
CVE-2025-56234: n/a

Unknown
Published: Mon Sep 29 2025 (09/29/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

AT_NA2000 from the vendor Nanda Automation Technology has a denial-of-service vulnerability. For the processing of TCP RST packets, the PLC AT_NA2000 has a wide acceptable range of sequence numbers. It does not require the sequence number to exactly match the next expected sequence value, just to be within the current receive window, which violates RFC 5961. This flaw allows attackers to send multiple random TCP RST packets to hit the acceptable range of sequence numbers, thereby interrupting normal connections and causing a denial-of-service attack.

AI-Powered Analysis

AI analysis last updated: 09/29/2025, 16:53:11 UTC

Technical Analysis

CVE-2025-56234 is a denial-of-service (DoS) vulnerability in the AT_NA2000 Programmable Logic Controller (PLC) from Nanda Automation Technology. The flaw lies in how the PLC's TCP stack validates incoming Reset (RST) segments. Under the original RFC 793 rule, an RST is accepted whenever its sequence number falls anywhere inside the receiver's current window. RFC 5961 (section 3.2) tightens this: only an RST whose sequence number exactly equals the next expected value (RCV.NXT) tears the connection down; an RST that is merely in-window is answered with a challenge ACK, so a genuine peer can resend a correct RST, and anything outside the window is dropped. The AT_NA2000 still applies the permissive in-window rule. An off-path attacker who knows or guesses the connection's source and destination addresses and ports can therefore spray RSTs with random sequence numbers, and each one succeeds with probability roughly W/2^32, where W is the PLC's receive window in bytes. With a 64 KiB window, on the order of 65,000 spoofed packets are expected before one lands, which is seconds of traffic on a LAN; under the RFC 5961 rule the attacker would need an exact match, a 1-in-2^32 chance per packet. A hit aborts the session between the PLC and its peer (an HMI, SCADA server, or engineering workstation) and interrupts the automated process it controls. Exploitation needs no authentication or user interaction, but it does require the ability to deliver spoofed packets to the PLC and knowledge of the connection's four-tuple; the latter is often easy to obtain in OT networks, where the PLC's address and service port are fixed and its peers are few and well known. No exploits had been reported in the wild at publication, no vendor patch or mitigation has been published, and the affected firmware versions are not specified in the CVE record.
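The two validation rules described above, side by side, as an added example that is not code from the advisory, the vendor, or the PLC: `rst_action_permissive` is the RFC 793 in-window behaviour the CVE describes, `rst_action_rfc5961` is the section 3.2 rule, and `blind_rst_trial` simulates an off-path attacker who knows the four-tuple but not the sequence state. The window sizes, sequence values and seeds are assumptions chosen for illustration.

```python
import random

MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), with 32-bit wrap-around."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_action_permissive(seq, rcv_nxt, rcv_wnd):
    """Pre-RFC-5961 (RFC 793) behaviour, as the advisory describes for the PLC:
    any in-window RST aborts the connection."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_rfc5961(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 section 3.2: an exact match resets; an in-window but inexact RST
    gets a challenge ACK (a real peer will answer with a correct RST); else drop."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge_ack"
    return "drop"


def expected_packets(rcv_wnd, rfc5961):
    """Expected number of random-sequence RSTs before one is accepted:
    2^32 / (number of accepted sequence values)."""
    accepted = 1 if rfc5961 else rcv_wnd
    return MOD / accepted


def blind_rst_trial(policy, rcv_nxt, rcv_wnd, attempts, seed):
    """Simulate an off-path attacker spraying RSTs with random sequence numbers
    (seeded so the run is reproducible).  Returns the number of packets sent
    when the connection was aborted, or None if it survived all attempts."""
    rng = random.Random(seed)
    for sent in range(1, attempts + 1):
        seq = rng.randrange(MOD)
        if policy(seq, rcv_nxt, rcv_wnd) == "reset":
            return sent
    return None


if __name__ == "__main__":
    # Assumed PLC state: an arbitrary RCV.NXT and a 64 KiB receive window.
    rcv_nxt, rcv_wnd = 0x1F2E3D4C, 65535
    for name, policy, strict in (("permissive (CVE-2025-56234)", rst_action_permissive, False),
                                 ("RFC 5961", rst_action_rfc5961, True)):
        print(f"{name}: expected {int(expected_packets(rcv_wnd, strict))} packets, "
              f"simulated {blind_rst_trial(policy, rcv_nxt, rcv_wnd, 1_000_000, seed=2025)}")
```

Running the script shows the permissive stack falling within tens of thousands of packets while the RFC 5961 stack survives a million; the simulated figure varies with the seed, the expected value does not.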

Potential Impact

For European organizations in manufacturing, energy, utilities, and other critical-infrastructure sectors, the practical risk depends on where the AT_NA2000 sits. These PLCs are typically part of operational technology (OT) networks that control physical processes, and a SCADA or HMI system that loses its TCP session to a PLC loses visibility and control until the session is re-established. Repeated resets can stall production lines, interrupt monitoring of safety-relevant processes, or delay operator response, with financial, safety, and regulatory consequences. Because the attack forces reconnections, it can also generate noise that masks other activity, or give an attacker who already has a foothold on the network a reliable way to disrupt a process at a moment of their choosing. The attack needs neither authentication nor user interaction, so anyone able to inject spoofed packets toward the PLC, whether from a compromised host on the OT segment or from an IT segment that can route to it, can launch it; the growing IT/OT convergence in European plants widens that pool. The absence of public exploits does not reduce the risk: the technique is the well-known blind TCP reset attack, and the PLC's wide acceptance window is exactly what makes it practical.

Mitigation Recommendations

Organizations using AT_NA2000 PLCs should first limit who can reach them at all: place the PLCs in a dedicated OT segment, permit TCP to the PLC only from the specific HMI, SCADA, and engineering hosts that need it, and apply anti-spoofing (ingress) filtering on every router and firewall interface so that packets claiming a source address from the PLC's own segment cannot arrive from elsewhere. Stateful firewalls and TCP-terminating proxies in front of the PLC add a second layer: a proxy completes the TCP handshake with the remote peer itself, so a spoofed RST must pass the proxy's own RFC 5961-compliant validation before the PLC ever sees it, and a stateful firewall can drop RSTs whose sequence numbers do not match its tracked state. Configure IDS/IPS or flow monitoring to alert on abnormal RST rates toward PLC addresses and on RSTs arriving from unexpected sources or interfaces; a blind reset spray is loud and easy to spot. Contact Nanda Automation Technology for a firmware update that implements RFC 5961 RST validation and deploy it when available. Update incident response plans to cover PLC communication loss, including how operators will recognize it and fall back to manual control, and keep network logging that lets responders distinguish an RST spray from a failing link.
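The RST-rate alerting recommended above, as an added example that is not part of the advisory and not any vendor's product: a sliding-window detector run over constructed sample log lines. The log format, addresses, ports and thresholds are assumptions; a real deployment would feed it from a flow collector or a packet sensor in the same shape.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log line format (not the PLC's or any particular sensor's format):
#   <ISO-8601 UTC timestamp> <src ip>:<port> -> <dst ip>:<port> TCP [<flags>] seq=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"TCP \[(?P<flags>[A-Z]*)\] seq=(?P<seq>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    rec["ts"] = ts.timestamp()
    rec["seq"] = int(rec["seq"])
    return rec


def detect_rst_spray(lines, watched_hosts, window_s=10.0, threshold=20):
    """Alert on any watched destination that receives more than `threshold`
    RST segments within a sliding `window_s`-second window.  The number of
    distinct sequence numbers is reported too: a blind spray shows many, while
    a single misbehaving client repeating one RST shows few."""
    recent = defaultdict(deque)   # dst ip -> deque of (ts, seq, src)
    alerts, alerted = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or "R" not in rec["flags"] or rec["dst"] not in watched_hosts:
            continue
        q = recent[rec["dst"]]
        q.append((rec["ts"], rec["seq"], rec["src"]))
        while q and rec["ts"] - q[0][0] > window_s:
            q.popleft()
        if len(q) > threshold and rec["dst"] not in alerted:
            alerted.add(rec["dst"])
            alerts.append({
                "dst": rec["dst"],
                "first_ts": q[0][0],
                "last_ts": rec["ts"],
                "rst_count": len(q),
                "distinct_seq": len({s for _, s, _ in q}),
                "sources": sorted({src for _, _, src in q}),
            })
    return alerts


def build_sample_log():
    """Constructed sample: 30 spoofed RSTs with random-looking sequence numbers
    hitting a PLC at 10.0.1.20:502 over three seconds, mixed with one normal
    data segment and one legitimate RST to a different host."""
    lines = []
    for i in range(30):
        ts = f"2025-09-29T10:00:{i // 10:02d}.{(i % 10) * 100:03d}Z"
        seq = (i * 2654435761) % (1 << 32)   # deterministic stand-in for random seqs
        lines.append(f"{ts} 10.0.0.5:41233 -> 10.0.1.20:502 TCP [R] seq={seq}")
    lines.insert(5, "2025-09-29T10:00:00.450Z 10.0.0.5:41233 -> 10.0.1.20:502 TCP [PA] seq=77001")
    lines.append("2025-09-29T10:00:04.000Z 10.0.0.9:55000 -> 10.0.1.30:502 TCP [RA] seq=5")
    return lines


if __name__ == "__main__":
    for alert in detect_rst_spray(build_sample_log(), {"10.0.1.20", "10.0.1.30"}):
        print(alert)
```

The threshold is deliberately low because legitimate RST traffic toward a PLC is rare: its peers are long-lived polling connections, so more than a handful of resets in a few seconds is worth a look even before the count reaches spray volumes.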


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-16T00:00:00.000Z
CVSS Version: none assigned
State: PUBLISHED

Threat ID: 68dab94e9365454039216219

Added to database: 9/29/2025, 4:52:30 PM

Last enriched: 9/29/2025, 4:53:11 PM

Last updated: 10/2/2025, 3:14:55 AM
