External risk intelligence

5370/5570 Controllers Remote Denial-of-Service via Invalid Project Load

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2025-12011

The vulnerability affects industrial controllers, which are typically deployed within segmented operational technology (OT) networks or behind industrial firewalls rather than directly exposed to the public internet. While network-reachable in some internal environments, public internet exposure for these specific controller models is uncommon in standard deployment patterns.

Buffer Overflow

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A denial-of-service vulnerability has been identified in specific industrial controllers that could allow a remote user to cause a critical, unrecoverable system fault. The main concern is confirming relevance and exposure within your operational technology environments.

  • Remote attackers can cause system failure.
  • Affects industrial controllers; confirm operational relevance.
  • Understand potential operational disruption.

Attack Path

How an attacker could exploit the issue

An attacker could target this vulnerability by remotely sending specially crafted project data to a vulnerable controller. If the controller attempts to load this invalid project, it can become unresponsive due to a critical, unrecoverable fault.

  • Remote access to the controller is required.
  • Loading an invalid project triggers the issue.
  • The device enters a major fault state.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could affect the availability of 5370/5570 controllers when an invalid project is loaded remotely. This may cause the device to enter a major non-recoverable fault (MNRF), disrupting its normal operations.

  • Controller availability is at risk.
  • Remote loading of invalid projects.
  • Device enters unrecoverable fault.

Operational Fix

Recommended remediation, mitigation, and detection steps

The denial-of-service vulnerability in 5370/5570 controllers, which can be triggered by loading an invalid project, likely falls under the responsibility of operational technology (OT) infrastructure teams or platform owners. The first practical step is to identify all deployed 5370/5570 controllers within the environment, determine their network reachability and business criticality, and confirm the accountable owner before planning remediation.

  • Identify controller ownership and scope.
  • Verify device reachability and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What are 5370 and 5570 controllers?

These are industrial automation controllers often used to manage critical processes in manufacturing, energy, and infrastructure. They act as the brains for automated machinery and industrial systems, executing logic programs to control equipment. Because they reside at the core of operational technology, maintaining their constant availability is essential for safety and production continuity.

What is the vulnerability in CVE-2025-12011?

This CVE describes a denial-of-service weakness, specifically classified as a buffer copy without checking size of input, or CWE-120. When the controller processes malformed project data, the software fails to handle the input safely. This causes the system to crash and enter a major non-recoverable fault, effectively halting the controller's operations until manual intervention occurs.

How is this denial-of-service triggered?

An attacker must remotely send a specially crafted, invalid project file to the controller. The vulnerability is triggered only when the device attempts to load and execute this corrupt data. Simply having network connectivity to the controller does not cause a fault; the system must specifically be instructed to process the malicious project file for the failure to occur.

Is my device at risk based on Halo Surface Signal?

According to Halo Surface Signal, these controllers are typically housed within segmented, internal industrial networks rather than on the public internet. While they are reachable from within your internal network, the likelihood of public exposure is low. You should prioritize assessing controllers that are bridged to less-secure corporate networks or have broader administrative access.

What should I do if I run these controllers?

First, conduct an inventory of all 5370 and 5570 units in your environment to understand your footprint. Verify which controllers are reachable from other network segments and assess their business criticality. Once you identify the accountable teams for these specific assets, coordinate with them to review your network segmentation and monitor for unauthorized attempts to load project data onto the devices.

References