Buried in CISA's June 16, 2026 Rockwell Automation cluster is an advisory that reads like a small design oversight but carries an instructive lesson about how protocol state should be protected. ICSA-26-167-04 covers Rockwell's 1769 CompactLogix controllers and pairs two CVEs — CVE-2025-11694 and CVE-2026-9307 — with CVSS scores ranging from a v3.1 7.5 down to medium-severity ratings of 5.3 and 6.3.
The combined impact, per CISA, is that successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition. That is the same outcome as several other entries in the batch, but the mechanism here is specific enough to be worth dwelling on, because it points to a recurring weakness in how industrial protocols defend their connection state.
"This allows attacker to abuse the exposed Connection ID's visible on the web interface to perform denial-of-service attacks, resulting in a minor fault." — CISA ICS Advisory ICSA-26-167-04
CISA's root-cause description is unusually precise: the issue arises from the missing validation of sequence numbers and source IP addresses in the CIP protocol. Two protections that mature networking stacks treat as table stakes — verifying that a packet's sequence number falls within an expected window, and confirming it originates from the expected peer — are absent. With those checks missing, an attacker who can observe a connection's identifier can inject traffic that the controller accepts as legitimate, and the connection IDs are not even hidden: they are visible on the web interface.
Exposed connection state is the design tell
For an analyst tracking the security posture of industrial product lines over time, this advisory is a clean example of a category of defect that signals deeper assumptions. Validating sequence numbers and source addresses is how a protocol resists spoofing and replay; their absence means the design implicitly trusted the network. That trust assumption was reasonable in the era of air-gapped, switched plant floors and is untenable now that controllers carry web interfaces and sit on converged IT/OT networks. The fact that the connection IDs the attacker needs are surfaced on the web interface compounds the problem — the attack does not even require traffic capture, only access to a management page.
The strategic read is that a vendor shipping controllers with web management interfaces inherits a web-era threat model whether or not the protocol underneath was designed for it. The mitigations are well understood: bind connection state to authenticated peers, validate sequence windows, and never expose internal identifiers on an interface an attacker might reach. When a protocol leaks the very tokens an attacker needs to hijack or disrupt a session, the leak is the vulnerability as much as the missing validation is.
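To make the two missing checks concrete, here is an added toy model (not code from the advisory, from Rockwell, or from the CIP specification) of a controller's connection table, with the ID-only lookup the advisory describes beside a peer-bound, sequence-windowed one. The field names, the 16-bit sequence space and the 64-packet window are assumptions chosen for the sketch.

```python
# Added example, not from the advisory or the vendor: a minimal model of
# connected-messaging state. The weak path trusts any packet that carries a
# known connection ID; the hardened path binds the connection to the peer that
# opened it and enforces a sequence window. Sizes below are assumptions.
from dataclasses import dataclass

SEQ_BITS = 16   # assumed sequence-number width
WINDOW = 64     # assumed acceptance window: how far ahead a sequence may run

@dataclass
class Packet:
    conn_id: int
    seq: int
    src_ip: str

@dataclass
class Connection:
    conn_id: int
    peer_ip: str    # the peer that opened the connection
    next_seq: int   # next sequence number the controller expects

def in_window(expected: int, seq: int, window: int = WINDOW, bits: int = SEQ_BITS) -> bool:
    """True if seq lies in [expected, expected + window) modulo 2**bits."""
    return (seq - expected) % (1 << bits) < window

def accept_weak(table: dict, pkt: Packet) -> str:
    """Looks up the connection by ID alone: whoever knows the ID is trusted."""
    return "accept" if pkt.conn_id in table else "reject:unknown-connection"

def accept_hardened(table: dict, pkt: Packet) -> str:
    """Requires the originating peer to match and the sequence to be in window."""
    conn = table.get(pkt.conn_id)
    if conn is None:
        return "reject:unknown-connection"
    if pkt.src_ip != conn.peer_ip:
        return "reject:wrong-peer"
    if not in_window(conn.next_seq, pkt.seq):
        return "reject:out-of-window"
    conn.next_seq = (pkt.seq + 1) % (1 << SEQ_BITS)
    return "accept"

def demo():
    # Constructed sample state: one open connection from 10.0.0.5, expecting seq 100
    table = {0x1A2B: Connection(0x1A2B, "10.0.0.5", 100)}
    legit = Packet(0x1A2B, 100, "10.0.0.5")
    # Same connection ID presented by a different host with a stale sequence number
    other_host = Packet(0x1A2B, 7, "10.0.0.99")
    return (accept_weak(table, other_host),      # "accept": ID alone is enough
            accept_hardened(table, other_host),  # "reject:wrong-peer"
            accept_hardened(table, legit))       # "accept"
```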
What operators should weigh
The saving grace, relative to the more severe entries in the June 16 batch, is that CISA characterizes the resulting fault as minor — a recoverable disruption rather than the major nonrecoverable fault described in the companion Logix advisory. That difference should inform patch prioritization: this is a real availability risk, but not the unrecoverable, program-download-required scenario that demands immediate attention. Still, the medium-and-high CVSS spread (5.3, 6.3, and 7.5 across the two CVEs) reflects a genuine exposure on a widely deployed controller family.
The defensive actions are familiar. Apply Rockwell's fixed firmware on the affected 1769 CompactLogix line, and in the meantime restrict access to the controllers' web interfaces and CIP endpoints so that the exposed connection IDs cannot be reached by untrusted hosts. CISA's standing guidance — keep control devices off the public internet, segment them behind firewalls, and use hardened remote-access methods where remote management is required — directly addresses the web-interface exposure at the heart of this advisory.
An old networking lesson, relearned
The sequence-number-and-source-address failure is not a new category of mistake; it is one the broader internet learned painfully in the 1990s. TCP sequence-number prediction attacks, and the spoofing-based session hijacks that followed, drove the adoption of randomized initial sequence numbers and, later, cryptographic session protection. The CompactLogix issue is the same shape of problem appearing in an industrial protocol that never went through that hardening cycle, because for most of its life it ran on networks where spoofing was not part of the threat model. Watching an OT protocol re-encounter a class of attack that IP networking addressed a generation ago is a useful reminder that operational technology is, in security terms, roughly two decades behind the commercial internet and is closing that gap one advisory at a time.
The web-interface exposure is the part operators can most directly control today. A protocol weakness in firmware has to wait for a vendor patch, but the decision to expose a controller's management web interface to a broad network is an architectural choice an operator makes. Connection IDs that are "visible on the web interface" only help an attacker who can reach that interface; tightening who can load that page shrinks the attack surface immediately, independent of the firmware fix. The pairing of a protocol flaw with an information-disclosure surface is a recurring motif in industrial advisories, and the practical defense is to assume the disclosure surface exists and to gate access to it accordingly rather than relying on it staying hidden.
CISA's advisory page is the authoritative source for affected versions, the vendor's remediation, and the full CVSS vectors for both CVEs. Within the broader pattern of the June 16 Rockwell disclosures, ICSA-26-167-04 is the entry that best illustrates a structural truth: an industrial protocol that does not validate who is talking to it, on a controller that publishes its connection state to a web page, is a denial-of-service waiting to be triggered.