External risk intelligence

5380/5480/5580 Controller Firmware Denial-of-Service Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2025-11698

The vulnerability affects boot firmware in hardware controllers. Such components are typically deeply embedded, managed locally or within isolated industrial control networks, and are not designed for direct exposure to the public internet.

Buffer Overflow

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A denial-of-service vulnerability has been identified in the boot firmware of certain industrial controllers. If exploited, an attacker could write invalid data, causing the device to become permanently unresponsive, disrupting operations. The primary concern is to confirm whether these specific controller models are in use and, if so, to understand the potential for exposure.

  • Uncontrolled data writing can crash industrial controllers.
  • Confirms if specific controller models are in use.
  • Assess relevance and confirm exposure in your environment.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending invalid file data to vulnerable controllers, potentially leading to a major non-recoverable fault. This scenario implies an attacker capable of interacting with the controller's file system, possibly through a network connection or other means of data input.

  • Requires network access to the controller.
  • Achieved by writing invalid file data.
  • Results in a non-recoverable device fault.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability affects specific industrial controllers, potentially allowing a malicious user to write invalid file data to the controller. When supported by the advisory, this could cause the device to enter a major non-recoverable fault (MNRF), disrupting its normal operation.

  • Industrial controller boot firmware is at risk.
  • Invalid file data could be written.
  • Device may enter a non-recoverable fault.

Operational Fix

Recommended remediation, mitigation, and detection steps

This denial-of-service vulnerability in controller boot firmware requires infrastructure or platform teams to identify affected devices. The first practical step is to locate all instances of the affected hardware, assess their network reachability and business criticality, and then assign ownership for remediation planning based on the identified risk.

  • Infrastructure or platform teams own.
  • Verify device reachability and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What are the 5380, 5480, and 5580 controllers?

These are industrial controllers used to manage automated processes and machinery in manufacturing or infrastructure environments. They rely on boot firmware to initialize hardware operations upon startup. The controllers are specialized computing platforms that execute logic to control physical devices, making the integrity of their boot firmware essential for reliable, continuous operation.

What is the vulnerability in CVE-2025-11698?

This CVE involves a weakness categorized as CWE-120, which relates to improper handling of data buffer boundaries. In this specific case, the controller's boot firmware does not properly validate incoming file data. This allows an attacker to write invalid data into the system, overwhelming the device and forcing it into a major non-recoverable fault state, effectively rendering the hardware unusable.

How can an attacker trigger this fault?

An attacker triggers this condition by sending malformed or invalid file data to the controller. This requires network access to the device. The bug is not triggered by standard operations or valid configuration updates; it specifically requires a malicious action intended to push corrupt data into the device's file-handling processes to cause the fault.

Do I need to worry about this if my controller is internal?

Halo Surface Signal indicates that this risk is very unlikely for devices not exposed to the public internet. Because these controllers are typically housed in isolated industrial networks or managed locally, they are not usually accessible from outside environments. If your controllers are physically or logically segmented from external networks, the likelihood of an attacker reaching them is significantly reduced.

What should I do first if I use these controllers?

Your first step is to perform an inventory to locate all 5380, 5480, and 5580 controllers in your environment. Once identified, verify their current boot firmware version. If you find units running firmware older than version 1.072, assess their network connectivity and business criticality to prioritize them for remediation planning, which involves coordinating with your infrastructure or platform teams.

References