CVE-2025-9283
Published: 20 January 2026
Summary
CVE-2025-9283 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Rockwellautomation Armorstart Lt Firmware. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 40.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-9283 is a denial-of-service vulnerability in ArmorStart® LT, a Rockwell Automation industrial device. The issue, classified under CWE-400 (Uncontrolled Resource Consumption), causes the device to reboot unexpectedly when subjected to Achilles EtherNet/IP Step Limits Storms tests. This reboot disrupts the Link State Monitor, taking it offline for several seconds. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high availability impact.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By sending crafted EtherNet/IP Step Limits Storms test packets, the attacker triggers the device reboot, resulting in a temporary denial-of-service condition that affects the Link State Monitor and potentially disrupts industrial control operations relying on the device.
The Rockwell Automation security advisory (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html) provides guidance on mitigation for this vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3427
Vulnerability details
A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limits Storms tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE directly describes remote exploitation of an application-layer flaw (EtherNet/IP handling) that triggers system reboot and temporary loss of availability, matching T1499.004 Application or System Exploitation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly protects against denial-of-service events such as EtherNet/IP Step Limits Storms that trigger device reboots in ArmorStart LT.
Remediates the specific uncontrolled resource consumption flaw (CWE-400) in the device to prevent exploitation via crafted packets.
Monitors and controls network communications at boundaries to restrict or filter malicious EtherNet/IP traffic targeting the vulnerability.