CVE-2019-10952

9.8 CRITICAL

📋 TL;DR

A stack-based buffer overflow in the embedded web server of Rockwell Automation CompactLogix 5370 and Compact GuardLogix 5370 controllers lets an unauthenticated attacker who can reach TCP port 80 or 443 on the controller send a crafted HTTP/HTTPS request that makes the web server unavailable and may allow remote code execution. Recovery from the denial-of-service condition requires a cold restart (power cycle) of the controller, so an attack interrupts the process the PLC is running. Organizations using these controllers in manufacturing, energy, or other critical infrastructure are at risk.

💻 Affected Systems

Products:
  • CompactLogix 5370 L1 Controllers
  • CompactLogix 5370 L2 Controllers
  • CompactLogix 5370 L3 Controllers
  • Compact GuardLogix 5370 controllers
  • Armor Compact GuardLogix 5370 Controllers
Versions: Firmware versions 20.x through 30.014 (all releases up to and including 30.014)
Operating Systems: Controller firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected controllers with web server enabled are vulnerable. The vulnerability exists in the HTTP/HTTPS handling component.

📦 What is this software?

CompactLogix 5370 and Compact GuardLogix 5370 are Allen-Bradley programmable automation controllers (PLCs) from Rockwell Automation, programmed with Studio 5000 Logix Designer and networked over EtherNet/IP. Each controller runs an embedded HTTP/HTTPS web server for diagnostic and status pages; that web server contains the vulnerable code.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, manipulation of industrial processes, physical damage, or safety incidents in critical infrastructure.

🟠

Likely Case

Denial of service rendering the controller unavailable, disrupting industrial operations until cold restart is performed.

🟢

If Mitigated

Limited impact if controllers are isolated behind firewalls with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - Direct internet exposure makes exploitation trivial via crafted HTTP/HTTPS requests.
🏢 Internal Only: MEDIUM - Requires network access but could be exploited via internal compromise or lateral movement.

🎯 Exploit Status

Public PoC: No (none known)
Weaponized: Not publicly reported
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted HTTP/HTTPS packets to the controller's web interface. No authentication is required if network access is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 31.011 and later (30.014 is the last affected release, not the fix)

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1075979

Restart Required: Yes

Instructions:

1. Download the fixed firmware (31.011 or later) from the Rockwell Automation Product Compatibility and Download Center (PCDC).
2. Save the controller project (.ACD) from Studio 5000 Logix Designer; flashing firmware clears the program and tag values from the controller.
3. Flash the controller with ControlFLASH (stand-alone, or launched from Studio 5000 Logix Designer when it detects a firmware mismatch). The controller restarts as part of the update.
4. Download the saved project to the controller, verify the new revision, and return the controller to Run mode.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all affected products

Isolate controllers in dedicated network segments with strict firewall rules; permit TCP 80/443 to the controller only from the engineering workstations that actually use the web interface.

Disable Web Server

Applies to: all affected products

Disable HTTP/HTTPS web server functionality if not required for operations. The web pages are diagnostic only; control and programming traffic over EtherNet/IP does not depend on them.

In Studio 5000: Controller Properties > Port Configuration > Disable HTTP/HTTPS

🧯 If You Can't Patch

  • Implement strict network access controls allowing only trusted IP addresses to communicate with controllers
  • Deploy intrusion detection systems monitoring for anomalous HTTP/HTTPS traffic patterns to affected controllers

🔍 How to Verify

Check if Vulnerable:

Check the controller firmware revision in Studio 5000 Logix Designer (online with the controller) or on the controller's web interface. Revisions 20.x through 30.014 are vulnerable; 31.011 and later contain the fix.

Check Version:

In Studio 5000 Logix Designer, go online with the controller, then Controller Organizer > right-click the controller > Properties > General tab; the Revision field shows the firmware major.minor (for example 30.014).

Verify Fix Applied:

Confirm the firmware revision reads 31.011 or later in Studio 5000 Logix Designer or on the controller properties page.
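Checking the revision by hand in Studio 5000 does not scale to a plant with dozens of controllers. The script below is an added example (not code from the advisory or from Rockwell Automation) that reads a controller's CIP Identity object with an EtherNet/IP ListIdentity request on UDP 44818 and classifies the reported revision against the affected range in this advisory. The reply it parses by default is a constructed packet with placeholder product code, serial and name, not a capture; in the CIP Identity object the revision major.minor corresponds to the Logix firmware version (30.014 is major 30, minor 14). The fixed-from value 31.011 comes from the vendor and CISA advisories.

```python
"""Read a CompactLogix controller's firmware revision via EtherNet/IP ListIdentity
and classify it against the CVE-2019-10952 affected range.

Added example, not code from the advisory or from Rockwell Automation. The reply
built by build_sample_reply() is a CONSTRUCTED packet (placeholder product code,
serial and name), not a capture.
"""
from __future__ import annotations

import socket
import struct

# EtherNet/IP encapsulation header: command, length, session, status, sender context, options
ENCAP_HEADER = struct.Struct("<HHII8sI")
LIST_IDENTITY = 0x0063      # encapsulation command
IDENTITY_ITEM = 0x000C      # CPF item type carrying the CIP Identity object
ENIP_UDP_PORT = 44818

# Affected range from the CVE text: "Versions 20 to 30.014 and earlier".
VULN_LOW, VULN_HIGH = (20, 0), (30, 14)
# First fixed firmware per the vendor / CISA advisory.
FIXED_FROM = (31, 11)


def build_list_identity_request() -> bytes:
    """ListIdentity carries no command data: header only, length field 0."""
    return ENCAP_HEADER.pack(LIST_IDENTITY, 0, 0, 0, b"\x00" * 8, 0)


def parse_list_identity(reply: bytes) -> dict:
    """Decode the Identity item from a ListIdentity reply (little-endian encapsulation)."""
    cmd, length, _sess, status, _ctx, _opts = ENCAP_HEADER.unpack_from(reply, 0)
    if cmd != LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command 0x{cmd:04x} / status {status}")
    body = reply[ENCAP_HEADER.size:ENCAP_HEADER.size + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        if item_type == IDENTITY_ITEM:
            return _parse_identity_item(body[off:off + item_len])
        off += item_len
    raise ValueError("no Identity item in reply")


def _parse_identity_item(item: bytes) -> dict:
    # Layout: encap version (2, LE) | sockaddr_in (16, BE) | vendor, device type,
    # product code (2 each) | rev major, rev minor (1 each) | status (2) |
    # serial (4) | name length (1) + name | state (1)
    _family, _port, addr = struct.unpack_from(">hHI", item, 2)
    vendor, dev_type, product = struct.unpack_from("<HHH", item, 18)
    major, minor, dev_status, serial = struct.unpack_from("<BBHI", item, 24)
    name_len = item[32]
    name = item[33:33 + name_len].decode("ascii", "replace")
    return {
        "ip": socket.inet_ntoa(struct.pack(">I", addr)),
        "vendor_id": vendor,            # 1 = Rockwell Automation / Allen-Bradley
        "device_type": dev_type,        # 0x0E = Programmable Logic Controller
        "product_code": product,
        "revision": (major, minor),
        "status": dev_status,
        "serial": serial,
        "product_name": name,
        "state": item[33 + name_len],
    }


def classify(revision: tuple[int, int]) -> str:
    """Map a (major, minor) firmware revision onto the advisory's ranges."""
    if VULN_LOW <= revision <= VULN_HIGH:
        return "vulnerable"
    if revision >= FIXED_FROM:
        return "fixed"
    return "outside documented ranges, check the vendor advisory"


def query_controller(ip: str, timeout: float = 2.0) -> dict:
    """Live, read-only discovery over UDP 44818. Run only from an authorised host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_list_identity_request(), (ip, ENIP_UDP_PORT))
        reply, _ = sock.recvfrom(4096)
    return parse_list_identity(reply)


def build_sample_reply() -> bytes:
    """CONSTRUCTED reply for a controller at 192.168.10.10 on firmware 30.011."""
    name = b"1769-L33ER/B LOGIX5333ER"                      # placeholder name string
    ident = struct.pack("<H", 1)                              # encapsulation protocol version
    ident += struct.pack(">hHI8s", 2, ENIP_UDP_PORT, 0xC0A80A0A, b"")  # AF_INET, port, 192.168.10.10
    ident += struct.pack("<HHHBBHI", 1, 0x0E, 0, 30, 11, 0x0060, 0x12345678)  # placeholder product/serial
    ident += bytes([len(name)]) + name + b"\x03"             # product name, device state
    body = struct.pack("<HHH", 1, IDENTITY_ITEM, len(ident)) + ident
    return ENCAP_HEADER.pack(LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


if __name__ == "__main__":
    ident = parse_list_identity(build_sample_reply())
    print(f"{ident['ip']} {ident['product_name']} rev {ident['revision'][0]}.{ident['revision'][1]:03d}: "
          f"{classify(ident['revision'])}")
```

ListIdentity is a single unauthenticated UDP datagram and does not open a CIP session, so it is the least intrusive way to inventory firmware; even so, run it only from an authorised engineering host and not as a broadcast sweep during production, since some older devices react badly to unexpected traffic. Revisions that fall between 30.014 and 31.011 are deliberately reported as "outside documented ranges" rather than guessed at.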

📡 Detection & Monitoring

Log Indicators:

  • Repeated malformed or oversized HTTP/HTTPS requests to a controller IP (seen at a proxy, IDS or Zeek http.log; the controller itself keeps no web access log)
  • Controller fault or restart that required a cold (power-cycle) recovery, preceded by HTTP/HTTPS traffic to the controller
  • Loss of response from the controller web interface on 80/443 that persists until the controller is power-cycled

Network Indicators:

  • Abnormally long request lines, headers or bodies sent to controller ports 80/443 (a stack overflow in request handling is most likely triggered by oversized input)
  • Traffic to the controller web interface from hosts other than known engineering workstations
  • Non-browser user agents or scanning tools touching the controller web interface

SIEM Query:

source_ip=* AND dest_ip=controller_ip AND (port=80 OR port=443) AND (http_request_size>threshold OR http_header_anomaly=true)

(Pseudo-syntax: substitute your SIEM's field names, the controller address list, and a request-size threshold derived from a baseline of legitimate engineering traffic.)
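The SIEM query above is pseudo-syntax. The script below is an added example (not from the advisory) that implements the same logic over Zeek-style http.log lines: it ignores traffic that is not aimed at a controller web port, then flags requests from hosts outside the allowlist, oversized URIs or bodies, and requests that got no HTTP response, which is what a crashed web server looks like from the wire. The log lines are constructed with a reduced, tab-separated Zeek field set, and the controller addresses, trusted workstation and size thresholds are assumptions to replace with your own inventory and baseline.

```python
"""Flag suspicious HTTP requests to controller web interfaces in Zeek-style http.log lines.

Added example, not from the advisory. The log lines are CONSTRUCTED with a reduced,
tab-separated Zeek http.log field set; controller and workstation addresses and the
size thresholds are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

CONTROLLERS = {"192.168.10.10", "192.168.10.11"}   # assumed PLC addresses
TRUSTED_SOURCES = {"192.168.20.5"}                  # assumed engineering workstation
WEB_PORTS = {80, 443}
MAX_URI_LEN = 512          # assumption: legitimate controller UI paths are short
MAX_REQUEST_BODY = 4096    # assumption: the diagnostic pages take tiny POSTs

# Reduced Zeek http.log column set (order matters; '-' marks an unset field).
FIELDS = ["ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "method",
          "host", "uri", "user_agent", "request_body_len", "status_code"]


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    reasons: tuple[str, ...]


def parse_http_log(text: str) -> list[dict[str, str]]:
    """Turn tab-separated log lines into dicts; skips comment and malformed lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def _to_int(field: str) -> int:
    return 0 if field == "-" else int(field)


def check_request(row: dict[str, str]) -> Finding | None:
    """Apply the advisory's indicators to one request aimed at a controller web port."""
    if row["id.resp_h"] not in CONTROLLERS or _to_int(row["id.resp_p"]) not in WEB_PORTS:
        return None
    reasons = []
    if row["id.orig_h"] not in TRUSTED_SOURCES:
        reasons.append("untrusted source")
    if len(row["uri"]) > MAX_URI_LEN:
        reasons.append(f"uri length {len(row['uri'])} > {MAX_URI_LEN}")
    body_len = _to_int(row["request_body_len"])
    if body_len > MAX_REQUEST_BODY:
        reasons.append(f"request body {body_len} > {MAX_REQUEST_BODY}")
    if row["status_code"] == "-":
        reasons.append("no HTTP response (web server may have crashed)")
    return Finding(row["ts"], row["id.orig_h"], row["id.resp_h"], tuple(reasons)) if reasons else None


def scan(text: str) -> list[Finding]:
    """Run check_request over every parsed line and keep the findings."""
    return [f for f in (check_request(r) for r in parse_http_log(text)) if f is not None]


def build_sample_log() -> str:
    """CONSTRUCTED http.log: two normal workstation requests, one request to a
    non-controller host, then two hostile-looking requests from an unknown host."""
    long_uri = "/" + "A" * 2000   # oversized path standing in for a crafted request
    rows = [
        ("1556611200.1", "192.168.20.5", "51000", "192.168.10.10", "80", "GET",
         "192.168.10.10", "/index.html", "Mozilla/5.0", "0", "200"),
        ("1556611201.4", "192.168.20.5", "51001", "192.168.10.11", "443", "GET",
         "192.168.10.11", "/diagnostics.html", "Mozilla/5.0", "0", "200"),
        ("1556611210.0", "10.0.0.77", "39999", "192.168.30.1", "80", "GET",
         "192.168.30.1", "/", "curl/7.64", "0", "200"),
        ("1556611230.9", "10.0.0.77", "40000", "192.168.10.10", "80", "GET",
         "192.168.10.10", long_uri, "python-requests/2.21", "0", "-"),
        ("1556611231.0", "10.0.0.77", "40001", "192.168.10.11", "80", "POST",
         "192.168.10.11", "/", "curl/7.64", "65536", "-"),
    ]
    return "#fields\t" + "\t".join(FIELDS) + "\n" + "\n".join("\t".join(r) for r in rows) + "\n"


if __name__ == "__main__":
    for f in scan(build_sample_log()):
        print(f"{f.ts} {f.src} -> {f.dst}: {', '.join(f.reasons)}")
```

A "no HTTP response" reason on its own is weak evidence, but the same host producing an oversized request followed by an unanswered one, and a controller that needs a power cycle shortly after, is the sequence this advisory describes and is worth an alert. Feed real Zeek output by mapping its full field list onto FIELDS and reading the file instead of build_sample_log().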

🔗 References

  • Rockwell Automation Knowledgebase advisory: https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1075979
  • CISA ICS advisory ICSA-19-120-01 (Rockwell Automation CompactLogix 5370): https://www.cisa.gov/news-events/ics-advisories/icsa-19-120-01
  • NVD entry for CVE-2019-10952: https://nvd.nist.gov/vuln/detail/CVE-2019-10952
