The most operationally painful failure mode in industrial control is not a crash you can reboot through — it is a fault that requires re-loading the controller's program to recover. That is exactly the scenario CISA describes in ICSA-26-167-03, an advisory published June 16, 2026 covering Rockwell Automation's Logix 5370 and 5570 controller families, including CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570, and GuardLogix 5570.

The single vulnerability, CVE-2026-11317, is a denial-of-service issue triggered by a crafted CIP message. CISA rates it CVSS v3.1 7.5 and CVSS v4.0 8.7. The numbers are serious, but the qualitative description is what makes this advisory stand out from the routine flood of availability bugs.

"This can result in a major nonrecoverable fault (MNRF). A program download is required to recover." — CISA ICS Advisory ICSA-26-167-03

To appreciate why this advisory rewards a careful read, it helps to recall what these controllers actually do. The Logix 5370 and 5570 families are programmable automation controllers — the deterministic real-time computers that scan inputs, execute ladder logic or structured text, and drive outputs on a fixed cycle. The GuardLogix variants add safety-rated functions, the kind that participate in emergency stops and protective interlocks. A fault that forces a program reload on a controller in that role does not just pause production; it removes the device from service until a qualified engineer restores it, and on a safety controller it can trip the protective function the plant relies on. That context is what turns an ordinary availability bug into a genuine operational concern.

A major nonrecoverable fault — MNRF in Rockwell's terminology — is precisely as bad as it sounds. Where a typical denial-of-service condition resolves on its own once the malicious traffic stops, or recovers with a power cycle, an MNRF puts the controller into a state from which a simple restart will not bring it back. CISA's technical detail is explicit: the fault occurs when a crafted CIP message is sent, and recovery requires re-downloading the program to the controller. In a running plant, that means an engineer on site, a planned outage, and the loss of whatever process state the controller was managing.

The CIP attack surface, again

This is the third entry in the June 16 Rockwell batch to trace back to the Common Industrial Protocol, and the pattern is not coincidental. CIP was designed for trusted, switched plant networks where every node was assumed cooperative. The protocol's message-handling logic was never hardened against an adversary deliberately crafting malformed or boundary-pushing inputs, and modern controllers inherit that lineage. CISA even notes a resource-sensitivity wrinkle in this case: devices with less memory are more likely to be affected, which means the smaller, cheaper controllers — often the most widely deployed — are the most exposed.

From a security-systems standpoint, the defensive principle is the same one that hardened internet software a generation ago: validate every byte of attacker-controllable input, fail safe rather than fail into an unrecoverable state, and never let a single malformed message put a system into a condition that needs manual intervention. An MNRF is the antithesis of fail-safe design — it is a fault path that maximizes operator pain. The right architecture treats a bad CIP message as routine garbage to be dropped, not as an event that can corrupt the controller's operating state.

What to do

Rockwell's remediation is version-specific across the affected families — CompactLogix 5370 to 34.016 and later, Compact GuardLogix 5370 to 35.015 and later, ControlLogix 5570 to 36.012 and later, and GuardLogix 5570 to 37.011 and later — and CISA's advisory page carries the authoritative list. Until controllers are upgraded, the standing mitigations matter more than usual: keep these devices off any routable path from business or internet networks, segment the control network behind firewalls, and tightly restrict who and what can send CIP traffic to the controller.

The takeaway for operators is to weight this advisory by recovery cost, not just by its 7.5/8.7 scores. A denial-of-service bug that self-heals is an annoyance; one that demands a program download is an unplanned outage with a labor bill. For anyone running the affected Logix families on lower-memory hardware, ICSA-26-167-03 belongs near the top of the patch queue, and CISA's page is the source of record for the fixed firmware versions and the full CVSS vectors.

Why the CVSS number understates the pain

The 7.5 and 8.7 base scores deserve a caveat, because the standard CVSS availability metric does not capture the gulf between a recoverable and a nonrecoverable fault. The scoring vector treats the impact as a loss of availability, full stop; it has no field for "and recovery requires a site visit and a re-flash." Two bugs can share an identical availability rating while one self-heals in seconds and the other halts a line until an engineer with the right project file shows up. For risk-prioritization purposes, operators should read the qualitative recovery description alongside the score rather than sorting the patch queue purely by the number — an MNRF is a worse operational outcome than its base score communicates, and treating it as just-another-7.5 underweights it.

There is a design lesson embedded in the memory-sensitivity note as well. CISA observing that "devices with less memory are more likely to be affected" is a tell that the fault path involves resource exhaustion or an allocation that the smaller controllers cannot satisfy gracefully. That is the signature of a system that does not bound the resources a single incoming message can consume. Robust embedded design caps the work any one request can demand and rejects messages that would exceed that budget rather than entering a degraded state. The fact that the cheaper, more widely deployed hardware is the most exposed inverts the usual comfort that flagship gear takes the first hit — here the long tail of small controllers running critical processes is the population most at risk, and that is precisely the population least likely to have a tested re-download procedure on hand.
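The fail-safe, bounded-resource handling argued for in the two passages above (drop bad input as routine garbage; cap what one message can demand), as an added illustration that is not Rockwell's code and not derived from the advisory. It assumes the public 24-byte EtherNet/IP encapsulation header layout that carries CIP, an assumed per-message payload budget (ENIP_MAX_PAYLOAD), and constructed frames built by enip_check_case rather than captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* The EtherNet/IP encapsulation header is 24 bytes. ENIP_MAX_PAYLOAD is an assumed
 * per-message budget for a small controller (not a figure from the advisory). */
#define ENIP_HDR_LEN     24
#define ENIP_MAX_PAYLOAD 504
enum enip_verdict { ENIP_OK = 0, ENIP_DROP_SHORT, ENIP_DROP_LENGTH,
                    ENIP_DROP_BUDGET, ENIP_DROP_OPTIONS, ENIP_DROP_COMMAND };
typedef struct {
    uint16_t command, length;
    uint32_t session, status, options;
    uint8_t  context[8];
    uint8_t  payload[ENIP_MAX_PAYLOAD];  /* fixed size: the sender drives no allocation */
} enip_msg;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
/* Every failed check returns a drop verdict; no path faults or reads past n bytes. */
enum enip_verdict enip_parse(const uint8_t *buf, size_t n, enip_msg *out)
{
    static const uint16_t allowed[] = { 0x0000, 0x0004, 0x0063, 0x0064,
                                        0x0065, 0x0066, 0x006F, 0x0070 };
    size_t i, known = 0;
    if (n < ENIP_HDR_LEN) return ENIP_DROP_SHORT;                        /* truncated header */
    out->command = rd16(buf); out->length = rd16(buf + 2);
    if ((size_t)out->length > n - ENIP_HDR_LEN) return ENIP_DROP_LENGTH; /* header overstates size */
    if (out->length > ENIP_MAX_PAYLOAD) return ENIP_DROP_BUDGET;         /* over the fixed budget */
    out->options = rd32(buf + 20);
    if (out->options != 0) return ENIP_DROP_OPTIONS;                     /* spec requires zero */
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++) known |= (allowed[i] == out->command);
    if (!known) return ENIP_DROP_COMMAND;                                /* unknown command */
    out->session = rd32(buf + 4); out->status = rd32(buf + 8);
    memcpy(out->context, buf + 12, 8);
    memcpy(out->payload, buf + ENIP_HDR_LEN, out->length);  /* bounded by both checks above */
    return ENIP_OK;
}
/* Builds a constructed frame (not captured traffic) from the given header fields with a
 * zero payload, delivers only `received` bytes of it, and returns the parser's verdict. */
enum enip_verdict enip_check_case(uint16_t cmd, uint16_t declared_len,
                                  uint32_t options, size_t received)
{
    uint8_t frame[1024] = {0}; enip_msg msg;
    if (received > sizeof frame) received = sizeof frame;
    frame[0] = cmd & 0xFF;          frame[1] = cmd >> 8;
    frame[2] = declared_len & 0xFF; frame[3] = declared_len >> 8;
    for (int i = 0; i < 4; i++) frame[20 + i] = (options >> (8 * i)) & 0xFF;
    return enip_parse(frame, received, &msg);
}
```

A header that declares more payload than arrived, or more than the budget, is dropped before any copy or allocation happens, which is the property that keeps a malformed message from ever reaching a fault path.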