External risk intelligence

5380 5480 5580 Controller Denial of Service Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2025-12012

The vulnerability affects industrial controllers, which are typically deployed in segmented operational technology (OT) or internal control networks. While they may be network-reachable in some environments, direct exposure to the public internet is uncommon and generally inconsistent with standard industrial deployment security practices.

Buffer Overflow

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A denial-of-service vulnerability has been identified in certain industrial controllers that could allow a malicious actor to disrupt operations by writing invalid data to the device, potentially causing it to enter a non-recoverable fault state. The main concern is confirming relevance and exposure to your specific environment.

  • Disruption of industrial controllers via data corruption.
  • Critical systems can be rendered inoperable.
  • Confirm operational technology exposure.

Attack Path

How an attacker could exploit the issue

A malicious actor could send invalid file data to the controller, leading to a denial-of-service condition. This could cause the device to enter a major non-recoverable fault, disrupting operations.

  • No special access required.
  • Write invalid file data to the controller.
  • Device enters unrecoverable fault.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could affect the availability of 5380/5480/5580 controllers. When supported by the advisory, a malicious user could write invalid file data to the controller, leading to a major non-recoverable fault.

  • Controller availability.
  • Invalid file data can be written.
  • Device enters a major fault.

Operational Fix

Recommended remediation, mitigation, and detection steps

The denial-of-service vulnerability in affected controllers likely falls under the purview of industrial control system (ICS) or operational technology (OT) teams, possibly in coordination with network and security teams. The first practical step is to identify all instances of these controllers, determine their network reachability and business criticality, and then identify the specific teams or individuals accountable for their management and remediation.

  • Ownership: ICS/OT and Network/Security teams.
  • Verify first: Controller presence and exposure.
  • Action: Plan risk-based remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What are 5380, 5480, and 5580 controllers?

These are specialized industrial controllers used to manage automated processes and machinery in manufacturing and infrastructure environments. They serve as the "brains" of operational technology systems, executing logic to keep equipment running reliably. Because they are designed for performance in industrial settings, they rely on specific communication pathways to receive instructions and manage file data necessary for their daily tasks.

What is the nature of the CVE-2025-12012 vulnerability?

This flaw is classified as a buffer copy without checking size of input, known as CWE-120. In simple terms, the device does not properly validate the data it receives before processing it. By sending malformed or invalid file data, an attacker can overwhelm the controller's memory handling, forcing it to stop functioning completely and enter a critical, non-recoverable state that requires manual intervention.

How can an attacker trigger this fault in the controller?

The issue is triggered when a sender transmits specifically crafted, invalid file data to the controller. The device does not require any specialized authentication or user interaction to be vulnerable to this data; if it accepts the malformed input, it crashes. Normal, valid operational data traffic does not trigger this fault, as the vulnerability is specific to the way the device attempts to process corrupted or incompatible file inputs.

Is my device at risk based on Halo Surface Signal?

Halo Surface Signal indicates that while these controllers are technically network-reachable, they are typically found in segmented internal networks rather than on the public internet. Because these devices are usually tucked away in industrial control zones, the likelihood of direct, unauthorized access from outside your facility is considered low, provided your network segmentation practices are functioning as intended.

What should I do if I use these controllers?

Your first step is to conduct an internal inventory to locate all instances of the 5380, 5480, and 5580 models within your environment. Once identified, work with your industrial control systems and network teams to verify if these devices have any unintended external connectivity. Focus on assessing the business criticality of each unit to prioritize which systems need protection while you await further guidance or updates from the vendor.

References