Cyber Resilience

CVE-2025-9465

HighDDoS

Published: 20 January 2026

Published
20 January 2026
Modified
02 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0043 34.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-9465 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Rockwellautomation Armorstart Lt Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 34.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2025-9465 is a denial-of-service vulnerability affecting ArmorStart® LT devices. The issue manifests as an unexpected device reboot during execution of the Achilles Comprehensive grammar tests, causing the Link State Monitor to go down for several seconds. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-400 (Uncontrolled Resource Consumption).

A network-accessible attacker requires no privileges or user interaction and can exploit the vulnerability with low attack complexity. Successful exploitation results in a high-impact availability disruption, specifically a temporary denial-of-service condition from the device reboot.

Mitigation guidance is available in the Rockwell Automation security advisory at https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html.

EU & UK References

Vulnerability details

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables remote exploitation causing device reboot and temporary DoS, matching application/system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-9283Same product: Rockwellautomation Armorstart Lt
CVE-2025-9464Same product: Rockwellautomation Armorstart Lt
CVE-2025-9278Same product: Rockwellautomation Armorstart Lt
CVE-2025-9466Same product: Rockwellautomation Armorstart Lt
CVE-2025-9280Same product: Rockwellautomation Armorstart Lt
CVE-2025-9279Same product: Rockwellautomation Armorstart Lt
CVE-2025-9282Same product: Rockwellautomation Armorstart Lt
CVE-2025-9281Same product: Rockwellautomation Armorstart Lt
CVE-2024-57076Shared CWE-400
CVE-2025-25293Shared CWE-400

Affected Assets

rockwellautomation
armorstart lt firmware
≤ 2.002

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-5 enforces denial-of-service protections that directly mitigate the network-accessible resource exhaustion attack causing device reboot in this CVE.

prevent

SC-6 protects resource availability against uncontrolled consumption (CWE-400) exploited to trigger the unexpected reboot and service disruption.

prevent

SI-2 ensures timely flaw remediation via vendor patches as provided in the Rockwell Automation advisory for this specific vulnerability.

References