CVE-2023-3595 CRITICAL

CVE-2023-3595: Rockwell Automation ControlLogix Communication Modules Vulnerable to Remote Code Execution

Vendor Rockwell Automation
Product 1756-EN2T Series A, B, C
Weakness CWE-787
Published July 12, 2023
Last update August 2, 2024
View on NVD All CVEs

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Where this vulnerability exists in the Rockwell Automation 1756 EN2* and 1756 EN3* ControlLogix communication products, it could allow a malicious user to perform remote code execution with persistence on the target system through maliciously crafted CIP messages. This includes the ability to modify, deny, and exfiltrate data passing through the device.

Key dates

02Disclosure timeline

July 12, 2023 CVE published
August 2, 2024 Record updated