
Description

A sensitive information disclosure security issue exists within the affected CompactLogix controllers. The controller's web server exposes CIP Connection IDs on the diagnostics webpage, which are accessible to any unauthenticated user on the network. This information can be leveraged by an attacker to construct malicious packets, leading to Denial-of-Service.

PUBLISHED Reserved 2026-05-22 | Published 2026-06-16 | Updated 2026-06-16 | Assigner Rockwell




MEDIUM: 6.3 | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-497 Exposure of sensitive system information to an unauthorized control sphere

Product status

Default status: unaffected

V36 (custom): affected

Credits

This security issue was found by external researcher Tyler Lentz of Idaho National Laboratory (finder).

References

www.rockwellautomation.com/...dvisories/advisory.SD1776.html

cve.org (CVE-2026-9307)

nvd.nist.gov (CVE-2026-9307)
