What is CVE-2025-7353 and which Rockwell Automation products does it affect?

CVE-2025-7353 is a critical security vulnerability with a CVSS score of 9.8 affecting multiple Rockwell Automation ControlLogix Ethernet communication modules. The vulnerability could enable remote attackers to execute arbitrary code on industrial control systems.

Which specific ControlLogix Ethernet modules are vulnerable to CVE-2025-7353?

The vulnerable ControlLogix Ethernet modules running firmware version 11.004 and prior include: 1756-EN2T/D, 1756-EN2F/C, 1756-EN2TR/C, 1756-EN3TR/B, and 1756-EN2TP/A.

What is the CVSS score for CVE-2025-7353?

CVE-2025-7353 has a CVSS score of 9.8, indicating it is a critical severity vulnerability that poses an extremely high risk to affected industrial control systems.

What is the WDB agent and why is it dangerous in this context?

The WDB (web-based debugger) agent is a debugging tool that remains enabled by default on production devices. This creates a security risk because attackers can connect to it using specific IP addresses to perform unauthorized memory operations on industrial control systems.

Why is CVE-2025-7353 particularly concerning for industrial environments?

This vulnerability is particularly concerning because it affects industrial control systems that manage critical infrastructure and manufacturing processes. Successful exploitation could allow attackers to disrupt industrial operations, manipulate control systems, or cause safety incidents.

What should operators verify before upgrading firmware for CVE-2025-7353?

Operators should verify the required firmware revision on the product-specific vendor advisory before upgrading, as firmware revisions are product- and series-specific for different ControlLogix Ethernet modules.

What network security measures can help protect against CVE-2025-7353?

Network security measures that can help protect against this vulnerability include implementing network segmentation to isolate industrial control systems, deploying access control lists to restrict network access, and using intrusion detection systems to monitor for suspicious activity.

Can attackers exploit CVE-2025-7353 remotely?

Yes, CVE-2025-7353 can be exploited remotely. Attackers can connect to the vulnerable WDB agent using specific IP addresses to perform unauthorized memory operations and potentially execute arbitrary code on the industrial control systems.

What type of memory operations can attackers perform through CVE-2025-7353?

Through CVE-2025-7353, attackers can perform various unauthorized memory operations including memory dumps (reading system memory), direct memory modification (changing values in memory), and manipulation of execution flow control (altering how programs run).

What is the impact of having a web-based debugger enabled on production systems?

Having a web-based debugger enabled on production industrial control systems creates a significant security risk, as it provides a pathway for attackers to access and manipulate critical system functions that should only be available during development and testing phases, not in live production environments.

Advisory

Remote code execution flaw reported in Rockwell Automation ControlLogix ethernet modules

Q: What causes the CVE-2025-7353 vulnerability in Rockwell Automation systems?

The vulnerability is caused by insecure default configuration where a web-based debugger (WDB) agent remains enabled on production devices. When attackers connect to the WDB agent using specific IP addresses, they can perform unauthorized memory operations.

Q: What can attackers accomplish by exploiting CVE-2025-7353?

Attackers can perform unauthorized memory operations including memory dumps, direct memory modification, and manipulation of execution flow control, potentially leading to arbitrary code execution on industrial control systems.

published: Aug. 18, 2025

Take action: If you have Rockwell ControlLogix Ethernet modules (1756-EN2T/D, 1756-EN2F/C, 1756-EN2TR/C, 1756-EN3TR/B, 1756-EN2TP/A) make sure it's isolated from the internet and accessible only from trusted networks. Then check the firmware version. If it's 11.004 or earlier, plan an update to firmware version 12.001. If an attacker manages to reach the device, they will attack it.

Learn More

Rockwell Automation is reporting a critical security vulnerability affecting multiple ControlLogix Ethernet communication modules that could enable remote attackers to execute arbitrary code on industrial control systems.

The vulnerability is tracked as CVE-2025-7353 (CVSS score 9.8) and is caused by insecure default configuration where a web-based debugger (WDB) agent remains enabled on production devices. When attackers connect to the WDB agent using specific IP addresses, they can perform unauthorized memory operations, including memory dumps, direct memory modification, and manipulation of execution flow control.

The following ControlLogix Ethernet modules running firmware version 11.004 and prior are vulnerable:

1756-EN2T/D
1756-EN2F/C
1756-EN2TR/C
1756-EN3TR/B
1756-EN2TP/A

Rockwell Automation strongly recommends that ControlLogix Ethernet Module users update to Version 12.001 if possible. Firmware revisions are product- and series-specific, and operators are advised to verify the required revision on the product-specific vendor advisory before upgrading. For environments where immediate patching is not possible, organizations are advised to implement mitigating measures like network segmentation, access control lists, and intrusion detection systems.

Remote code execution flaw reported in Rockwell Automation ControlLogix ethernet modules

Read More
Rockwell Automation patches two critical vulnerabilities in Pavilion8
Multiple vulnerabilities reported in Hikvision HikCentral products
Siemens released patches for over 270 vulnerabilities
Critical command injection flaw reported in Veeder-Root TLS4B …
Critical vulnerability reported in Siemens SIMATIC Virtualization Service