CVE-2026-9307 | A sensitive information disclosure security issue exists wit… | CVSS 6.3 MEDIUM

Description

A sensitive information disclosure security issue exists within the affected CompactLogix controllers. The controller's web server exposes CIP Connection IDs on the diagnostics webpage, which are accessible to any unauthenticated user on the network. This information can be leveraged by an attacker to construct malicious packets, leading to Denial-of-Service.

Metadata

CVE ID: CVE-2026-9307
State: PUBLISHED
Assigner: Rockwell
Reserved: 2026-05-22 18:09 UTC
Published: 2026-06-16 13:42 UTC
Last updated: 2026-06-16 17:49 UTC
Primary CWE: CWE-497
CWE-497 Exposure of sensitive system information to an unaut…
Vendor / Product: Rockwell Automation / CompactLogix 5370
Sources: cve.org · NVD

Severity & Metrics

6.3 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Rockwell Automation	CompactLogix 5370	—	V36

Weakness (CWE)

CWE	Source	Description
CWE-497	cna	CWE-497 Exposure of sensitive system information to an unauthorized control sphere

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References (1)

https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1776.html