Cyber Resilience

CVE-2025-9466

HighDDoS

Published: 20 January 2026

Published
20 January 2026
Modified
02 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0057 42.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-9466 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Rockwellautomation Armorstart Lt Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 42.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-9466 is a vulnerability in ArmorStart® LT that can trigger a denial-of-service condition. The issue manifests during execution of Achilles EtherNet/IP and CIP grammar tests, causing the device to reboot unexpectedly and the Link State Monitor to go offline for several seconds. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-400 (Uncontrolled Resource Consumption).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation results in a temporary denial of service, as the targeted device reboots and its Link State Monitor becomes unavailable for several seconds.

Rockwell Automation's security advisory (SD1768) at https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html provides details on mitigation steps for this vulnerability.

EU & UK References

Vulnerability details

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP and CIP grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of uncontrolled resource consumption (CWE-400) directly triggers device reboot and temporary service unavailability, matching Application or System Exploitation for Endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-9283Same product: Rockwellautomation Armorstart Lt
CVE-2025-9464Same product: Rockwellautomation Armorstart Lt
CVE-2025-9278Same product: Rockwellautomation Armorstart Lt
CVE-2025-9465Same product: Rockwellautomation Armorstart Lt
CVE-2025-9280Same product: Rockwellautomation Armorstart Lt
CVE-2025-9279Same product: Rockwellautomation Armorstart Lt
CVE-2025-9282Same product: Rockwellautomation Armorstart Lt
CVE-2025-9281Same product: Rockwellautomation Armorstart Lt
CVE-2024-57076Shared CWE-400
CVE-2025-25293Shared CWE-400

Affected Assets

rockwellautomation
armorstart lt firmware
≤ 2.002

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the flaw in ArmorStart LT causing uncontrolled resource consumption and reboots during EtherNet/IP and CIP grammar tests.

prevent

Implements denial-of-service protections to mitigate network-based resource exhaustion attacks triggering device reboots.

prevent

Enforces boundary protection to monitor and control EtherNet/IP and CIP traffic, blocking malformed packets that exploit the vulnerability.

References