CVE-2025-13823 is a vulnerability identified in the IPv6 network stack of Rockwell Automation's Micro820®, Micro850®, and Micro870® programmable logic controllers (PLCs), specifically in version V23.011. The issue arises when the controllers receive multiple malformed IPv6 packets during fuzzing, which causes the devices to enter a recoverable fault state indicated by fault code 0xFE60. This fault disrupts normal operation, effectively causing a denial of service (DoS) condition until the fault is manually cleared. The vulnerability stems from a dependency on a vulnerable third-party component within the IPv6 stack, classified under CWE-1395 (Dependency on Vulnerable Third-Party Component). The CVSS 4.0 vector indicates the attack can be performed remotely (AV:A - adjacent network), requires no privileges (PR:N), no user interaction (UI:N), and no authentication (AT:N), with a high impact on availability (VA:H). There is no impact on confidentiality or integrity. The vulnerability does not currently have publicly known exploits, but the ease of triggering the fault via network packets makes it a credible threat. The affected controllers are widely used in industrial automation, manufacturing, and critical infrastructure environments, where availability is paramount. The lack of a patch link suggests that a firmware update may not yet be available, emphasizing the need for interim mitigations. The fault recovery requires manual intervention, which could lead to operational downtime and potential safety risks in industrial settings.

The primary impact of CVE-2025-13823 is on the availability of Rockwell Automation Micro820®, Micro850®, and Micro870® controllers. These devices are integral to industrial control systems (ICS) and operational technology (OT) environments, including manufacturing plants, utilities, and critical infrastructure. A successful exploitation leads to a recoverable fault state that halts controller operation until manually cleared, causing temporary denial of service. For European organizations, this could disrupt production lines, energy distribution, or other automated processes, leading to financial losses, safety hazards, and regulatory compliance issues. The vulnerability's ease of exploitation from adjacent networks increases risk in environments where network segmentation is insufficient. Given the critical role of these controllers, even short downtime can have cascading effects on supply chains and service delivery. The lack of confidentiality or integrity impact limits data breach concerns, but availability interruptions in ICS contexts are often severe. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.

1. Network Segmentation and Filtering: Implement strict network segmentation to isolate the affected controllers from untrusted or less secure network segments. Use firewalls and intrusion prevention systems to filter and block malformed IPv6 packets targeting the controllers. 2. Monitoring and Alerting: Deploy monitoring solutions to detect fault code 0xFE60 occurrences and unusual IPv6 traffic patterns. Automated alerts can enable rapid response to potential exploitation attempts. 3. Access Controls: Restrict network access to the controllers to only trusted devices and personnel, minimizing exposure to adjacent network attacks. 4. Firmware Updates: Stay in close contact with Rockwell Automation for firmware patches or updates addressing this vulnerability. Apply updates promptly once available. 5. Incident Response Planning: Prepare operational procedures for rapid fault clearing and recovery to minimize downtime. Train staff on recognizing and responding to fault conditions caused by this vulnerability. 6. Vendor Coordination: Engage with Rockwell Automation support to confirm vulnerability status and obtain guidance on mitigation or patch timelines. 7. Disable IPv6 if feasible: If IPv6 is not required for controller operation, consider disabling IPv6 support on the affected devices to eliminate the attack vector.