cbcvebase.
CVE-2023-3595
published 2023-07-12


Priority: P183
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild (ITW): VulnCheck KEV, exploited in the wild
EPSS: 3.64% (88.2th percentile)
Where this vulnerability exists in the Rockwell Automation 1756 EN2* and 1756 EN3* ControlLogix communication products, it could allow a malicious user to perform remote code execution with persistence on the target system through maliciously crafted CIP messages. This includes the ability to modify, deny, and exfiltrate data passing through the device.

Affected (14 ranges)

Vendor               Product                  Version range   Fixed in
rockwell_auotmation  1756-en2tpxt_series_a    (none listed)   (none listed)
rockwell_automation  1756-en2f_series_c       (none listed)   (none listed)
rockwell_automation  1756-en2fk_series_c      (none listed)   (none listed)
rockwell_automation  1756-en2t_series_d       (none listed)   (none listed)
rockwell_automation  1756-en2tp_series_a      (none listed)   (none listed)
rockwell_automation  1756-en2tpk_series_a     (none listed)   (none listed)
rockwell_automation  1756-en2tr_series_c      (none listed)   (none listed)
rockwell_automation  1756-en2trk_series_c     (none listed)   (none listed)
rockwell_automation  1756-en2trxt_series_c    (none listed)   (none listed)
rockwell_automation  1756-en2txt_series_d     (none listed)   (none listed)
rockwell_automation  1756-en3tr_series_a      (none listed)   (none listed)
rockwell_automation  1756-en3tr_series_b      (none listed)   (none listed)
rockwell_automation  1756-en3trk_series_a     (none listed)   (none listed)
rockwell_automation  1756-en3trk_series_b     (none listed)   (none listed)

Detection & IOCs (extracted from sources)

Snort: Snort signatures for anomalous CIP packets to Rockwell Automation devices (see Rockwell Automation Security Advisory)
  • Detect exploitation attempts by monitoring for maliciously crafted CIP messages targeting Rockwell Automation 1756 EN2* and 1756 EN3* ControlLogix communication modules; exploitation enables RCE with persistence, including data modification, denial, and exfiltration.
  • Use the 'ENIP CIP Unusual Lengths' detection to identify possible exploitation of CVE-2023-3595 and CVE-2023-3596 against Rockwell Automation ControlLogix controllers via anomalous EtherNet/IP CIP packet lengths.
  • Passive monitoring of ICS network traffic (e.g., at the DMZ, core switches, and entry/egress points) can identify active exploitation of CVE-2023-3595 via anomalous CIP protocol behavior.
  • Attribution context: these vulnerabilities were disclosed in coordination with the U.S. government, citing a novel exploit capability attributed to APT actors known for cyber activity involving industrial systems, with possible intent to target critical infrastructure worldwide.
  • Once a module is updated to signed firmware, it cannot be reverted to unsigned firmware versions — plan upgrades accordingly.
  • Traditional IT vulnerability scanners will not discover nested or indirectly connected ControlLogix assets; CIP-aware active scanning is required for full asset visibility in ICS environments.

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL