CVE-2017-12233 — Cisco IOS Software Common Industrial Protocol Request Denial-of-Service Vulnerability

Cisco IOS — CIP Implementation Flaw Causes Unauthenticated Remote DoS; ICS/OT Network Risk; September 2017 Advisory Bundle

What Is Cisco IOS and the CIP Protocol?

Cisco IOS is the operating system on Cisco network infrastructure devices. The Common Industrial Protocol (CIP) is an industrial automation protocol used in manufacturing and process control environments — originally designed for factory floor networks but increasingly bridged onto enterprise Ethernet networks. Cisco IOS supports CIP to enable routing and switching of CIP-based industrial communications. DoS vulnerabilities in the CIP implementation are particularly significant in industrial environments where a router reload can directly disrupt manufacturing processes, SCADA systems, and operational technology (OT) networks.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-12233 is a denial-of-service vulnerability in the Cisco IOS Common Industrial Protocol (CIP) feature. An unauthenticated remote attacker can send specially crafted CIP request packets to an affected IOS device, causing it to reload and disrupting all traffic it is forwarding. It was patched in the Cisco September 2017 advisory bundle. Because the flaw is in CIP handling, it is particularly relevant for industrial and critical infrastructure environments where Cisco IOS devices forward CIP traffic between IT and OT network segments. CISA added CVE-2017-12233 to the KEV catalog in March 2022.

Affected Versions

Cisco IOS versions with CIP functionality enabled. Use the Cisco IOS Software Checker and advisory cisco-sa-20170929-cip for specific affected version identification.

Technical Details

Root Cause: Improper Input Validation in CIP Packet Processing

CVE-2017-12233 is an improper input validation vulnerability (CWE-20) in the Cisco IOS CIP (Common Industrial Protocol) implementation. When the CIP feature processes a specially crafted CIP request packet, insufficient validation allows the packet to trigger a code path that results in a device reload. The vulnerability does not provide confidentiality or integrity impact — the attack causes availability loss through device restart.

ICS/OT context: In industrial environments where Cisco IOS routers bridge IT and OT networks, a device reload disrupts:

  • Real-time communications between SCADA systems and field devices
  • PLC programming and monitoring sessions
  • Safety system communications
  • Production monitoring and control

Attack Characteristics

Attribute       Detail
Attack Vector   Network (remote, no authentication required)
Protocol        CIP (Common Industrial Protocol) on IOS
Impact          Device reload → ICS/OT communication disruption

Exploitation Context

  • Critical infrastructure ICS targeting: CISA's March 2022 KEV addition of CIP-related Cisco IOS DoS vulnerabilities aligns with documented nation-state activity targeting US industrial control systems; Russian state-sponsored actors (Dragonfly/Berserk Bear) have specifically targeted ICS/OT network infrastructure at US energy utilities
  • IT/OT convergence risk: Cisco IOS routers that bridge IT and OT network segments are on the boundary of the most sensitive industrial operations; disrupting these devices via CIP-based DoS can cause industrial process interruptions even without accessing OT systems directly

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply Cisco IOS security update — upgrade to the IOS version identified in cisco-sa-20170929-cip using the Cisco IOS Software Checker.

  2. Disable CIP if not required — if the affected IOS device does not need to route CIP traffic, disable the CIP feature to eliminate this attack surface.

  3. Segment IT/OT networks — implement strict network segmentation between IT and OT environments; restrict which devices can send CIP traffic to Cisco IOS routers.

  4. Apply industrial network ACLs — configure access control lists to permit CIP traffic only from authorized industrial automation systems.
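
To check steps 2 and 4 against a saved running-config, the following added example (not Cisco's or this page's own code) reports every interface with CIP enabled and whether an inbound ACL limits who can reach it. It assumes the interface-level `cip enable` command and the EtherNet/IP ports TCP 44818 and UDP 2222, none of which appear on the page; the configuration text is constructed.

```python
import re

# Assumed, not from the page: CIP is on where an interface carries `cip enable`;
# EtherNet/IP carries CIP on TCP 44818 (explicit) and UDP 2222 (implicit I/O).
CIP_PORTS = {"44818", "2222"}

def sections(config, header):
    """Yield (name, stripped body lines) for each top-level block under header."""
    for m in re.finditer(rf"^{header} (\S+)\n((?: .*\n)*)", config + "\n", re.M):
        yield m.group(1), [l.strip() for l in m.group(2).splitlines()]

def open_to_any(entry):
    """True if a permit entry lets source 'any' reach a CIP port (order, ranges ignored)."""
    t = re.sub(r"^\d+\s+", "", entry).split()    # drop optional sequence number
    if len(t) < 3 or t[0] != "permit" or t[2] != "any":
        return False
    return "eq" not in t[:-1] or t[t.index("eq") + 1] in CIP_PORTS

def audit_cip(config):
    """Map each CIP-enabled interface to 'no-acl', 'open' or 'restricted'."""
    acls = dict(sections(config, "ip access-list extended"))
    result = {}
    for name, body in sections(config, "interface"):
        if "cip enable" in body:
            acl = next((l.split()[2] for l in body
                        if re.fullmatch(r"ip access-group \S+ in", l)), None)
            entries = acls.get(acl)
            result[name] = ("no-acl" if not entries else
                            "open" if any(map(open_to_any, entries)) else "restricted")
    return result

# Constructed sample configuration (documentation address ranges, made-up ACL names).
SAMPLE = """\
interface Vlan10
 cip enable
interface Vlan20
 ip access-group OT-CIP in
 cip enable
interface Vlan30
 ip access-group LEGACY in
 cip enable
interface Vlan40
 no ip address
ip access-list extended OT-CIP
 permit tcp host 198.51.100.10 any eq 44818
ip access-list extended LEGACY
 permit ip any any
"""
print(audit_cip(SAMPLE))
```

Interfaces reported as `no-acl` or `open` are the ones to disable CIP on or to place behind an ACL that names the authorized automation hosts.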

Key Details

Property              Value
CVE ID                CVE-2017-12233
Vendor / Product      Cisco / IOS software
NVD Published         2017-09-29
NVD Last Modified     2026-01-12
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity              HIGH
CWE                   CWE-20 (Improper Input Validation)
CISA KEV Added        2022-03-03
CISA KEV Deadline     2022-03-24
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      None
Integrity            None
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

Date        Event
2017-09-27  Cisco releases September 2017 security advisory bundle patching CVE-2017-12233
2017-09-29  CVE-2017-12233 published by NVD
2022-03-03  Added to CISA Known Exploited Vulnerabilities catalog
2022-03-24  CISA BOD 22-01 remediation deadline

References

Resource                                       Type
NVD: CVE-2017-12233                            Vulnerability Database
CISA KEV Catalog Entry                         US Government
Cisco Security Advisory cisco-sa-20170929-cip  Vendor Advisory