CVE-2017-7898

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to perform unlimited password guessing attempts on Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400 programmable logic controllers (PLCs). There are no lockout mechanisms or penalties for incorrect password entries, enabling brute-force attacks. Organizations using these specific PLC models with versions 16.00 and earlier are affected.

💻 Affected Systems

Products:
  • Rockwell Automation Allen-Bradley MicroLogix 1100 (1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD)
  • Rockwell Automation Allen-Bradley MicroLogix 1400 (1766-L32AWA, 1766-L32BWA, 1766-L32BWAA, 1766-L32BXB, 1766-L32BXBA, 1766-L32AWAA)
Versions: Version 16.00 and all prior versions
Operating Systems: PLC firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All Series A and B models are affected. This is a firmware-level vulnerability in the authentication mechanism.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of industrial control systems leading to unauthorized control of manufacturing processes, equipment damage, production shutdowns, or safety incidents.

🟠 Likely Case

Unauthorized access to PLC programming and configuration, allowing attackers to modify logic, disrupt operations, or establish persistence in industrial networks.

🟢 If Mitigated

Limited impact if PLCs are isolated behind firewalls with strict network segmentation and strong perimeter defenses.

🌐 Internet-Facing: HIGH - If exposed to the internet, attackers can brute-force passwords remotely without restrictions.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this, though network segmentation reduces exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the PLC but no authentication. Attackers can use automated tools to brute-force passwords with unlimited attempts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 16.00 (with firmware updates addressing the issue) - check Rockwell Automation for specific patched versions

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-17-115-04

Restart Required: Yes

Instructions:

1. Download firmware updates from Rockwell Automation's security advisory.
2. Follow vendor instructions to update PLC firmware to patched versions.
3. Test in a non-production environment first.
4. Apply updates during maintenance windows, as a PLC restart is required.

🔧 Temporary Workarounds

Network Segmentation and Access Control (applies to: all)

Isolate PLCs in dedicated network segments with strict firewall rules to limit access only to authorized systems.

Strong Password Policy (applies to: all)

Implement complex, unique passwords for each PLC to increase brute-force resistance despite unlimited attempts.

🧯 If You Can't Patch

  • Implement network-level controls: Use firewalls to restrict access to PLCs only from trusted IP addresses and networks.
  • Deploy intrusion detection systems (IDS) to monitor for brute-force attempts and anomalous access patterns to PLCs.

🔍 How to Verify

Check if Vulnerable:

Check PLC firmware version via Rockwell Automation programming software (RSLogix 500). If version is 16.00 or earlier on affected models, the system is vulnerable.

Check Version:

Use RSLogix 500 software to connect to PLC and check firmware version in controller properties.

Verify Fix Applied:

After updating firmware, verify the version shows as patched (post-16.00) and test that password lockout mechanisms are functioning.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts from single IP addresses
  • Unusual access patterns to PLC programming ports

Network Indicators:

  • High volume of traffic to PLC port 44818 (EtherNet/IP) from unauthorized sources
  • Brute-force tool signatures in network traffic

SIEM Query:

dest_ip="PLC_IP" AND event_type="authentication_failure" GROUP BY source_ip HAVING COUNT > 10 WITHIN 1h

(Pseudo-query: the PLC is the destination of the failed attempts, so the count is grouped by the connecting source_ip; adapt the syntax to your SIEM.)
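As an added example (not part of this advisory page), the "more than 10 failures from one source within an hour" rule above applied to constructed log lines in Python, using a sliding window so that a slow guesser that never exceeds the threshold in any one-hour span is not flagged. The log format, the PLC address 10.0.1.20 and the source addresses are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not real PLC or firewall output):
#   "<ISO-8601 timestamp> src=<ip> dst=<ip> dport=<port> event=<type>"
PLC_IP = "10.0.1.20"         # placeholder address of the monitored PLC
ENIP_PORT = 44818            # EtherNet/IP port named in the Network Indicators
THRESHOLD = 10               # more than 10 failures ...
WINDOW = timedelta(hours=1)  # ... within any sliding 1-hour window

def constructed_log():
    """Constructed sample events: one fast guesser, one slow guesser, one operator typo."""
    fast = [f"2024-01-10T09:{i:02d}:00 src=10.0.5.7 dst={PLC_IP} dport={ENIP_PORT} "
            "event=authentication_failure" for i in range(12)]          # 12 in 12 min
    slow = [f"2024-01-10T{8 + i * 20 // 60:02d}:{i * 20 % 60:02d}:00 src=10.0.9.9 "
            f"dst={PLC_IP} dport={ENIP_PORT} event=authentication_failure"
            for i in range(11)]                                          # 11, 20 min apart
    other = [f"2024-01-10T08:0{i}:00 src=10.0.2.15 dst={PLC_IP} dport={ENIP_PORT} "
             "event=authentication_failure" for i in range(5, 8)]        # 3 typos, then success
    other.append(f"2024-01-10T08:08:00 src=10.0.2.15 dst={PLC_IP} dport={ENIP_PORT} "
                 "event=authentication_success")
    other.append("2024-01-10T09:05:00 src=10.0.5.7 dst=10.0.1.21 dport=502 "
                 "event=authentication_failure")                          # different device
    return "\n".join(fast + slow + other)

def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dport"] = int(rec["dport"])
    return rec

def find_bruteforce_sources(log_text, plc_ip=PLC_IP, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: time the threshold was first exceeded} for every source with
    more than `threshold` authentication failures against the PLC inside one `window`."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    recent = defaultdict(deque)   # source_ip -> timestamps of failures still in the window
    flagged = {}
    for rec in records:
        if (rec["dst"], rec["dport"], rec["event"]) != (plc_ip, ENIP_PORT, "authentication_failure"):
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > threshold and rec["src"] not in flagged:
            flagged[rec["src"]] = rec["ts"]
    return flagged
```

On the constructed data only 10.0.5.7 is flagged (its 11th failure, at 09:10); the slow source never has more than 4 failures in any hour, and the operator's three typos stay under the threshold.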
