Security Experts:

Connect with us

Hi, what are you looking for?



New Vulnerabilities Allow Stuxnet-Style Attacks Against Rockwell PLCs

Researchers at industrial cybersecurity firm Claroty have identified two serious vulnerabilities that could allow malicious actors to launch Stuxnet-style attacks against programmable logic controllers (PLCs) made by Rockwell Automation.

Researchers at industrial cybersecurity firm Claroty have identified two serious vulnerabilities that could allow malicious actors to launch Stuxnet-style attacks against programmable logic controllers (PLCs) made by Rockwell Automation.

Claroty on Thursday published a blog post describing its findings. Separate advisories for the two vulnerabilities were also released on Thursday by the US Cybersecurity and Infrastructure Security Agency (CISA) and Rockwell Automation (account required).

One of the security holes, tracked as CVE-2022-1161 and classified as “critical,” affects various CompactLogix, ControlLogix, GuardLogix, FlexLogix, DriveLogix and SoftLogix controllers. The second flaw, tracked as CVE-2022-1159 and rated “high severity,” affects the Studio 5000 Logix Designer programming software that runs on engineering workstations.

According to Rockwell Automation and Claroty, the vulnerabilities can allow an attacker who has access to the victim’s systems to make changes to PLC program code and modify automation processes without being detected. This could result in significant damage, depending on the type of system controlled by the PLC.

This is reminiscent of the vulnerability exploited a decade ago by the notorious Stuxnet malware, which the United States and Israel used to cause damage to Iran’s nuclear program.

“An attacker with the ability to modify PLC logic could cause physical damage to factories that affect the safety of manufacturing assembly lines, the reliability of robotic devices, or in a much more dramatic example, as we saw with Stuxnet, attackers could damage centrifuges at the core of uranium enrichment at a nuclear facility,” Claroty researchers warned.

Stuxnet targeted Siemens devices, but vulnerabilities that can be exploited to achieve a similar goal have also been found in recent years in PLCs made by Schneider Electric and other vendors.

In the case of the vulnerabilities discovered recently by Claroty in Rockwell products, they target the process of developing code and transferring it to the PLC. This process consists of developing the code on an engineering workstation using the Studio 5000 software, compiling it to PLC-compatible binary code, and transferring that code from the engineering workstation to the PLC, where it will get executed.

Stuxnet attack on Rockwell PLC

The critical flaw enables an attacker — in combination with a previously disclosed Logix controller weakness — to deliver malicious code to a controller while the engineer is shown legitimate code in the programming software.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference

The second vulnerability can be exploited by an attacker with admin privileges to a workstation running the Studio 5000 software to intercept the compilation process and inject their own code into the user program, again without raising suspicion.

“The end result of exploiting both vulnerabilities is the same: The engineer believes that benign code is running on the PLC; meanwhile, completely different and potentially malicious code is being executed on the PLC,” Claroty explained. “Changes to the logic flow or predefined local variables will alter a PLC’s normal operation and can result in new commands being sent to physical devices, such as belts and valves controlled by the PLC.”

Rockwell has shared various mitigations that can be used to prevent these types of attacks and it has also developed a tool that can detect hidden code running on a PLC.

Related: New Module Suggests Fourth Team Involved in Stuxnet Development

Related: Flaws in Rockwell Automation Product Expose Engineering Workstations to Attacks

Related: Hackers Can Target Rockwell Industrial Software With Malicious EDS Files

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.