. The ENBT, however, has no vendor fix because the product is no longer supported.
The vulnerability carries a CVSS v3.1 base score of 7.5 (High) and a CVSS v4.0 score of 8.7. The attack vector is network-based, requires no privileges or user interaction, and has low attack complexity. The sole impact is on availability—there is no risk of data theft, controller manipulation, or process-value alteration.
What It Means for You
If your organization uses Rockwell ControlLogix systems, this is a "patch-or-plan" moment. The urgency depends on exactly which modules you have installed and how they are networked.
For plant engineers and OT administrators
The biggest headache is determining which modules are affected. Asset inventories often list “ControlLogix” without specifying the exact module type or firmware revision. You need to dig deeper. A EN2 or EN3 module running firmware older than V12.002 is a straightforward fix—schedule a firmware upgrade. An ENBT is a different story. No patch will ever ship, so you must either replace the hardware or lock it down to an extreme degree.
Because the exploit requires only network access, any unpatched module on a flat production network or one with insufficient segmentation is a sitting duck. Even if connections recover automatically, repeated attacks can degrade performance enough to trigger process alarms, cause batch failures, or, in the worst case, lead to unsafe conditions if the module sits in a critical control loop.
For IT teams supporting manufacturing
You may not own the OT assets, but you often manage the networks they sit on. This advisory is a reminder that OT vulnerability management doesn’t end with a Windows patch cycle. Work with your manufacturing counterparts to identify exposed devices and review network topology. Instantly patching a Windows workstation is normal; firmware updates on a running production line require planning.
For security analysts
CISA reports no known public exploitation at this time. However, a High-severity network-based DoS with no prerequisites is exactly the kind of flaw that gets weaponized once reverse engineers publish proof-of-concept code. If you have affected modules, treat this with the same priority as a remote code execution vulnerability—availability is the heartbeat of OT.
How We Got Here
Rockwell’s ControlLogix platform is a cornerstone of industrial automation, used worldwide in critical manufacturing sectors such as automotive, food and beverage, pharmaceuticals, and energy. The 1756-EN2, EN3, and ENBT modules handle EtherNet/IP communication, bridging programmable logic controllers (PLCs) to the broader network for configuration, monitoring, and inter-device chatter.
The vulnerability was discovered by Tyler Lentz of Idaho National Laboratory and responsibly disclosed to CISA. The root cause lies in how the modules validate the integrity of incoming CIP Implicit Connection packets. Without proper checks, a malformed packet can force the device to drop its connections and reestablish them—something that happens instantly but, when repeated, amounts to a persistent jitter or outright outage.
The split remediation paths highlight a common industrial dilemma: hardware outlasts its vendor support. The ENBT was discontinued years ago, yet many facilities still rely on it because “if it ain’t broke, don’t fix it.” This advisory makes that approach untenable if the module sits anywhere a malicious actor might reach.
What to Do Now
CISA’s advisory and Rockwell’s guidance offer a clear priority list. Treat these actions as a checklist, but always run them through your own OT change management process.
1. Identify and patch the easy wins
For any 1756-EN2 or 1756-EN3 module running firmware V12.001 or older:
- Confirm the exact model and firmware version via Rockwell’s RSLinx or Studio 5000 software.
- Download firmware V12.002 from the Rockwell Automation Product Compatibility and Download Center (requires a valid TechConnect contract).
- Schedule a maintenance window. Flash the firmware using ControlFLASH or the integrated update tool, following Rockwell’s documented procedure.
- After the update, verify the new firmware version and test basic communication to ensure no functional regression.
2. Isolate or replace the unfixable
For any 1756-ENBT module:
- Document each device’s location, network segment, and process criticality.
- Immediately restrict network access. Use ACLs on managed switches, air-gap the module entirely if feasible, or at minimum ensure it is not reachable from the business network or internet.
- Initiate a hardware refresh project. The ENBT has no migration path to a patchable state, so plan a replacement with a supported module (e.g., 1756-EN2TR or EN3TR, depending on your architecture needs).
- Do not treat this as an indefinite risk acceptance. Set a firm replacement deadline and assign ownership.
3. Review your network architecture
Even after patching, take this opportunity to strengthen segmentation:
- Separate the OT network from IT and internet-facing systems.
- Disable unused Ethernet ports on managed switches.
- Use firewalls to restrict traffic between production cells, allowing only necessary EtherNet/IP and engineering protocols.
- For remote access, require VPNs with multi-factor authentication and limit access to specific engineering workstations.
4. Audit your asset inventory
If you struggled to find affected modules, your OT asset management needs work. A vulnerability like this should be resolved by querying a database, not by walking the plant floor with a laptop. Invest in an OT-aware asset discovery tool that can poll Rockwell devices for make, model, and firmware version without disrupting operations.
Outlook
The immediate patch for EN2 and EN3 modules closes the door on CVE-2026-9653 for most environments. The long-term challenge, however, is the ENBT. As Rockwell and other vendors inevitably end support for older hardware, industrial organizations must mature their lifecycle governance. A discontinued product with a known security flaw is not just a maintenance nuisance; it’s an active risk that demands a funded replacement plan.
On the threat landscape side, while no exploits have been found in the wild, the window is open. Proof-of-concept code for ICS vulnerabilities often appears within weeks of a disclosure. OT security teams should monitor threat intelligence feeds and CISA alerts for any sign of active exploitation.
Finally, this advisory underscores a paradox of industrial cybersecurity: the most disruptive flaws are sometimes the simplest. A network-reachable DoS doesn’t rewrite your logic or steal your recipes, but it can stop production just as effectively. Patch what you can, replace what you can’t, and keep your critical communications off the menu.