CyberSecurity SEE

5,219 Rockwell PLCs Exposed Online


Censys, an internet-scanning and attack-surface research firm, has warned that more than 5,000 Rockwell Automation and Allen-Bradley programmable logic controllers (PLCs) are directly reachable from the internet. The exposure is especially concerning because Iranian-affiliated Advanced Persistent Threat (APT) actors are actively targeting exactly these devices, which sit in critical components of U.S. infrastructure.

The APT group in question has a history of targeting operational technology (OT). In November 2023 it compromised at least 75 Unitronics PLCs at U.S. water and wastewater facilities. That campaign and the current one point to a sustained interest in internet-facing OT devices, which are integral to a wide range of industrial operations.

On April 7, 2026, a coalition of U.S. agencies (the FBI, CISA, NSA, EPA, DOE and U.S. Cyber Command) released joint advisory AA26-097A describing ongoing exploitation of internet-facing Rockwell and Allen-Bradley PLCs by Iranian-linked actors. The advisory attributes the activity to the IRGC Cyber Electronic Command and to the group known as CyberAv3ngers.

The current activity, documented since at least March 2026, relies on legitimate Rockwell engineering software such as Studio 5000 Logix Designer rather than on exploits. Because the exposed controllers accept connections without authentication, an attacker with that software can connect directly to a PLC, modify its project and logic, and alter the values shown on human-machine interface (HMI) or supervisory control and data acquisition (SCADA) displays, with no zero-day required. Confirmed targets are mainly in the CompactLogix and Micro850 families, and concurrent probing of Modbus and Siemens S7 traffic observed alongside the Rockwell activity suggests multi-vendor targeting.

According to Censys telemetry, 5,219 internet-exposed hosts respond on the EtherNet/IP port (TCP 44818) and identify themselves as Rockwell Automation or Allen-Bradley devices. The exposure is heavily concentrated: the United States accounts for 3,891 hosts, or 74.6% of the total, reflecting Rockwell's dominant position in North American industrial automation.

Other countries also show notable exposure. Spain has 110 exposed devices, followed by Taiwan with 78 and Italy with 73. Iceland stands out with 36 exposed devices, a high count for its small population that reflects its heavy reliance on industrial control systems, particularly in geothermal energy operations.

The sectors most at risk are government services, water and wastewater, and energy, all heavy users of Rockwell PLCs. Analysis by ASN (Autonomous System Number) reveals a troubling pattern: nearly two-thirds of the exposed Rockwell PLCs sit on consumer and business cellular networks rather than on dedicated industrial or data-center providers. Verizon Business (CELLCO-PART) alone hosts 2,564 exposed PLC endpoints, 49.1% of the global total, and AT&T Mobility another 693, or 13.3%.

This distribution suggests that many of these controllers are field-deployed assets at remote sites such as pump stations, connected to the public internet through cellular modems. Censys also found a smaller but noteworthy subset on SpaceX's Starlink service, a reminder that satellite-connected OT endpoints are particularly hard to monitor and secure.

The exposure goes beyond the bare fact that a PLC is online. EtherNet/IP answers identity queries without any authentication, so an attacker can read off the PLC model and firmware revision before ever attempting to connect with engineering software. Many MicroLogix 1400 controllers reportedly run outdated firmware, and because the revision is advertised in the clear, adversaries can single out these poorly supported units as targets.
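The fingerprinting step described above is worth seeing at the byte level. The following is an added example written for this article, not Censys or Rockwell code: it builds the 24-byte EtherNet/IP ListIdentity request (command 0x0063, which needs no session and therefore no authentication) and parses the CIP Identity item in the reply, which carries vendor ID, device type, product code, firmware revision, serial number and product name in clear text. The sample reply is constructed for illustration; the product name, product code, revision and serial in it are hypothetical, and the `probe()` helper only exists so an operator can point the same parser at devices they are authorized to assess.

```python
"""Build and parse EtherNet/IP ListIdentity messages (added example, not vendor code)."""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
ITEM_CIP_IDENTITY = 0x000C
ROCKWELL_VENDOR_ID = 1      # ODVA vendor ID 1 = Rockwell Automation / Allen-Bradley
DEVICE_TYPE_PLC = 0x0E      # CIP device profile "Programmable Logic Controller"
ENCAP_HDR = "<HHII8sI"      # command, length, session, status, sender context, options


def list_identity_request(sender_context: bytes = b"demo") -> bytes:
    """24-byte encapsulation header, empty payload, session handle 0: no RegisterSession needed."""
    return struct.pack(ENCAP_HDR, CMD_LIST_IDENTITY, 0, 0, 0, sender_context.ljust(8, b"\0")[:8], 0)


@dataclass
class Identity:
    vendor_id: int
    device_type: int
    product_code: int
    revision: str       # "major.minor" firmware revision as advertised by the device
    status: int
    serial: int
    product_name: str
    state: int
    ip: str
    port: int

    @property
    def is_rockwell_plc(self) -> bool:
        return self.vendor_id == ROCKWELL_VENDOR_ID and self.device_type == DEVICE_TYPE_PLC


def build_list_identity_reply(ident: Identity) -> bytes:
    """Encode one CIP Identity item the way a device answers; used here to make a test fixture."""
    name = ident.product_name.encode("ascii")
    rmaj, rmin = (int(x) for x in ident.revision.split("."))
    sockaddr = struct.pack(">HH4s8x", 2, ident.port, socket.inet_aton(ident.ip))  # network order
    body = (struct.pack("<H", 1) + sockaddr
            + struct.pack("<HHHBBHIB", ident.vendor_id, ident.device_type, ident.product_code,
                          rmaj, rmin, ident.status, ident.serial, len(name))
            + name + bytes([ident.state]))
    payload = struct.pack("<HHH", 1, ITEM_CIP_IDENTITY, len(body)) + body
    return struct.pack(ENCAP_HDR, CMD_LIST_IDENTITY, len(payload), 0, 0, b"\0" * 8, 0) + payload


def parse_list_identity(reply: bytes) -> list[Identity]:
    """Parse a ListIdentity reply; raises ValueError on malformed or truncated input."""
    if len(reply) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, _sess, status, _ctx, _opts = struct.unpack_from(ENCAP_HDR, reply, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command {cmd:#06x} / status {status}")
    data = reply[24:24 + length]
    if len(data) < length:
        raise ValueError("truncated payload")
    (item_count,) = struct.unpack_from("<H", data, 0)
    off, items = 2, []
    for _ in range(item_count):
        type_id, item_len = struct.unpack_from("<HH", data, off)
        off += 4
        body = data[off:off + item_len]
        off += item_len
        if type_id != ITEM_CIP_IDENTITY:
            continue
        # body: encap version(2 LE) | sockaddr_in(16, big-endian) | vendor(2) type(2) code(2)
        #       rev major(1) minor(1) status(2) serial(4) | name length(1) name | state(1)
        _family, port, ip_raw = struct.unpack_from(">HH4s", body, 2)
        vendor, dtype, pcode, rmaj, rmin, dstatus, serial, name_len = struct.unpack_from("<HHHBBHIB", body, 18)
        if len(body) < 34 + name_len:
            raise ValueError("truncated identity item")
        items.append(Identity(vendor, dtype, pcode, f"{rmaj}.{rmin}", dstatus, serial,
                              body[33:33 + name_len].decode("ascii", "replace"),
                              body[33 + name_len], socket.inet_ntoa(ip_raw), port))
    return items


def probe(host: str, timeout: float = 3.0) -> list[Identity]:
    """Send ListIdentity over TCP/44818 to one host you are authorized to assess."""
    with socket.create_connection((host, ENIP_PORT), timeout=timeout) as s:
        s.sendall(list_identity_request())
        buf = b""
        while len(buf) < 24:
            chunk = s.recv(24 - len(buf))
            if not chunk:
                raise ConnectionError("no ListIdentity reply")
            buf += chunk
        (length,) = struct.unpack_from("<H", buf, 2)
        while len(buf) < 24 + length and (chunk := s.recv(24 + length - len(buf))):
            buf += chunk
    return parse_list_identity(buf)


# Constructed fixture: hypothetical CompactLogix identity, not a real device or real serial.
SAMPLE_IDENTITY = Identity(1, DEVICE_TYPE_PLC, 0x5F, "30.11", 0x0060, 0x00C0FFEE,
                           "1769-L33ER/A LOGIX5333ER", 3, "192.0.2.10", ENIP_PORT)
SAMPLE_REPLY = build_list_identity_reply(SAMPLE_IDENTITY)

if __name__ == "__main__":
    import sys
    found = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_list_identity(SAMPLE_REPLY)
    for ident in found:
        tag = "ROCKWELL PLC" if ident.is_rockwell_plc else "other"
        print(f"{ident.ip}:{ident.port} {ident.product_name!r} fw={ident.revision} "
              f"serial={ident.serial:#010x} [{tag}]")
```

Run without arguments to parse the constructed fixture; run with a host argument to query one controller on your own network. Everything the parser recovers is exactly what an internet scanner sees, which is why a controller that answers on 44818 from a public address is already fingerprinted before any exploitation attempt.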

Censys also observes substantial co-exposure of other services on the same hosts: VNC (771 instances), Telnet (280) and Modbus (292). The combination widens the attack surface, giving attackers direct paths to HMI workstations and multi-vendor OT management interfaces, and it matches the advisory's warnings about multi-protocol probing and SCADA manipulation.

The CISA advisory lists eight IP indicators, and Censys' follow-up investigation refines them. Seven of the addresses, in the 185.82.73.x range, trace back to a single multi-homed Windows engineering workstation running the complete Rockwell toolchain. That workstation also exposed Remote Desktop Protocol (RDP) on a non-standard port, suggesting a weak security posture on the attacker side as well.

U.S. agencies and security practitioners are urging operators of Rockwell PLCs to act immediately: remove all PLCs from direct internet access and route any remote connectivity through secure gateways such as VPNs or jump hosts. Further recommended measures include removing exposed services like Telnet and VNC, enforcing strong authentication on cellular and satellite links, and keeping offline backups of PLC configurations and HMI/SCADA projects so that tampered logic or displays can be restored.

Thousands of exposed Rockwell/Allen-Bradley PLCs, combined with active Iranian-affiliated operations against precisely these devices, make the risk real and present. Taken together, the advisory and the Censys data leave little room for delay: organizations need to treat this as urgent and mitigate a threat with direct operational and safety implications for U.S. critical infrastructure.
