CVE-2016-0868
published 2016-01-28

CVE-2016-0868: Stack-based buffer overflow on Rockwell Automation Allen-Bradley MicroLogix 1100 devices A through 15.000 and B before 15.002 allows remote attackers to…

Priority P261 · critical · 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 6.62% (93.0th percentile)
Stack-based buffer overflow on Rockwell Automation Allen-Bradley MicroLogix 1100 devices A through 15.000 and B before 15.002 allows remote attackers to execute arbitrary code via a crafted web request.

Affected

8 ranges

Vendor              Product                  Version range   Fixed in
rockwellautomation  1763-l16awa_series_a
rockwellautomation  1763-l16awa_series_b
rockwellautomation  1763-l16bbb_series_a
rockwellautomation  1763-l16bbb_series_b
rockwellautomation  1763-l16bwa_series_a
rockwellautomation  1763-l16bwa_series_b
rockwellautomation  1763-l16dwd_series_a
rockwellautomation  1763-l16dwd_series_b

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered by a malicious HTTP web request to the Allen-Bradley MicroLogix 1100 device's built-in web server, causing a stack-based buffer overflow. Detect anomalous or oversized HTTP requests directed at MicroLogix 1100 devices on the network.
  • The MicroLogix 1100 web server is enabled by default. Identify any MicroLogix 1100 devices (models 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD) running firmware version 15.000 or prior that are reachable via HTTP — these are unpatched and exploitable.
  • Monitor for unexpected outbound connections or code execution artifacts originating from MicroLogix 1100 PLCs, which may indicate successful exploitation and arbitrary code execution.
  • Series A hardware (1763-L16AWA/BBB/BWA/DWD Series A) is NOT patched by the firmware update — only Series B is addressed in firmware Version 15.002. Series A devices remain permanently vulnerable and require compensating controls.
  • No known public exploits existed at time of advisory publication, but the attacker skill required is rated low, meaning exploitation is accessible to unsophisticated threat actors.
  • The attack vector is network-accessible with no authentication required (CVSS AV:N/AC:L/PR:N/UI:N), meaning any host that can reach the device's web server can attempt exploitation.

CVSS provenance

nvd  v3.0  9.8   CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  10.0  CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C