CVE-2019-10954

CVSS v3 base score: 7.5 (HIGH)

📋 TL;DR

A specially crafted SMTP packet sent to an affected Rockwell Automation CompactLogix 5370 or Compact GuardLogix 5370 controller causes the controller to enter a Major Non-Recoverable Fault (MNRF). A faulted controller stops communicating on the network and stops executing its program, and it requires a controller reset (a power cycle and, in practice, a fresh download of the project) to recover. Affected firmware is versions 20 through 30 and earlier. The practical effect is a remote, unauthenticated denial of service against whatever manufacturing or industrial process the controller runs.

💻 Affected Systems

Products:
  • CompactLogix 5370 L1 Controllers
  • CompactLogix 5370 L2 Controllers
  • CompactLogix 5370 L3 Controllers
  • Compact GuardLogix 5370 controllers
  • Armor Compact GuardLogix 5370 Controllers
Versions: Firmware revisions 20 through 30 and earlier (the advisory lists 20 through 30 and earlier; 31 and later are fixed)
Operating Systems: Controller firmware (no separate OS)
Default Config Vulnerable: ⚠️ Yes
Notes: The fault is reached through the controllers' e-mail (SMTP) function, so exposure depends on whether that function is active. Whether it is active out of the box depends on the application; a controller that never sends e-mail still runs vulnerable firmware and should be patched, but the network path to the fault is closed while SMTP is off.

📦 What is this software?

CompactLogix 5370 and Compact GuardLogix 5370 are Rockwell Automation (Allen-Bradley) programmable automation controllers used in industrial control systems; the GuardLogix and Armor variants add safety-rated I/O and ruggedised packaging. They are configured and programmed with Studio 5000 Logix Designer and have an embedded EtherNet/IP port, which is also the path over which the controller's optional e-mail (SMTP) function and, therefore, this vulnerability are reached.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A single crafted packet, or one per controller, faults every reachable controller at once. Production halts until each controller is manually reset and its project reloaded, so in critical infrastructure the result is extended downtime and significant financial loss. Controller replacement is not normally needed to recover from an MNRF, but the reset and re-download cannot be done remotely from an arbitrary host.

🟠

Likely Case

Targeted denial-of-service against individual controllers, stopping the affected production line until staff reset the controller and restore its program.

🟢

If Mitigated

Limited impact if controllers are isolated from untrusted networks and SMTP services are disabled.

🌐 Internet-Facing: HIGH if a controller is reachable from the internet with SMTP enabled; the attack needs only network reachability, no credentials and no user interaction.
🏢 Internal Only: MEDIUM to HIGH depending on segmentation. Any host that can reach the controller network, including a compromised engineering workstation or a laptop plugged into the control network, can send the packet.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation consists of sending a crafted SMTP packet to a reachable controller; no authentication or user interaction is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 31 and later

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1075979

Restart Required: Yes (the controller reboots as part of the firmware update)

Instructions:

1. Obtain firmware revision 31 or later for the exact controller catalog number from the Rockwell Automation Product Compatibility and Download Center.
2. Back up the project (.ACD file) and record the controller's current revision and I/O configuration.
3. Flash the controller with ControlFLASH; the controller restarts during the update and the running program is lost, so schedule this during a planned outage.
4. Open the saved project in a Studio 5000 Logix Designer release that supports major revision 31, change the project's controller revision to match, and download it to the controller.
5. Go online, confirm the revision in Controller Properties, and confirm that the e-mail (SMTP) function is still disabled or configured as intended.

🔧 Temporary Workarounds

Disable SMTP Services

Applies to: all affected versions

Disable the controller's e-mail (SMTP) function wherever the application does not depend on it; with the function off, the crafted packet has nothing to trigger.

Where and how the e-mail function is configured depends on the controller and firmware revision, so follow the procedure in the vendor advisory for your revision rather than a generic menu path. Afterwards, check the project for MSG instructions that send e-mail and confirm that none remain active.

Network Segmentation

Applies to: all affected versions

Place the controllers in a dedicated control-network zone behind a firewall, separated from the enterprise network and the internet by VLANs and a conduit that permits only the protocols the process needs.

Permit TCP/25 only between the controllers and the approved mail relay (if e-mail is used at all) and deny all other SMTP traffic to or from the controller subnet.

🧯 If You Can't Patch

  • Implement strict network segmentation so that controllers are reachable only from the engineering and HMI hosts that need them, never from untrusted networks
  • Deploy network monitoring on the control network for TCP/25 activity to or from controller addresses and for controllers that stop responding (a controller in MNRF drops off the network)

🔍 How to Verify

Check if Vulnerable:

Go online with the controller in Studio 5000 Logix Designer and open Controller Properties; the General tab shows the firmware revision. If the major revision is 30 or lower, the controller is vulnerable. ControlFLASH and RSLinx Classic also show the revision of a connected controller, which is convenient when the project file is not at hand.

Check Version:

In Studio 5000 Logix Designer: right-click the controller in the Controller Organizer > Properties > General tab > Revision (major.minor, for example 30.014).

Verify Fix Applied:

Confirm online that the revision is 31 or later, that the correct project has been downloaded after the update, and that the e-mail (SMTP) function is disabled or configured only for the approved mail relay.
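
The version check above, applied across an inventory, as an added example (this is not Rockwell Automation tooling; the inventory, names, catalog numbers and revisions are constructed). Revisions use the Logix major.minor form, and the rule is the one on this page: major revision below 31 is vulnerable, with SMTP-enabled units prioritised because only they expose the faulting path to the network.

```python
"""Triage a controller inventory against the CVE-2019-10954 fix line.

Added example; not vendor code. Inventory entries are constructed.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

FIXED_MAJOR = 31                      # first fixed major revision (advisory)
_REV = re.compile(r"^(\d+)\.(\d+)$")  # Logix "major.minor", e.g. "30.014"


class Controller(NamedTuple):
    name: str
    catalog: str        # informational only, e.g. 1769-L33ER
    revision: str       # revision as shown online in Studio 5000
    smtp_enabled: bool  # whether the e-mail function is in use


def parse_revision(rev: str) -> Tuple[int, int]:
    """Split "30.014" into (30, 14). A malformed entry raises rather than
    being silently treated as patched."""
    m = _REV.match(rev.strip())
    if not m:
        raise ValueError(f"unrecognised firmware revision: {rev!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(rev: str) -> bool:
    """Affected: every revision below the fixed major (20 through 30 and earlier)."""
    major, _ = parse_revision(rev)
    return major < FIXED_MAJOR


def triage(inventory: List[Controller]) -> Dict[str, str]:
    """Map controller name -> action.

    patch-urgent    : vulnerable firmware and SMTP enabled (exposed path)
    patch-scheduled : vulnerable firmware, SMTP disabled (path closed, still patch)
    fixed           : major revision 31 or later
    """
    result: Dict[str, str] = {}
    for c in inventory:
        if not is_vulnerable(c.revision):
            result[c.name] = "fixed"
        elif c.smtp_enabled:
            result[c.name] = "patch-urgent"
        else:
            result[c.name] = "patch-scheduled"
    return result


# Constructed inventory (hypothetical names and revisions).
SAMPLE_INVENTORY = [
    Controller("PLC-LINE1", "1769-L33ER", "30.014", True),
    Controller("PLC-LINE2", "1769-L30ER", "28.011", False),
    Controller("PLC-SAFETY", "1769-L33ERMS", "31.011", True),
    Controller("PLC-LEGACY", "1769-L16ER", "20.018", True),
]

_ORDER = {"patch-urgent": 0, "patch-scheduled": 1, "fixed": 2}

if __name__ == "__main__":
    for name, action in sorted(triage(SAMPLE_INVENTORY).items(),
                               key=lambda kv: _ORDER[kv[1]]):
        print(f"{name:12s} {action}")
```

Feed it the revision strings exactly as Studio 5000 or ControlFLASH reports them; the parser rejects anything that is not major.minor so a typo in the inventory surfaces instead of hiding a vulnerable unit.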

📡 Detection & Monitoring

Log Indicators:

  • Controller entering a Major Non-Recoverable Fault (MNRF) state, visible as a major fault in Studio 5000 or on the controller's status indicators
  • SMTP errors or unusual SMTP activity in the controller's e-mail function logs, where the application records them
  • Unexpected controller resets, loss of communication with a controller, or a fault that clears only after a reset

Network Indicators:

  • SMTP traffic to controller IP addresses, which should not occur at all, since the controller is the e-mail client, not a server
  • TCP/25 traffic between a controller and any host other than the approved mail relay
  • Unusually large or malformed SMTP exchanges involving a controller

SIEM Query (pseudo-query; adapt field names and the address lists to your SIEM):

dest_port=25 AND dest_ip IN (controller_ips)
OR (src_ip IN (controller_ips) AND dest_port=25 AND NOT dest_ip IN (approved_mail_relays))
OR (dest_port=25 AND (src_ip IN (controller_ips) OR dest_ip IN (controller_ips)) AND bytes > expected_smtp_bytes)
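
The three network indicators above, run over flow records, as an added example (not vendor code). The flows are constructed in a Zeek conn.log-like tab-separated layout (ts, orig_h, orig_p, resp_h, resp_p, proto, orig_bytes, resp_bytes); the controller and relay addresses and the size threshold are assumptions for the example.

```python
"""Flag SMTP (TCP/25) flows involving Logix controllers that deviate from the
approved mail path. Added example for this page; not vendor code.
"""
import ipaddress
from typing import List, Tuple

# Hypothetical addresses for the example.
CONTROLLERS = {ipaddress.ip_address(a) for a in ("10.10.5.21", "10.10.5.22")}
APPROVED_RELAYS = {ipaddress.ip_address("10.10.1.25")}
SMTP_PORT = 25
MAX_SMTP_BYTES = 4096  # assumption: a controller's status mail exchange is small

# Constructed flow records: ts, orig_h, orig_p, resp_h, resp_p, proto, orig_bytes, resp_bytes
SAMPLE_FLOWS = """\
1556000001.0\t10.10.5.21\t49152\t10.10.1.25\t25\ttcp\t512\t300
1556000002.0\t192.168.77.9\t41000\t10.10.5.21\t25\ttcp\t9000\t0
1556000003.0\t10.10.5.22\t49153\t203.0.113.8\t25\ttcp\t600\t200
1556000004.0\t10.10.5.21\t49154\t10.10.1.25\t25\ttcp\t120\t65000
1556000005.0\t10.10.3.4\t50000\t10.10.1.25\t25\ttcp\t700\t400
1556000006.0\t10.10.5.22\t49155\t10.10.1.25\t25\tudp\t80\t0
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the tab-separated records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, oh, op, rh, rp, proto, ob, rb = line.split("\t")
        flows.append({
            "ts": float(ts),
            "orig_h": ipaddress.ip_address(oh), "orig_p": int(op),
            "resp_h": ipaddress.ip_address(rh), "resp_p": int(rp),
            "proto": proto, "orig_bytes": int(ob), "resp_bytes": int(rb),
        })
    return flows


def smtp_alerts(flows: List[dict]) -> List[Tuple[float, str]]:
    """Return (ts, reason) for each flow matching one of the page's indicators."""
    alerts = []
    for f in flows:
        if f["proto"] != "tcp" or f["resp_p"] != SMTP_PORT:
            continue  # only TCP connections to port 25 are in scope
        involves_plc = f["orig_h"] in CONTROLLERS or f["resp_h"] in CONTROLLERS
        if f["resp_h"] in CONTROLLERS:
            # A controller is an SMTP client, never a server: any inbound SMTP is suspect.
            alerts.append((f["ts"], f"inbound SMTP to controller {f['resp_h']} from {f['orig_h']}"))
        elif f["orig_h"] in CONTROLLERS and f["resp_h"] not in APPROVED_RELAYS:
            alerts.append((f["ts"], f"controller {f['orig_h']} sent SMTP to unapproved host {f['resp_h']}"))
        elif involves_plc and f["orig_bytes"] + f["resp_bytes"] > MAX_SMTP_BYTES:
            alerts.append((f["ts"], f"oversized SMTP exchange ({f['orig_bytes'] + f['resp_bytes']} bytes) "
                                    f"between {f['orig_h']} and {f['resp_h']}"))
    return alerts


if __name__ == "__main__":
    for ts, reason in smtp_alerts(parse_flows(SAMPLE_FLOWS)):
        print(f"{ts:.0f}  {reason}")
```

The rule deliberately treats any connection to port 25 on a controller as an alert regardless of source, because a healthy controller never serves SMTP. Pair it with availability monitoring: a controller that has entered MNRF stops answering on the network, so a PLC going silent right after a flagged flow is the strongest signal this advisory describes.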
