CVE-2025-13823: CWE-1395: Dependency on Vulnerable Third-Party Component in Rockwell Automation Micro820®, Micro850®, Micro870®
A security issue was found in the IPv6 stack in the Micro850 and Micro870 controllers when the controllers received multiple malformed packets during fuzzing. The controllers will go into recoverable fault with fault code 0xFE60. To recover the controller, clear the fault.
AI Analysis
Technical Summary
CVE-2025-13823 identifies a vulnerability in the IPv6 protocol stack implementation within Rockwell Automation's Micro820®, Micro850®, and Micro870® programmable logic controllers (PLCs), specifically in version V23.011. The issue, discovered through fuzz testing, arises when the controllers receive multiple malformed IPv6 packets, causing the devices to enter a recoverable fault state indicated by fault code 0xFE60. This fault interrupts normal controller operation but does not permanently disable the device; recovery requires manually clearing the fault. The root cause is linked to a dependency on a vulnerable third-party software component integrated into the IPv6 stack, classified under CWE-1395 (Dependency on Vulnerable Third-Party Component). The vulnerability can be exploited remotely without authentication or user interaction, so any attacker with network access to the affected devices can reach it. The CVSS 4.0 base score is 7.1, reflecting high severity due to the impact on availability (denial of service) and the ease of exploitation. No known exploits are currently in the wild, and no official patches have been released yet. The vulnerability primarily affects industrial control systems that rely on these Rockwell Automation controllers, which are widely used in manufacturing, energy, and critical infrastructure sectors. The absence of authentication and user interaction requirements increases the risk of exploitation, especially in environments where network segmentation or filtering is insufficient. The fault state could disrupt automated processes, causing downtime or safety risks depending on the application context.
Potential Impact
For European organizations, especially those in manufacturing, energy production, utilities, and critical infrastructure sectors, this vulnerability poses a significant risk of operational disruption. The affected Rockwell Automation controllers are commonly deployed in industrial automation environments across Europe. Exploitation could lead to denial of service conditions, halting automated processes and potentially causing production losses, safety hazards, or cascading failures in interconnected systems. Since the fault is recoverable but requires manual intervention, organizations may face increased maintenance overhead and downtime. The vulnerability could also be leveraged as part of a larger attack chain targeting industrial control systems, impacting supply chains and critical services. Given the reliance on IPv6 in modern networks, the attack surface is broad, and organizations with insufficient network segmentation or monitoring are particularly vulnerable. The absence of patches increases the urgency for interim mitigations to prevent exploitation. Additionally, regulatory compliance frameworks in Europe, such as NIS2, emphasize the protection of critical infrastructure, making mitigation of this vulnerability a priority to avoid legal and reputational consequences.
Mitigation Recommendations
1. Implement strict network segmentation to isolate Rockwell Automation controllers from general IT networks and untrusted sources, limiting exposure to potential attackers.
2. Deploy IPv6 packet filtering at network perimeters and internal firewalls to detect and block malformed IPv6 packets that could trigger the fault condition.
3. Monitor controller fault codes actively, especially fault code 0xFE60, to detect potential exploitation attempts early and respond promptly.
4. Establish operational procedures for rapid fault clearing and system recovery to minimize downtime if faults occur.
5. Coordinate closely with Rockwell Automation for updates and patches; prioritize testing and deployment of any forthcoming security updates addressing this vulnerability.
6. Conduct regular security assessments and penetration testing focusing on industrial control system networks to identify and remediate exposure to malformed packet attacks.
7. Educate operational technology (OT) personnel on recognizing symptoms of exploitation and proper incident response protocols.
8. Where possible, limit IPv6 usage or disable IPv6 on controllers if not required, reducing the attack surface.
9. Employ intrusion detection systems (IDS) or anomaly detection tools tailored for industrial protocols to identify suspicious network activity targeting these devices.
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Sweden, Poland, Spain, Czech Republic
Technical Details
- Data Version: 5.2
- Assigner Short Name: Rockwell
- Date Reserved: 2025-12-01T14:29:23.430Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69402985d9bcdf3f3de49052
Added to database: 12/15/2025, 3:30:13 PM
Last enriched: 12/22/2025, 3:55:09 PM
Last updated: 2/7/2026, 4:13:14 AM