Rockwell Automation A.I CyberSecurity Scoring
Rockwell Automation
Company Information
Website:http://www.rockwellautomation.com/
Employees number:21,731
Number of followers:1,167,301
NAICS:33325
Industry Type:Automation Machinery Manufacturing
Homepage:rockwellautomation.com
Rockwell Automation Risk Score (AI oriented)
Between 750 and 799
Rockwell AutomationAutomation Machinery Manufacturing
Updated:
13/04/2026
13/04/2026
775/1000
Fair
Baa
Rockwell Automation Global Score (TPRM)
xxxx
Rockwell AutomationAutomation Machinery Manufacturing
Score locked

Rockwell AutomationFair
Current Score
775Baa (FAIR)
01000
5 incidents
-8 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
778
JUNE 2026
777
MAY 2026
776
APRIL 2026
779
Vulnerability
07 Apr 2026 • Rockwell Automation
Rockwell Automation: U.S. Cybersecurity Agencies Warn of Rising Threats From Exposed Rockwell Automation PLCs
Thousands of Rockwell PLCs Exposed Online, Drawing Warnings from U.S. Agencies
775
CRITICAL-4
ROC1776083482
Thousands of Rockwell PLCs Exposed Online, Drawing Warnings from U.S. Agencies
Researchers at Censys have identified 5,219 Rockwell Automation programmable logic controllers (PLCs) accessible via the internet, with a significant concentration in the United States, heightening risks to critical infrastructure. The exposure of these operational technology (OT) devices has raised concerns about exploitation by advanced persistent threat (APT) groups, particularly those linked to Iran.
On April 7, 2026, the FBI, CISA, and NSA issued a joint advisory warning of active targeting by Iran-backed threat actors. The agencies emphasized the urgency of securing these systems, noting that such groups have historically sought to disrupt, gather intelligence, or demonstrate offensive capabilities against vulnerable OT environments.
The advisory recommends immediate disconnection of internet-facing PLCs where possible, alongside network segmentation, multi-factor authentication, and timely patching for cases where disconnection isn’t feasible. Additional measures include intrusion detection systems, behavioral analytics, and enhanced monitoring to detect unauthorized activity.
Exposed devices span energy, manufacturing, and water systems, sectors where a successful compromise could have severe economic and public safety consequences. The agencies stressed that operators must act swiftly to reduce the attack surface, as threat actors continue to scan for and exploit unsecured industrial systems at scale.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
REFERENCES
MARCH 2026
794
Cyber Attack
01 Mar 2026 • Rockwell Automation
Stryker and Rockwell Automation: Iranian hackers launching disruptive attacks at U.S. energy, water targets, feds warn
U.S. Government Warns of Iranian Cyberattacks Targeting Critical Infrastructure
778
CRITICAL-16
STRROC1775594506
U.S. Government Warns of Iranian Cyberattacks Targeting Critical Infrastructure
U.S. intelligence and cybersecurity agencies issued an urgent joint alert on Tuesday, warning that Iranian government-linked hackers are conducting disruptive cyberattacks against American energy and water infrastructure. The attacks, which have intensified since the onset of U.S.-Israel military strikes against Iran, specifically target operational technology (OT) systems, including programmable logic controllers (PLCs) from Rockwell Automation/Allen-Bradley.
The alert issued by the FBI, NSA, CISA, EPA, Energy Department, and Cyber Command details how Iran-affiliated advanced persistent threat (APT) actors have exploited internet-facing OT devices, leading to disruptions in critical infrastructure sectors. These attacks involve malicious interactions with project files and manipulation of human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems, resulting in operational disruptions and financial losses for victims.
Since March, the agencies have identified new victims tied to an Iranian APT group, with at least 75 devices compromised in earlier campaigns. Affected sectors include government services, water and wastewater systems (WWS), and energy. Some organizations have already experienced operational downtime due to the attacks.
This latest wave follows previous warnings about Iranian cyber threats, including a 2023 attack on a Pennsylvania water facility. Recent targets have also included major corporations like medtech firm Stryker and local government entities. Separately, the FBI had previously flagged Iranian hackers using Telegram to distribute malware, though that campaign predates the current conflict.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
REFERENCES
FEBRUARY 2026
794
JANUARY 2026
797
Vulnerability
13 Jan 2026 • Rockwell Automation
Güralp Systems, Rockwell Automation and YoSmart: CISA issues multiple ICS advisories, details DoS vulnerability risk in Rockwell devices used in critical manufacturing
CISA Publishes Advisories on Vulnerabilities in Rockwell Automation and YoSmart Products
793
CRITICAL-4
GURROCYOS1768400893
CISA Issues Critical ICS Advisories for Rockwell Automation and YoSmart Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released three new advisories and updated an existing one on Tuesday, highlighting significant vulnerabilities in industrial control systems (ICS) from Rockwell Automation and YoSmart. The advisories address risks in critical manufacturing and global communications sectors, with potential impacts ranging from denial-of-service (DoS) conditions to unauthorized device control.
### Rockwell Automation Vulnerabilities
1. CVE-2025-9368 (CVSS 7.5)
- Affects Rockwell Automation 432ES-IG3 Series A devices, specifically the GuardLink EtherNet/IP Interface.
- The flaw stems from uncontrolled resource allocation, allowing attackers to trigger a DoS condition requiring a manual power cycle to restore functionality.
- Mitigation: Users should upgrade to V2.001.9 or later; those unable to update should follow Rockwell’s security best practices.
2. CVE-2025-12807 (CVSS 8.8)
- Impacts FactoryTalk DataMosaix Private Cloud (versions 7.11, 8.00, and 8.01).
- The vulnerability involves SQL injection, enabling low-privilege users to execute unauthorized database operations via exposed API endpoints.
- Mitigation: Update to Version 8.01.02 or later.
### YoSmart YoLink Smart Hub Vulnerabilities
Multiple flaws were identified in the YoSmart YoLink ecosystem, affecting the Smart Hub, server, and mobile application (CVE-2025-59448, CVE-2025-59449, CVE-2025-59451, CVE-2025-59452), with a CVSS score of 5.8.
- Exploitation Risks:
- Remote device control of other users’ smart home devices.
- Session hijacking and sensitive data interception due to weak authorization controls and predictable device IDs.
- Cleartext transmission of data via unencrypted MQTT, exposing communications to interception or tampering.
- Long-lived session tokens in the mobile app, increasing the risk of unauthorized access.
- Technical Details:
- The YoLink MQTT broker (through 2025-10-02) lacks sufficient authorization checks, allowing cross-account attacks if device IDs are obtained.
- Device IDs are predictable, enabling attackers to gain control over any YoLink user’s devices.
- API endpoints use MD5 hashing of non-secret data (e.g., MAC addresses), further weakening security.
### CISA’s Recommendations
While no active exploitation has been reported, CISA advises organizations to:
- Minimize network exposure for ICS devices, ensuring they are not internet-accessible.
- Isolate control systems behind firewalls and separate them from business networks.
- Use secure remote access methods, such as updated VPNs, when necessary.
- Conduct risk assessments before deploying defensive measures.
The advisories underscore ongoing risks in ICS environments, particularly in critical infrastructure sectors. Organizations are urged to apply patches and follow CISA’s Defense-in-Depth Strategies for proactive cybersecurity.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
DECEMBER 2025
796
NOVEMBER 2025
796
OCTOBER 2025
795
SEPTEMBER 2025
795
AUGUST 2025
795
JUNE 2025
798
Vulnerability
16 Jun 2025 • Rockwell Automation
Rockwell Automation
Critical Remote Code Execution Vulnerability in Rockwell Automation ControlLogix Ethernet Modules (CVE-2025-7353)
794
CRITICAL-4
ROC405081825
A critical security vulnerability (CVE-2025-7353, CVSS 9.8) was discovered in Rockwell Automation’s ControlLogix Ethernet communication modules, exposing industrial control systems (ICS) to remote code execution (RCE) attacks. The flaw stems from an insecure default configuration in the web-based debugger (WDB) agent, left enabled in production environments. Unauthenticated attackers exploiting this vulnerability can dump memory, modify system operations, and manipulate industrial processes, posing severe risks to manufacturing, energy, or critical infrastructure.The affected modules (e.g., 1756-EN2T/D, 1756-EN3TR/B) serve as core interfaces between programmable automation controllers (PACs) and Ethernet networks. Successful exploitation could lead to operational disruptions, unauthorized access to sensitive data, or physical damage—such as halting factory production, tampering with safety systems, or causing cascading failures in industrial environments. While Rockwell released a patch (firmware 12.001), delayed updates increase exposure, particularly in sectors like energy, water treatment, or nuclear plants, where such attacks could escalate to life-threatening scenarios or regional economic threats if critical services are compromised.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
APRIL 2025
792
Vulnerability
01 Apr 2025 • Rockwell Automation
Rockwell Automation
Rockwell Automation Verve Asset Manager Vulnerability (CVE-2025-1449)
798
CRITICAL-6
ROC602040125
Rockwell Automation encountered a high-severity security vulnerability (CVE-2025-1449) in its Verve Asset Manager, affecting all versions up to 1.39. The flaw, due to inadequate input sanitization, could let attackers with administrative privileges execute arbitrary commands. With a CVSS base score of 9.1, the vulnerability poses a critical risk, potentially enabling the disruption of industrial processes, unauthorized access to sensitive data, or long-term presence within the network. Rockwell has released a patch in version 1.40 and recommends immediate upgrading to mitigate the issue.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Rockwell Automation ??
What was Rockwell Automation's A.I Rankiteo Cyber Score in June 2026 ??
What was Rockwell Automation's A.I Rankiteo Cyber Score in May 2026 ??
What was Rockwell Automation's A.I Rankiteo Cyber Score in April 2026 ??
What was Rockwell Automation's A.I Rankiteo Cyber Score in March 2026 ??
What was Rockwell Automation's A.I Rankiteo Cyber Score in February 2026 ??
What was Rockwell Automation's A.I Rankiteo Cyber Score in January 2026 ??
What was Rockwell Automation's A.I Rankiteo Cyber Score in December 2025 ??
What was Rockwell Automation's A.I Rankiteo Cyber Score in November 2025 ??
What was Rockwell Automation's A.I Rankiteo Cyber Score in October 2025 ??
What was Rockwell Automation's A.I Rankiteo Cyber Score in September 2025 ??
What was Rockwell Automation's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Rockwell Automation's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Rockwell Automation ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Rockwell Automation's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?