A security issue exists within CompactLogix® 5380, ControlLogix® 5580, and EN4 communication modules related to CIP Security certificate revocation handling. The security issue stems from the controller failing to properly reject certificates signed by an intermediate certificate that has been revoked via a Certificate Revocation List (CRL). This could allow a network-based attacker to establish a connection using a certificate that should be untrusted, potentially bypassing CIP Security protections.

Project Subscriptions

No data.

Advisories

No advisories yet.

Fixes

Solution

Upgrade to firmware version 38.011 or later. For 1756-EN4TR upgrade to version 8.001 or later.


Workaround

No workaround given by the vendor.

History

Tue, 14 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Description A security issue exists within CompactLogix® 5380, ControlLogix® 5580, and EN4 communication modules related to CIP Security certificate revocation handling. The security issue stems from the controller failing to properly reject certificates signed by an intermediate certificate that has been revoked via a Certificate Revocation List (CRL). This could allow a network-based attacker to establish a connection using a certificate that should be untrusted, potentially bypassing CIP Security protections.
Title Rockwell Automation CompactLogix® 5380 ControlLogix® 5580 / 1756-EN4 Communications Module – Certificate Revocation List Vulnerability
Weaknesses CWE-299
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Rockwell

Published:

Updated: 2026-07-14T15:55:05.004Z

Reserved: 2026-05-26T18:10:55.329Z

Link: CVE-2026-9636

cve-icon Vulnrichment

Updated: 2026-07-14T15:55:00.563Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses