Cyber Resilience

CVE-2025-9282

HighDDoS

Published: 20 January 2026

Published
20 January 2026
Modified
02 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0051 39.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-9282 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Rockwellautomation Armorstart Lt Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2025-9282 is a denial-of-service vulnerability affecting ArmorStart® LT devices from Rockwell Automation. The issue manifests during execution of Achilles Comprehensive limited storm tests, where the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. It is classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.

The vulnerability is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation triggers an unexpected reboot of the ArmorStart® LT device, disrupting the Link State Monitor and leading to a temporary denial-of-service condition, while confidentiality and integrity remain unaffected.

Mitigation details are provided in the Rockwell Automation security advisory available at https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html.

EU & UK References

Vulnerability details

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated network exploitation of resource exhaustion leading to device reboot/DoS directly maps to public-facing app exploitation and application/system exploitation for endpoint DoS.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-9283Same product: Rockwellautomation Armorstart Lt
CVE-2025-9464Same product: Rockwellautomation Armorstart Lt
CVE-2025-9278Same product: Rockwellautomation Armorstart Lt
CVE-2025-9466Same product: Rockwellautomation Armorstart Lt
CVE-2025-9465Same product: Rockwellautomation Armorstart Lt
CVE-2025-9280Same product: Rockwellautomation Armorstart Lt
CVE-2025-9279Same product: Rockwellautomation Armorstart Lt
CVE-2025-9281Same product: Rockwellautomation Armorstart Lt
CVE-2026-25667Shared CWE-400
CVE-2025-70886Shared CWE-400

Affected Assets

rockwellautomation
armorstart lt firmware
≤ 2.002

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly implements protections against denial-of-service attacks, including network floods like the Achilles storm tests that cause unexpected reboots in ArmorStart LT devices.

prevent

Ensures resource availability by monitoring and controlling resource consumption, mitigating the uncontrolled resource exhaustion (CWE-400) that triggers device reboots.

prevent

Provides for timely flaw remediation, such as applying Rockwell Automation patches, to eliminate the specific vulnerability exploited by network storm tests.

References