URGENT/11 – Programmable Logic Controllers Vulnerabilities (CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263, CVE-2019-12265, CVE-2019-12259, CVE-2019-12264, CVE-2019-12262, CVE-2019-12258, CVE-2019-12257, CVE-2019-12256)

URGENT/11 is a set of 11 vulnerabilities in the IPnet TCP/IP stack of Wind River's VxWorks real-time operating system, and it affects a wide range of operational technology (OT) devices. It was reported by the IoT security firm Armis, which also disclosed CDPwn, a separate group of vulnerabilities in the Cisco Discovery Protocol implementation of Cisco devices. Despite fixes being delivered in 2019, Armis researchers observed that 97% of the OT devices impacted by URGENT/11 and 80% of the devices affected by CDPwn remained unpatched.

Ben Seri of Armis says that the team researched Rockwell Automation and Schneider Electric PLCs for URGENT/11 and, for CDPwn, looked at Cisco Nexus switches and Cisco IP phones (78xx and 88xx series). The research disclosed 11 zero-day vulnerabilities in VxWorks, which is developed and maintained by Wind River. VxWorks is a real-time operating system used in medical, industrial and enterprise devices.

URGENT/11 is dangerous because it allows attackers to take full control of affected devices without any user interaction. Because the flaws sit in the TCP/IP stack itself, they can be triggered by packets that traverse perimeter security such as firewalls and NAT solutions, so a device does not have to be directly exposed to be reachable. Because the flaws are 'wormable', they could be used to spread malware in the way WannaCry spread using the EternalBlue exploit.

The Armis research team demonstrated remote code execution on a Rockwell Automation PLC and on a Schneider Electric PLC, as well as a URGENT/11 denial-of-service attack against PLCs (see the videos in the references).

Of the 11 CVEs listed below, 6 can lead to remote code execution (RCE) and 5 can lead to denial of service (DoS), information leaks or logical flaws; together they form URGENT/11.

CVE ID – Vulnerability name

RCE (6):
CVE-2019-12256 – Stack overflow in the parsing of IPv4 options
CVE-2019-12257 – Heap overflow in DHCP Offer/ACK parsing in ipdhcpc
CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263 – Four memory corruption vulnerabilities stemming from erroneous handling of TCP's Urgent Pointer field

DoS, information leak and logical flaws (5):
CVE-2019-12258 – TCP connection DoS via malformed TCP options
CVE-2019-12262 – Handling of unsolicited Reverse ARP replies (logical flaw)
CVE-2019-12264 – Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
CVE-2019-12259 – DoS via NULL dereference in IGMP parsing
CVE-2019-12265 – IGMP information leak via IGMPv3 specific membership report

All 11 CVEs are covered by Qualys QID 13534.
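Three of the packet shapes named in the list above (IPv4 options, TCP options and the TCP urgent pointer, and IGMPv3 membership reports) can be triaged from raw captures with ordinary protocol sanity checks. The script below is an added example written for this post; it is not code from Qualys, Armis or Wind River, and its rules are generic malformation checks rather than the exact IPnet trigger conditions, which this post does not describe. Every packet it inspects is constructed inline, and the addresses, ports and tag names are illustrative.

```python
# Added example for this post (not Qualys, Armis or Wind River code): generic
# sanity checks for three of the packet shapes behind the URGENT/11 CVE classes.
# Not the exact IPnet trigger conditions; every sample packet is constructed inline.
import struct

IPPROTO_IGMP, IPPROTO_TCP = 2, 6
TCP_URG = 0x20

def walk_options(buf):
    """True if an IPv4/TCP option list stays inside buf: type 0 ends the list, type 1
    is a one-octet NOP, any other type has a length octet counting type+length too."""
    i = 0
    while i < len(buf):
        t = buf[i]
        if t == 0:
            return True
        if t == 1:
            i += 1
            continue
        if i + 1 >= len(buf):
            return False                      # type octet with no length octet
        span = buf[i + 1]
        if span < 2 or i + span > len(buf):
            return False                      # declared length escapes the buffer
        i += span
    return True

def triage_tcp(seg):
    if len(seg) < 20:
        return ["tcp:truncated"]
    doff, flags, urgptr = (seg[12] >> 4) * 4, seg[13], struct.unpack("!H", seg[18:20])[0]
    if doff < 20 or doff > len(seg):
        return ["tcp:bad-data-offset"]
    tags = []
    # CVE-2019-12258 class: TCP options whose lengths do not fit the header.
    if doff > 20 and not walk_options(seg[20:doff]):
        tags.append("tcp:malformed-options")
    # CVE-2019-12255/12260/12261/12263 class: urgent pointer handling. URG set with
    # a zero urgent pointer has no meaning under RFC 793 and is worth a look.
    if flags & TCP_URG and urgptr == 0:
        tags.append("tcp:urg-with-zero-pointer")
    return tags

def triage_igmp(msg):
    if len(msg) < 8:
        return ["igmp:truncated"]
    if msg[0] == 0x22:                        # IGMPv3 membership report (CVE-2019-12265 class)
        off = 8
        for _ in range(struct.unpack("!H", msg[6:8])[0]):   # number of group records
            if off + 8 > len(msg):
                return ["igmp:v3-report-record-overrun"]
            aux_len, nsrc = msg[off + 1], struct.unpack("!H", msg[off + 2:off + 4])[0]
            off += 8 + 4 * nsrc + 4 * aux_len  # fixed record + source list + aux data
        if off > len(msg):
            return ["igmp:v3-report-record-overrun"]
    return []

def triage(pkt):
    """Anomaly tags for one raw IPv4 packet (link-layer header already stripped)."""
    if len(pkt) < 20:
        return ["ipv4:truncated"]
    ihl, proto, total_len = (pkt[0] & 0x0F) * 4, pkt[9], struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or ihl > len(pkt):
        return ["ipv4:bad-ihl"]
    tags = []
    # CVE-2019-12256 class: IPv4 option lengths that overrun the header.
    if ihl > 20 and not walk_options(pkt[20:ihl]):
        tags.append("ipv4:malformed-options")
    handler = {IPPROTO_TCP: triage_tcp, IPPROTO_IGMP: triage_igmp}.get(proto)
    payload = pkt[ihl:min(total_len, len(pkt))]
    return tags + (handler(payload) if handler else [])

def ipv4(proto, payload, options=b""):
    """Constructed minimal IPv4 packet; checksum left zero, which triage ignores."""
    options += b"\x00" * (-len(options) % 4)  # options are padded to 32-bit words
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                      20 + len(options) + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload

def tcp(flags, urgptr=0, options=b"", data=b"hello"):
    """Constructed TCP segment to port 502 (Modbus); options padded like IPv4's."""
    options += b"\x00" * (-len(options) % 4)
    doff = (5 + len(options) // 4) << 4
    return struct.pack("!HHIIBBHHH", 40000, 502, 1, 1, doff, flags, 8192, 0, urgptr) + options + data

def run_samples():
    """Clean packets plus one constructed packet per anomaly class."""
    good_report = bytes([0x22, 0, 0, 0, 0, 0, 0, 1, 4, 0, 0, 1, 224, 0, 0, 251, 10, 0, 0, 9])
    samples = {
        "clean-tcp": ipv4(IPPROTO_TCP, tcp(0x18)),                          # PSH|ACK
        "clean-igmpv3-report": ipv4(IPPROTO_IGMP, good_report),             # one record, one source
        "ipv4-option-overrun": ipv4(IPPROTO_TCP, tcp(0x18), options=b"\x83\x40\x04"),  # LSRR, len 64
        "tcp-option-overrun": ipv4(IPPROTO_TCP, tcp(0x18, options=b"\x02\x10")),     # MSS, len 16
        "tcp-urg-zero-pointer": ipv4(IPPROTO_TCP, tcp(0x38)),                # URG|PSH|ACK
        "igmpv3-report-overrun": ipv4(IPPROTO_IGMP, bytes([0x22, 0, 0, 0, 0, 0, 0, 5])),
    }
    return {name: triage(pkt) for name, pkt in samples.items()}
```

To use it on a capture, strip the link-layer header and pass each IPv4 packet to triage(); run_samples() returns the tag list for each constructed packet. A non-empty tag list is a prompt to look at the packet, not proof of an exploit attempt, since the same shapes also come from broken but benign implementations.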

Affected Versions

VxWorks version 6.5 and later. Armis also notes that IPnet was licensed as a standalone stack before Wind River acquired Interpeak in 2006, so devices running other real-time operating systems that shipped IPnet may be affected as well; confirm with each device vendor.

The list of devices that use VxWorks includes SCADA devices, industrial controllers, patient monitors, MRI machines, firewalls, VoIP phones and printers.

Solution

Wind River has created and fully tested patches for the security vulnerabilities that were discovered in the TCP/IP stack (IPnet), a component of certain versions of VxWorks. Device vendors must incorporate these patches into their own firmware, so affected OT devices should be updated with the firmware released by the device vendor.

Qualys Detection

Qualys customers can scan their network with QID 13534 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.

References and Sources

https://www.armis.com/urgent11/

https://www.armis.com/resources/iot-security-blog/unpatched-unprepared-unprotected-how-critical-device-vulnerabilities-remain-unaddressed/

https://youtu.be/bG6VDK_0RzU

https://youtu.be/SnMIR_E3BLo

https://youtu.be/vDDsNh-G-ow

https://youtu.be/Qsm9b8t4dZY

https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/

https://threatprotect.qualys.com/2020/02/10/cisco-nx-os-software-cisco-discovery-protocol-remote-code-execution-vulnerability-cve-2020-3119/

https://threatprotect.qualys.com/2020/04/02/cisco-nx-os-cdp-stack-overflow-remote-code-execution-vulnerabilitycisco-sa-20200205-nxos-cdp-rcecve-2020-3119/

