Critical Flaw in Rockwell ControlLogix CVE-2024-6242 – Trusted Slot Bypass Vulnerability

In July 2024, a serious security flaw was found in Rockwell Automation ControlLogix 1756 devices. These devices are used in many industries, including oil and gas, chemical processing, water treatment, power generation, and advanced manufacturing. This vulnerability, known as CVE-2024-6242, has a CVSS v3.1 score of 8.4, which means it is a serious problem.

The issue weakens the Trusted Slot function, a key security element in Rockwell chassis environments. By taking advantage of a flaw in Common Industrial Protocol (CIP) routing, attackers can send unauthorized commands to the CPU through a trusted module, which allows them to get around slot-level constraints.

Claroty’s Team82 found this vulnerability, and CISA later validated it. It has significant implications for the cybersecurity of industrial control systems (ICS). The following article discusses the technical details of the Rockwell ControlLogix CVE-2024-6242 vulnerability, how it can be exploited, how to fix it, and what we learned from it.

The ControlLogix 1756 chassis is the core of Rockwell’s modular PLC platform. A backplane links all the modules in a chassis, and those modules come in several types.

Controller modules (CPUs) are the brains of the system; they execute ladder logic, structured text, and process control routines. The automation system cannot perform its core functions without them.

I/O modules connect directly to sensors and actuators in the field. Digital and analog I/O cards handle signals from physical processes, which makes them essential for linking the control system to plant equipment.

Communication modules, such as the 1756-EN2T, EN2TR, EN3TR, EN4TR, and EN2TP, connect the chassis to Ethernet/IP networks so that engineers can monitor, configure, and exchange data with SCADA or DCS systems remotely.

What is the Trusted Slot Feature?

Rockwell included the Trusted Slot functionality to lower the risk of illegal communications inside the chassis. The reasoning is simple:

Administrators can mark certain chassis slots as “trusted.” These are usually the slots that carry network interface modules that engineers use to upload or download logic.

Every command aimed at the CPU from an untrusted slot is rejected. This stops faulty or rogue cards from issuing sensitive commands such as forcing I/O, uploading new logic, or overwriting projects.


In effect, this enforces a security boundary at the chassis level and gives operators assurance that only verified modules can send high-privilege commands to the CPU.

In theory, this should create strong separation. But the Rockwell ControlLogix CVE-2024-6242 vulnerability reveals a major gap in how this validation is performed.


The Vulnerability: CVE-2024-6242 Explained

Claroty’s Team82 found out that the Trusted Slot protection doesn’t adequately check the pathways of CIP (Common Industrial Protocol) messages.

  • CIP allows requests to move between different modules and slots by using path-based communication.
  • Under normal operation, an engineer’s workstation sends a packet to the CPU through a network card. The path records each “hop” across the chassis.
  • But this flexibility also makes it possible to hide the real source of a request by routing it in a roundabout way.

CIP Routing Weakness in Rockwell PLCs

  • When the CPU processes a CIP packet, it merely checks the last hop in the chain.
  • The CPU treats the request as safe if that last hop is in a trusted slot.
  • The CPU does not check whether the request came from an untrusted slot before passing through the trusted one.


  • An attacker who connects through an untrusted module can make a malicious CIP request that goes through a trusted slot before it gets to the CPU.
  • The CPU accepts the request without question since it just checks the last trusted slot.
  • This means that even a module that isn’t trusted can get higher privileges by taking advantage of routing logic.

Practical Impact

  • Attackers can download logic, rewrite project files, modify configuration settings, and add bad ladder logic.
  • The PLC might stop, change, or harm industrial operations, which could cause downtime, safety issues, or lost productivity.

The Common Industrial Protocol (CIP) supports fine-grained routing within Rockwell systems.

  • Each chassis slot has a unique number.
  • Forward Open requests carry a route path that describes how a message travels across the network and through the chassis.
  • For example:
    • A legitimate path might be Engineering Workstation → EN2T (Trusted Slot) → CPU.
    • An exploit path could be Attacker → Untrusted Slot → EN2T (Trusted Slot) → CPU.

The CPU carries out the malicious request even though it originated from an untrusted source, because it only verifies that the last step passed through the EN2T (trusted slot).

This design flaw makes the Trusted Slot functionality useless against smart attackers who know how CIP routing works.


Claroty Team82 produced an intrusion detection signature to help defenders.

  • The Snort rule finds CIP Forward Open Requests that have more than one backplane hop.
  • In real operations, most traffic goes straight from a trusted card to the CPU without being redirected.
  • Multiple hops, especially requests that go from one module to another before reaching the CPU, are rare and hence suspicious.
  • When security staff see such an alert, they can investigate and block the traffic before it causes damage.

This way of finding problems gives businesses a temporary shield until they can fix or replace devices that are at risk.
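The routing logic in the section above and the multi-hop detection idea in the Snort-rule bullets, modelled as an added Python example (not Rockwell firmware and not Team82’s rule): `last_hop_check` mirrors the last-hop-only validation the page describes, `full_path_check` is an assumed hardened variant that checks every slot a request crossed, and `backplane_hop_count` counts backplane segments the way a multi-hop detector would. Route strings use an assumed CIP-style “port,link” notation with port 1 as the backplane and the link address as the slot number.

```python
BACKPLANE_PORT = 1  # assumption: CIP port 1 is the chassis backplane, link = slot number


def parse_route(path: str) -> list[tuple[int, int]]:
    """Turn a CIP-style route such as '1,1/1,0' into [(port, link), ...]."""
    hops = []
    for seg in path.split("/"):
        port, link = (int(x) for x in seg.split(","))
        if port < 1 or link < 0:
            raise ValueError(f"malformed segment {seg!r}")
        hops.append((port, link))
    return hops


def slots_before_cpu(entry_slot: int, path: str) -> list[int]:
    """Slots a request crosses: the module it entered the chassis on, then every
    intermediate backplane hop. The final segment (the CPU slot) is excluded."""
    hops = parse_route(path)
    if hops[-1][0] != BACKPLANE_PORT:
        raise ValueError("route must terminate on a backplane (CPU) slot")
    return [entry_slot] + [link for port, link in hops[:-1] if port == BACKPLANE_PORT]


def last_hop_check(entry_slot: int, path: str, trusted: set[int]) -> bool:
    """Flawed logic as described for CVE-2024-6242: only the slot that handed the
    message to the CPU is compared with the trusted set."""
    return slots_before_cpu(entry_slot, path)[-1] in trusted


def full_path_check(entry_slot: int, path: str, trusted: set[int]) -> bool:
    """Assumed hardened variant: every slot the request crossed must be trusted."""
    return all(slot in trusted for slot in slots_before_cpu(entry_slot, path))


def backplane_hop_count(path: str) -> int:
    """Backplane segments in a Forward Open route. The detection idea on this page
    treats more than one such hop as rare and worth an alert."""
    return sum(1 for port, _ in parse_route(path) if port == BACKPLANE_PORT)


if __name__ == "__main__":
    # Constructed layout: CPU in slot 0, trusted EN2T in slot 1, untrusted card in slot 4.
    trusted = {1}
    direct = (1, "1,0")          # workstation -> EN2T -> CPU
    detour = (4, "1,1/1,0")      # untrusted card -> EN2T -> CPU
    for entry, route in (direct, detour):
        print(route, last_hop_check(entry, route, trusted),
              full_path_check(entry, route, trusted), backplane_hop_count(route))
```

The detour route passes the last-hop check but fails the full-path check, and its two backplane segments are exactly what a multi-hop detector would flag.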


A real-world attack that exploits the Rockwell ControlLogix CVE-2024-6242 vulnerability could unfold like this:

  • The attacker gains access by breaking into a remote engineering workstation or by exploiting a poorly segmented OT/IT network.
  • Once inside, they use regular CIP discovery techniques to identify ControlLogix chassis modules.
  • Knowing how the slots are laid out, the attacker crafts a CIP packet that first passes through a trusted slot (such as an EN2T) before reaching the CPU.
  • This makes the request look legitimate.
  • The CPU validates and executes the request because the last hop comes from a trusted slot.
  • The system never sees that the request originated from an untrusted source.
  • The attacker can download arbitrary ladder logic to alter process flows.
  • They might change configuration files to hide their presence.
  • In the worst cases, they could halt all operations, reducing both safety and availability.

This example shows how a mistake in a protocol might make a hardware-enforced security feature useless, which could put vital infrastructure at risk.


Rockwell has acknowledged that a number of product lines are affected. Some of them need firmware updates, while others must have their hardware replaced entirely.

| Product | First Affected Firmware | Fixed Firmware | Notes |
| --- | --- | --- | --- |
| ControlLogix 5580 (1756-L8z) | V28 | V32.016, V33.015, V34.014, V35.011+ | Update required |
| GuardLogix 5580 (1756-L8zS) | V31 | V32.016, V33.015, V34.014, V35.011+ | Update required |
| 1756-EN4TR | V2 | V5.001+ | Update required |
| 1756-EN2T (Series A/B/C) | V5.007 / V5.027 | No fix – must upgrade to Series D | Hardware replacement |
| 1756-EN2F (Series A/B) | Same as above | No fix – upgrade to Series C | Hardware replacement |
| 1756-EN2TR (Series A/B) | Same as above | No fix – upgrade to Series C | Hardware replacement |
| 1756-EN3TR (Series A) | Same as above | No fix – upgrade to Series B | Hardware replacement |
| 1756-EN2T (Series D) | V10.006 | V12.001+ | Update required |
| 1756-EN2F (Series C) | V10.009 | V12.001+ | Update required |
| 1756-EN2TR (Series C) | V10.007 | V12.001+ | Update required |
| 1756-EN3TR (Series B) | V10.007 | V12.001+ | Update required |
| 1756-EN2TP (Series A) | V10.020 | V12.001+ | Update required |

This table highlights a major challenge: older hardware series (A/B) cannot be patched and must be replaced, which costs operators significant money and time.


CISA and Rockwell suggest a number of ways to protect enterprises that cannot quickly patch or replace their equipment:

  • Setting the CPU’s physical mode switch to RUN blocks project downloads, which lowers the chance of malicious logic insertion.
  • This prevents reprogramming, but it does not block every malicious CIP command, so it should be combined with other defenses.
  • Proper separation of OT and IT networks is essential.
  • Firewalls should only allow CIP communications from approved engineering workstations and management systems.
  • Remote access should go through secure channels such as VPNs with multi-factor authentication.
  • Claroty’s Snort rule and similar tools can reveal suspicious CIP routing attempts.
  • Organizations can forward IDS alerts to a Security Information and Event Management (SIEM) platform for centralized monitoring.
  • Older Series A/B modules must be replaced with Series C or D hardware that supports patched firmware.
  • To avoid prolonged exposure, businesses should build this into their asset lifecycle planning.

Adopt Security Best Practices

  • Follow Rockwell’s System Security Design Guidelines, which stress least-privilege access, secure remote connections, and constant monitoring.
  • Check Rockwell advisories often and quickly install firmware upgrades as they come out.

The Rockwell CVE-2024-6242 problem teaches a few essential lessons:

  • Hardware Trust Alone Is Not Enough: If the communication protocol lacks strong validation, even chassis-level slot enforcement can be bypassed.
  • Vendor-Researcher Collaboration Is Essential: The cooperation between Claroty, Rockwell, and CISA made it possible to quickly release detection signatures, vendor advisories, and related guidance.
  • Secure-by-Design Protocols Are Needed: To eliminate path spoofing, future versions of CIP and other ICS protocols should include cryptographic source validation.
  • Defense-in-Depth Is Non-Negotiable: Operators must assume that any single control can fail. The only long-term solution is to layer multiple detection and prevention methods.
  • Plan for the Whole Lifecycle: Security should be a top priority in asset lifecycle management, not an afterthought that surfaces only when problems arise.


This vulnerability is especially problematic in today’s operational contexts, where IT and OT networks are converging.

  • Remote Engineering Access: Cloud-based SCADA or vendor maintenance sessions create additional entry points.
  • Third-Party Integrators: Contractors often connect laptops or temporary modules, so an untrusted module can end up in a slot without anyone noticing.
  • IoT and Edge Devices: As plants adopt IIoT sensors and edge gateways, more devices share the same network as core PLCs, which increases the opportunity for attackers to move laterally.


The Rockwell ControlLogix CVE-2024-6242 vulnerability shows that protocol design issues can weaken even trusted hardware-based defenses. Attackers can use CIP routing to bypass Trusted Slot enforcement and attack the CPU directly, putting critical industrial systems at risk of sabotage, disruption, or manipulation.

To protect themselves, businesses must:

  • Patch or replace vulnerable modules promptly.
  • Use IDS rules to detect malicious CIP traffic.
  • Restrict network access to critical PLCs.
  • Adopt a defense-in-depth strategy that combines firmware updates, monitoring, and architectural segmentation.

This case shows that industrial automation needs more than one layer of protection to stay secure. No single feature, not even a hardware-level protection like Trusted Slot, can guarantee safety. Keeping modern industrial networks secure requires constant vigilance, lifecycle management, and proactive threat detection.


CVE-2024-6242 is the issue at the heart of this article. It is a serious weakness in Rockwell ControlLogix 1756 PLCs. Attackers can get around the Trusted Slot feature and send unauthorized commands, which puts the electricity, oil and gas, and manufacturing industries at risk.

Rockwell’s key customers are in the oil and gas, energy, water treatment, automotive, pharmaceuticals, and advanced manufacturing industries. A lot of Fortune 500 firms use its ControlLogix PLCs and FactoryTalk software.

It is a security setting at the chassis level that marks certain slots as trusted. Only modules that fit in these slots, which are usually network cards, can send critical orders to the CPU.


Rockwell is mostly a product-based company that sells PLCs, drives, and automation software. It is a hybrid supplier because it also offers services including system integration, lifecycle support, and cybersecurity.

The problem is that the CPU only checks the last step in CIP routing. Attackers can get around constraints and get privileged access by sending requests through a trusted slot.

A problem like this is called a vulnerability. Attackers can take advantage of things like weak protocols, old firmware, or bad network segmentation.

The Trusted Slot feature is a Rockwell security feature that makes sure that only modules in approved slots can talk to the CPU at a high privilege level.
