Cyber Resilience

CVE-2025-9283

HighDDoS

Published: 20 January 2026

Published
20 January 2026
Modified
02 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0053 40.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-9283 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Rockwellautomation Armorstart Lt Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 40.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-9283 is a denial-of-service vulnerability in ArmorStart® LT, a Rockwell Automation industrial device. The issue, classified under CWE-400 (Uncontrolled Resource Consumption), causes the device to reboot unexpectedly when subjected to Achilles EtherNet/IP Step Limits Storms tests. This reboot disrupts the Link State Monitor, taking it offline for several seconds. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high availability impact.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By sending crafted EtherNet/IP Step Limits Storms test packets, the attacker triggers the device reboot, resulting in a temporary denial-of-service condition that affects the Link State Monitor and potentially disrupts industrial control operations relying on the device.

The Rockwell Automation security advisory (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html) provides guidance on mitigation for this vulnerability.

EU & UK References

Vulnerability details

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limits Storms tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE directly describes remote exploitation of an application-layer flaw (EtherNet/IP handling) that triggers system reboot and temporary loss of availability, matching T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-9464Same product: Rockwellautomation Armorstart Lt
CVE-2025-9278Same product: Rockwellautomation Armorstart Lt
CVE-2025-9466Same product: Rockwellautomation Armorstart Lt
CVE-2025-9465Same product: Rockwellautomation Armorstart Lt
CVE-2025-9280Same product: Rockwellautomation Armorstart Lt
CVE-2025-9279Same product: Rockwellautomation Armorstart Lt
CVE-2025-9282Same product: Rockwellautomation Armorstart Lt
CVE-2025-9281Same product: Rockwellautomation Armorstart Lt
CVE-2024-57076Shared CWE-400
CVE-2025-25293Shared CWE-400

Affected Assets

rockwellautomation
armorstart lt firmware
≤ 2.002

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly protects against denial-of-service events such as EtherNet/IP Step Limits Storms that trigger device reboots in ArmorStart LT.

prevent

Remediates the specific uncontrolled resource consumption flaw (CWE-400) in the device to prevent exploitation via crafted packets.

prevent

Monitors and controls network communications at boundaries to restrict or filter malicious EtherNet/IP traffic targeting the vulnerability.

References