2025-02-27 - Version 2

How to find Rockwell Automation devices

Latest Rockwell Automation vulnerability

Rockwell Automation has disclosed a vulnerability in their GuardLogix and Compact GuardLogix products.

CVE-2025-24478 is rated high, with a CVSS score of 7.1. Successful exploitation of this vulnerability would allow attackers to create an unrecoverable denial-of-service condition, requiring power cycling of the device to restore function. This vulnerability is exploitable over the network and without authentication.

The following devices are affected by this vulnerability:

GuardLogix 5580 (SIL 3 with the safety partner 3): Versions prior to V33.017, V34.014, V35.013, V36.011
Compact GuardLogix 5380 SIL 3: Versions prior to V33.017, V34.014, V35.013, V36.011

Are updates or workarounds available?

Rockwell Automation has released patches for the affected product. Users are advised to update their systems as quickly as possible.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate potentially vulnerable systems:

hw:"Rockwell Automation%Logix%5_80"

October 2024: FactoryTalk ThinManager

Rockwell Automation has disclosed multiple vulnerabilities in their FactoryTalk ThinManager product.

CVE-2024-10386 is rated critical, with a CVSS v4 score of 9.3 and allows attackers with network access to send specially crafted packets that result in database manipulation.

CVE-2024-10387 is rated high, with CVSS v4 score of 8.7 and allows attackers with network access to send specially crafted packets to the device potentially triggering a denial-of-service.

The following versions are currently affected by these vulnerabilities:

ThinManager: Versions 11.2.0 to 11.2.9
ThinManager: Versions 12.0.0 to 12.0.7
ThinManager: Versions 12.1.0 to 12.1.8
ThinManager: Versions 13.0.0 to 13.0.5
ThinManager: Versions 13.1.0 to 13.1.3
ThinManager: Versions 13.2.0 to 13.2.2
ThinManager: Version 14.0.0

Are updates or workarounds available?

Rockwell Automation has released patches for the affected product. Users are advised to update their systems as quickly as possible. In addition, users are advised to limit communications to TCP 2031 to only the devices that need connection to the ThinManager.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND tcp:2031

September 2024: ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix

Rockwell Automation has disclosed multiple vulnerabilities in their ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix products.

Successful exploitation of these vulnerabilities result in devices becoming inaccessible remotely and crashing and then require manual intervention to restart them.

CVE-2024-6077 is rated high, with a CVSS v4 score of 8.7.

Are updates or workarounds available?

Rockwell Automation has released patches and guidance for affected systems. Users are advised to upgrade as quickly as possible. Users may also disable CIP security on these devices to mitigate the issue.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND (hw:"1756-EN2" OR hw:"1756-EN2" OR hw:"1756-ENBT" OR hw:"1756-CN2/B" OR hw:"1756-CN2/A" OR hw:"1756-CNB/D," OR hw:"1756-CNB/E")

August 2024: ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix

Rockwell Automation has disclosed multiple vulnerabilities in their ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix products.

Successful exploitation of these vulnerabilities result in devices becoming inaccessible remotely and crashing and then require manual intervention to restart them.

CVE-2024-40619 is rated medium with CVSS score of 7.5 and indicates a denial-of-service scenario due to a malformed CIP packet which causes a device to crash and require a manual restart.

Affected Product	First Known in Firmware Revision	Corrected in Firmware Revision
ControlLogix 5580	v34.011	v34.014+
GuardLogix 5580	v34.011	v34.014+

Are updates or workarounds available?

Rockwell Automation suggests updating devices to the corrected firmware revision.

CVE-2024-7515 is rated high with CVSS score of 8.6 and indicates a denial-of-service scenario due to a malformed PTP management packet which causes a device to crash and require a manual restart.
CVE-2024-7507 is rated medium with CVSS score of 7.5 and indicates a denial-of-service scenario due to a malformed PCCC packet which causes a device to crash and require a manual restart.

Rockwell Automation suggests updating devices to the corrected firmware revision. Additionally, they recommend restricting communication to CIP object 103 (0x67).

Affected Product	Firmware Revision Prior To	Corrected in Firmware Revision
CompactLogix 5380 (5069 – L3z)	v36.011, v35.013, v34.014	v36.011, v35.013, v34.014
CompactLogix 5480 (5069 – L4)	v36.011, v35.013, v34.014	v36.011, v35.013, v34.014
ControlLogix 5580 (1756 – L8z)	v36.011, v35.013, v34.014	v36.011, v35.013, v34.014
GuardLogix 5580 (1756 – L8z)	v36.011, v35.013, v34.014	v36.011, v35.013, v34.014
Compact GuardLogix 5380 (5069 – L3zS2)	v36.011, v35.013, v34.014	v36.011, v35.013, v34.014

In all of the cases above users should ensure these devices are isolated in their own networks to prevent unwanted packets flooding the device.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND (hw:"1756-EN2" OR hw:"1756-EN2" OR hw:"1756-ENBT" OR hw:"1756-CN2/B" OR hw:"1756-CN2/A" OR hw:"1756-CNB/D," OR hw:"1756-CNB/E")

August 2024: ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules

On August 1st, 2024, Rockwell Automation disclosed a vulnerability in their ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules products.

CVE-2024-6242 is rated high with CVSS score of 7.3 and allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller.

Successful exploitation of these vulnerabilities on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.

Are updates or workarounds available?

Rockwell Automation recommends upgrade devices to apply fixes for the affected devices.

Affected Product	First Known in Firmware Revision	Corrected in Firmware Revision
ControlLogix® 5580 (1756-L8z)	V28	V32.016, V33.015, V34.014, V35.011 and later
GuardLogix® 5580 (1756-L8zS)	V31	V32.016, V33.015, V34.014, V35.011 and later
1756-EN4TR	V2	V5.001 and later
1756-EN2T , Series A/B/C 1756-EN2F, Series A/B 1756-EN2TR, Series A/B 1756-EN3TR, Series B	v5.007(unsigned) / v5.027(signed)	No fix is available for Series A/B/C. Users can upgrade to Series D to remediate this vulnerability
1756-EN2T, Series D 1756-EN2F, Series C 1756-EN2TR, Series C 1756-EN3TR, Series B 1756-EN2TP, Series A	1756-EN2T/D: V10.006 1756-EN2F/C: V10.009 1756-EN2TR/C: V10.007 1756-EN3TR/B: V10.007 1756-EN2TP/A: V10.020	V12.001 and later

Additionally, limit the allowed CIP commands on controllers by setting the mode switch to the RUN position.

How runZero users found potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"1756-EN2" OR hw:"1756-EN3" OR hw:"1756-EN4"

April 2024: ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR

In April 2024, Rockwell Automation disclosed a vulnerability in their ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR products.

CVE-2024-3493 was rated high with CVSS score of 8.6 and involved a specific malformed fragmented packet type which could cause a major nonrecoverable fault (MNRF) in Rockwell Automation’s ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR. If exploited, the affected product would become unavailable and require a manual restart to recover it.

What was the impact?

Successful exploitation of these vulnerabilities resulted in devices becoming inaccessible remotely and crashing and then require manual intervention to restart them.

Rockwell Automation provided software updates for the impacted versions.

Affected Product	First Known in Firmware Revision	Corrected in Firmware Revision
ControlLogix® 5580	V35.011	V35.013, V36.011
GuardLogix 5580	V35.011	V35.013, V36.011
CompactLogix 5380	V35.011	V35.013, V36.011
1756-EN4TR	V5.001	V6.001

How runZero users found potentially vulnerable systems

From the Asset Inventory, runZero users could use the following query to locate systems running potentially vulnerable software:

hw:"1756-EN4TR"

March 2024: Rockwell Automation PowerFlex 527

In March 2024, Rockwell Automation disclosed multiple vulnerabilities in their PowerFlex 527 product.

CVE-2024-2425 and CVE-2024-2426 are both rated high with CVSS score of 7.5 and both involve improper input validation which could cause a web server to crash and CIP communication disruption, respectively, which leads to requiring manual restarts.

CVE-2024-2427 is rated high with CVSS score of 7.5 and indicates a denial-of-service scenario due to improper network packet throttling which causes a device to crash and require a manual restart.

What was the impact?

Successful exploitation of these vulnerabilities result in devices becoming inaccessible remotely and crashing and then require manual intervention to restart them.

Are updates or workarounds available?

Rockwell Automation does not currently have a fix for these vulnerabilities. Users of the affected software are encouraged to apply risk mitigations and security best practices, where possible.

Users should disable the web server if it is not needed, which should be disabled by default. Additionally, users should ensure these devices are isolated in their own networks to prevent unwanted packets flooding the device.

How to find potentially vulnerable PowerFlex products

From the Asset Inventory, runZero users used the following query to locate systems running potentially vulnerable software:

hw.product:"powerflex"

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

2025 runZero

NordLayer is bringing next-level security to organizations: introducing a new-gen Enterprise Browser

Summary: The future of secure browsing is here. NordLayer’s new-gen Enterprise Browser with NordVPN standards is coming. Join the waiting list today.

Today, web-based apps are at the heart of business operations, with 80% of work done in a web browser. As companies move core tools online for flexibility, collaboration, and real-time updates, the browser has become both the new workspace and the frontline of cyber risks.

The growing adoption of bring-your-own-device (BYOD) policies adds another layer of threats. Two-thirds of organizations say at least 50% of their network devices are unmanaged, with growing risks from phishing and malware to unauthorized data sharing. That’s why CISOs and security teams are shifting their focus to this expanded attack surface.

If your business relies on web-based applications, like Google Docs, Hubspot, Salesforce, Asana, Figma, Microsoft 365, and many others, an enterprise browser is no longer optional. It’s a critical part of your cybersecurity strategy. It helps protect business data while reducing the risks and costs of handling unmanaged devices.

For NordLayer, introducing an enterprise browser is a natural next step. Backed by Nord Security and built on the NordVPN standard, we’ve strengthened business network defense. Now, we’re bringing that protection to the browser.

In this article, we’ll explore the rise of web-based apps, the security challenges they bring, why traditional browsers aren’t enough for business security, and what to expect from the NordLayer Enterprise Browser.

Key takeaways

Browsers are becoming the main workspace, making collaboration easy and supporting growth. But they also bring web-based risks.
Unlike traditional browsers, the NordLayer Enterprise Browser will focus on providing more control and security for organizations of all sizes.
With the NordLayer Browser, users can safely access web-based applications, reducing risks, such as phishing attacks, malware infiltration, unauthorized data sharing, and unsafe file transfers.
CISOs and security teams will have greater control, from monitoring activity to managing resource and network access, all without disrupting workflows.

Why the future of work is browser-based

Web-based apps are replacing traditional desktop software, and browsers are becoming the main workspace. According to Forbes, half of workers can do their entire job in a web browser.

But while browsers have become essential in modern workflows, they are also vulnerable to attacks. Every session is a roll of the dice, with risks lurking at every click.

Unmanaged devices add to the problem. As the 2024 Browser Security Report states, 62% of employees access corporate data on unmanaged devices, and 45% use personal browser profiles on work devices. This exposes businesses to data leaks and phishing.

And it’s not just users. Many organizations report that at least half of their network devices are unmanaged, creating a massive blind spot for security teams. But unmanaged doesn’t mean it should be ignored—CISOs and security teams still need solutions to protect it. Without proper security, the browser can be a ticking bomb.

According to Gartner, enterprise browsers will be the go-to tool for productivity and security by 2030. They’ll work across both managed and unmanaged devices, making hybrid work smoother than ever.

The future of work is clearly browser-based. But while it has many benefits, it also raises new risks for business data exposure. Let’s take a closer look at the dangers of traditional browsers.

The hidden risks of traditional browsers

Traditional web browsers like Chrome or Firefox have basic built-in security features, but they aren’t designed for business needs. They’re tailored more for personal use, not for protecting corporate sensitive data.

In contrast, enterprise browsers give security teams the power to centrally control settings, enforce security policies, and gain detailed visibility—something that traditional browsers just can’t match.

Now, let’s take a closer look at the risks that come with using regular browsers in the workplace:

Limited control: IT teams have little visibility or ability to enforce security policies.
Weak data protection: Consumer browsers lack enhanced security features and management controls tailored for business environments.
Unmanaged updates: Users may delay updates, leaving browsers vulnerable to known exploits.
Lack of security enforcement: Employees can bypass security settings, leaving the company exposed to attacks.
Risky third-party integrations: Syncing personal accounts or using unvetted browser add-ons can compromise sensitive business data.
Lack of centralized observability. Admins can’t observe and mitigate insider threats or user behavior risks.

That’s why your organization needs an enterprise browser—a tool for securing sensitive data at every level.

Why businesses should use enterprise browsers

With remote work, web-based tools, and BYOD policies becoming the norm, businesses need a browser that works for them—not against them. Traditional browsers lack the security, observability, and management features organizations require, leaving security teams without the tools to detect threats, respond effectively, and control access. With greater visibility, they can shift from reactive fixes to proactive threat prevention and informed decision-making.

Enterprise browsers offer a smarter way to secure work without disrupting employees. They provide:

Centralized security control: Admins can enforce policies, restrict risky behaviors, and help ensure compliance.
Stronger threat prevention: Built-in security features and data collection help detect and mitigate threats.
Simplified network security: Ideal for organizations with unmanaged devices, helping ensure security without requiring additional endpoint software.
Better BYOD support: Employees can securely access company resources through the enterprise browser.
A user-friendly approach: Employees don’t need to install intrusive security apps—admins manage only the dedicated work browser, keeping personal browsing separate.

The way businesses work has changed, and their browsers should, too. Enterprise browsers combine security, control, and ease of use, helping organizations stay ahead of cyber threats without adding complexity.

Why NordLayer’s upcoming Enterprise Browser stands out

NordLayer, a part of Nord Security and built on the NordVPN standard, goes beyond traditional security. Our multi-layered complete security solution keeps businesses a step ahead. Now, we’re building an enterprise browser designed to put security and functionality first.

NordLayer Browser is designed for the way companies work today. Security teams will be able to manage security settings and network access, as well as monitor activity, all while ensuring that users can work without disruptions.

“Introducing an enterprise browser is a natural progression for us. We’ve established a strong foundation in securing business networks, empowering organizations to protect and manage their traffic at the network level. And over the past two years, we’ve already made strides in the browser security space with the launch of our Browser Extension. As enterprises increasingly depend on web applications, it’s clear that the browser has become a critical gateway essential not just for productivity but also as a frontline for security,” says Donatas Tamelis, managing director at NordLayer. “With the introduction of a full-fledged enterprise browser, CISOs and security teams will be able to control security settings in the browser, manage network access and segmentation, and observe users’ activity—without interrupting them.”

What you can expect from the NordLayer Enterprise Browser

Enhanced security measures and more control: The browser will offer high-level observability and full-scale response features—all in one package.
A combination of ZTNA and SWG for a unified solution. The browser will merge years of NordLayer experience and the capability to combine Zero Trust Network Access (ZTNA) and Secure Web Gateway (SWG) features into one solution.
Data loss prevention (DLP). Controls for copy-paste functionality, as well as camera and microphone use and prevention of unauthorized downloads and uploads, will help protect sensitive company information.
Centralized control. The enterprise browser will allow CISOs and security teams to establish and enforce advanced security policies for all users effortlessly.
Support for business growth. Designed to scale with businesses, it will ensure security without disrupting workflows or compromising employee productivity.

Let’s now discuss how our browser will address web-based threats.

Challenges NordLayer Enterprise Browser will solve

As more work moves online, businesses are facing three major security challenges. The need for robust protection has never been greater. That’s why our upcoming browser is designed to tackle them head-on:

Securing the shift to web-based apps: As more businesses rely more on web-based applications, a secure browser is essential for protection and smooth operations.
Refined device oversight: Our browser will allow businesses to transition from fully managed to partially unmanaged hardware, reducing device management costs.
Enhancing web security: Since browsers are prime targets for threats, we’re building a browser that will defend against malicious websites, phishing, and more.

Key benefits in development

Our browser will simplify security so you can focus on what matters—your work. Here are its benefits for IT admins.

Observability: Full visibility into browser activity.
Access management: Precise control over access permissions.
Threat mitigation: Protection from internal and external risks.
Cost reduction: Streamlined device management lowers costs.

But that’s not all. It will also ensure a seamless experience with added security for end-users working remotely with BYOD setups.

Join the future of safe browsing with NordLayer

The future of secure browsing is here, and NordLayer is ready to lead the way. Our browser is designed to address modern workplace challenges. From protecting company resources to defending your business against web-based threats, we’ve got your back.

Don’t miss out. Join the waiting list now and stay tuned for all the latest updates. Your secure browsing journey starts with NordLayer. Today.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About Version 2 Digital

From Endpoints to Identities: Why MSPs Need a User-Centric Approach

How many devices are you managing in your network?

That’s not a rhetorical question. A study found that 47% of companies allow employees to access their resources on unmanaged devices.

But how can you protect those unmanaged devices if you don’t even know who has access to them? Another important thought to consider is who accepts blame in the event of a breach. Hopefully, it’s not you or your team.

We’re going to discuss a strategy that makes each individual fully accountable for their actions. This is known as a user-centric approach. We’ll explore how this method works and how you can successfully implement it to strengthen your overall cybersecurity posture.

The Need for a User-Centric Approach

The rules have changed since COVID-19 introduced the WFH model. Literally, access was once granted freely without strict verification processes.

BYOD became the norm, with employees using personal devices to access confidential documents and communicate via private company Slack channels, often from a cafe or other public hotspot, without approval from IT. Yes, indeed, the cringe was quite real.

Employees and third parties enjoyed open access to the corporate network from any location and any device. This led to many security incidents and breaches, which forced organizations and IT departments to rethink how access should be granted.

This meant that any threat actor within proximity could potentially intercept all traffic and use it to launch a man-in-the-middle attack, exfiltrate data, or compromise user credentials.

Today, every device, user, and identity must be verified before accessing the corporate network. No exceptions. A user-centric approach connects the security dots back to a specific user in the organization and ensures accountability for every action taken.

A user-centric approach enables MSPs to deploy more effective BYOD policies and tighten access controls by focusing on the specific roles and needs of each user within the organization.

This involves isolating devices and implementing least privilege access, ensuring that users are granted only the minimum permissions necessary to perform their day-to-day tasks. For example, a third party providing outsourced services should not have access to financial transactions or payroll systems.

A user-centric approach greatly reduces the risk of unauthorized access or accidental data exposure that can lead to a breach. And why take that risk? Seriously.

4 Ways a User-Centric Approach Works for MSPs

Proactive threat monitoring: Suspicious user behavior, such as unusual login times or login attempts, might signal a threat actor in your network. A Managed Detection and Response (MDR) helps by continuously monitoring user activity and network traffic to detect and mitigate potential threats in real-time. An unknown user who tried to access your network from an unfamiliar location or unusual hour would be flagged by the MDR service, triggering automated alerts for further investigation.

Accountability: This refers to the ability to trace actions back to specific users. If a user attempts to access a system or application they’re not authorized to, an automated alert is sent out, notifying the security team that suspicious activity has been recorded and traced back to the individual user. Details such as the user’s identity, time of access attempt, geolocation, device type, and the resource in question all help security teams assess the situation and enforce internal policies before anything escalates.

Improved access controls: Does the junior analyst have access to financial slide decks or sensitive data unrelated to their role? A user-centric approach ensures they don’t. Instead, access is tightly controlled based on the principle of least privilege.

Multi-factor authentication (MFA) also helps improve access controls by requiring users to verify their identity through a second factor, linking all actions to verified identities and ultimately to the root cause or culprit of the potential threat.

Increased endpoint security: It’s one thing to keep track of how many endpoints are in your organization, and even that’s difficult, but imagine trying to do so for an enterprise with over 5,000 employees and a ton of unvetted third parties. If that’s not challenging enough, how about the number of identities continuously being created, updated, or removed across the organization? Is your head spinning yet?

Endpoint security is a constant battle without the right tools and strategies.

A user-centric approach focuses on securing devices by connecting them directly to the identities of the users who operate them. Whether it’s on a personal laptop, iPhone, or a corporate-issued desktop, every device is treated as an extension of the user’s identity.

Every last digital step can be traced back to an individual user, providing a clear audit trail of actions taken on that device. Did that user login from a secured gateway? Did they enable MFA? Was the device running the latest Windows OS updates before they shared a sensitive file?

A user-centric approach takes the guesswork out and helps address these critical questions from the endpoint, where most security breaches begin.

Guardz ensures that company-managed devices are fully protected and monitored from malicious threats. Guardz detects outdated operating systems and vulnerable software so you can take immediate action.

Amplify Threat Detection and Response with The Ultimate Cybersecurity Plan

Introducing a new user-centric approach to unified detection and response. The Ultimate Cybersecurity Plan for MSPs.

The Ultimate Cybersecurity Plan builds on the Guardz platform’s holistic, user-centric approach to security by incorporating managed SentinelOne EDR capabilities with Guardz MDR. Guardz empowers MSPs to monitor and resolve incidents from a single interface.

Guardz MDR aggregates signals from multiple layers of security identities, endpoints, email, cloud, and data into a user-centric analysis that detects complex indicators of compromise (IOCs) and automatically responds to them.

Enhance incident response times and go beyond endpoint protection with The Ultimate Cybersecurity Plan. Get automated detection and response today.

Speak with one of our experts

About Guardz
Guardz is on a mission to create a safer digital world by empowering Managed Service Providers (MSPs). Their goal is to proactively secure and insure Small and Medium Enterprises (SMEs) against ever-evolving threats while simultaneously creating new revenue streams, all on one unified platform.

About Version 2 Digital

Guardz 2025