URGENT/11 Vulnerabilities: Mitigation Steps for Security Teams

Posted on March 3, 2026
Author: RunSafe Security

URGENT/11 vulnerabilities allow attackers to take control of embedded devices remotely without any user interaction and often without triggering traditional security defenses. Discovered in 2019, these eleven flaws in the IPnet TCP/IP stack affect millions of devices running VxWorks and other real-time operating systems across healthcare, manufacturing, and critical infrastructure.

Years later, a significant portion of vulnerable devices remain unpatched. This guide covers what URGENT/11 is, why it persists as a threat, and the practical mitigation steps security teams can take to protect both patchable and legacy systems.

What Is URGENT/11

URGENT/11 is a set of eleven vulnerabilities in the IPnet TCP/IP stack, a networking component found in VxWorks and several other real-time operating systems (RTOS). Armis researchers discovered the flaws in 2019, and they’re tracked as CVE-2019-12255 through CVE-2019-12265. All eleven are memory safety vulnerabilities—buffer overflows, heap-based corruption, and similar issues that have plagued compiled code for decades.

Six of the eleven carry critical severity ratings with CVSS scores of 9.8. The reason for the high scores is that attackers can exploit them remotely to execute arbitrary code with no user interaction required. The IPnet stack handles basic network communication, so a vulnerable device can be compromised simply by receiving a malformed packet.

Wind River, the company behind VxWorks, released patches shortly after disclosure. However, the nature of embedded deployments makes applying those patches far more complicated than updating typical enterprise software.

Why URGENT/11 Remains a Critical Threat to Embedded Systems

Years after the initial disclosure, URGENT/11 continues to pose a real risk. Embedded systems operate under constraints that make patching difficult. Devices deployed in hospitals, factories, and critical infrastructure often run for a decade or longer without updates.

Traditional network security relies on firewalls and NAT devices to filter malicious traffic. URGENT/11 vulnerabilities exist in the TCP/IP stack itself, which means exploit packets can appear as legitimate network traffic and pass through perimeter defenses undetected.

This characteristic makes URGENT/11 particularly dangerous for operational technology (OT) environments. OT refers to hardware and software that monitors or controls physical equipment—think factory floor systems, power grid components, or building automation systems. Teams in OT environments often assume network segmentation provides adequate protection, but URGENT/11 can slip through those boundaries.

Millions of Devices Remain Unpatched

CISA has issued multiple advisories on URGENT/11, yet a significant portion of vulnerable devices have never received patches. The reasons vary:

  • End-of-life status: Vendors no longer support older device models
  • Operational constraints: Patching requires downtime that production environments cannot tolerate
  • Supply chain complexity: Device manufacturers may not have released firmware updates incorporating Wind River’s fixes
  • Lack of visibility: Organizations often don’t know which devices contain the vulnerable stack

Devices and Industries Affected by URGENT/11

The IPnet stack appears in devices across multiple sectors. Understanding the scope helps security teams prioritize their response.

VxWorks Real-Time Operating Systems

VxWorks is the primary affected RTOS, widely deployed in mission-critical applications where reliability and deterministic performance matter. While Wind River released patches for supported versions, many deployments run older releases or exist in environments where updates simply aren’t practical.

Medical Devices and Healthcare Equipment

Patient monitors, infusion pumps, and imaging systems frequently run VxWorks. The FDA has issued guidance on medical device cybersecurity, but clinical environments face unique challenges. Taking a device offline for patching may directly impact patient care, so updates often get delayed indefinitely.

Industrial Control Systems and OT Networks

Industrial control systems (ICS), SCADA systems, and programmable logic controllers (PLCs) often rely on RTOS platforms. ICS refers to the systems that manage industrial processes, while SCADA (Supervisory Control and Data Acquisition) systems monitor and control infrastructure like power plants and water treatment facilities. These systems typically operate for decades, and OT networks historically prioritize availability over security updates.

Network Security Appliances

Ironically, some firewalls, routers, and VPN appliances are themselves vulnerable. Vendors including SonicWall and Xerox issued advisories for affected products. When security devices contain exploitable flaws, the implications extend across the entire network they protect. 

Industry           Example Devices                      Primary Risk
Healthcare         Patient monitors, infusion pumps     Patient safety, data breach
Manufacturing      PLCs, HMIs, industrial controllers   Operational disruption
Networking         Firewalls, routers, switches         Network compromise
Aerospace/Defense  Avionics, mission systems            Safety, mission failure

Demo: Stopping Attackers from Exploiting URGENT/11 Vulnerabilities

URGENT/11 attacks require no phishing, no social engineering, and no user action. An attacker sends specially crafted packets to a vulnerable device, and the exploit triggers automatically. This “zero-click” characteristic makes URGENT/11 attractive to sophisticated threat actors looking for reliable entry points.

Five Mitigation Steps for URGENT/11 Vulnerabilities

Effective mitigation combines visibility, network controls, patching where possible, runtime protection, and monitoring. Here’s how each step works in practice.

1. Identify Vulnerable Devices Using SBOM Analysis

You can’t protect devices you don’t know about. A Software Bill of Materials (SBOM) is an inventory of software components in a build—think of it as an ingredient list for software. An accurate SBOM reveals whether IPnet or vulnerable RTOS versions exist in your environment.

Traditional vulnerability scanners often miss embedded system components because they’re designed for enterprise IT environments. Build-time SBOMs provide more accurate results, particularly for C/C++ codebases where dependency detection is notoriously difficult. RunSafe Identify generates file-based, build-time SBOMs specifically designed for embedded systems.

An accurate SBOM reveals:

  • Component inventory: Libraries and third-party code in the build
  • Version tracking: Specific versions that may contain known vulnerabilities
  • Dependency mapping: Nested dependencies that may include IPnet
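The following script is an added example of the SBOM triage described above; it is not RunSafe Identify or any other vendor tool. It assumes a CycloneDX-style JSON SBOM (a "components" array with name/version/supplier fields, optionally nested) and a small set of name patterns for the IPnet stack and VxWorks; the sample SBOM and the patterns are constructed for illustration. It walks nested components so a vendored IPnet inside a board-support package is surfaced, and pairs each candidate with the eleven CVE IDs so the version can be checked against the vendor advisory rather than guessed.

```python
"""Triage a CycloneDX-style SBOM for components tied to URGENT/11.

Added example, not RunSafe Identify or any vendor tool. Assumes the SBOM is
CycloneDX JSON ("components" entries with name/version/supplier, optionally
nested) and that the name patterns below are a reasonable starting point;
both are assumptions for this example. Whether a flagged version is actually
affected must be confirmed against the vendor advisory.
"""
import json
import re

# The eleven CVE IDs named in the article: CVE-2019-12255 .. CVE-2019-12265.
URGENT11_CVES = [f"CVE-2019-{n}" for n in range(12255, 12266)]

# Name patterns that indicate the IPnet stack or a VxWorks base image.
# Assumed for this example; extend from your own build metadata.
CANDIDATE_PATTERNS = [
    re.compile(r"ipnet", re.IGNORECASE),
    re.compile(r"vxworks", re.IGNORECASE),
]

# Constructed sample SBOM; not taken from any real build.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "operating-system", "name": "VxWorks", "version": "6.x-example",
         "supplier": {"name": "Wind River"}},
        {"type": "library", "name": "board-support-package", "version": "3.1",
         "components": [
             # A vendored TCP/IP stack hiding one level down.
             {"type": "library", "name": "ipnet", "version": "example-2.0"},
         ]},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
        {"type": "library", "name": "lwip", "version": "2.1.2"},
    ],
})


def find_candidates(sbom_json):
    """Return [(name, version, supplier)] for components matching a pattern.

    Nested "components" lists are walked recursively, which is how a vendored
    IPnet inside a board-support package shows up instead of being missed.
    """
    doc = json.loads(sbom_json)
    found = []

    def walk(components):
        for comp in components:
            name = comp.get("name", "")
            if any(p.search(name) for p in CANDIDATE_PATTERNS):
                supplier = comp.get("supplier", {}).get("name", "unknown")
                found.append((name, comp.get("version", "unknown"), supplier))
            walk(comp.get("components", []))

    walk(doc.get("components", []))
    return found


def triage_report(sbom_json):
    """Map each candidate to the CVE list it must be checked against."""
    return {
        f"{name}@{version} ({supplier})": list(URGENT11_CVES)
        for name, version, supplier in find_candidates(sbom_json)
    }


if __name__ == "__main__":
    for component, cves in triage_report(SAMPLE_SBOM).items():
        print(component)
        print("  verify version against vendor advisory for:", ", ".join(cves))
```

Running it on the constructed SBOM reports the VxWorks base image and the nested ipnet component; zlib and lwIP are ignored. The point of the recursive walk is that build-time SBOMs for C/C++ firmware routinely nest third-party stacks inside a BSP or SDK component, which is exactly where a flat inventory loses them.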

2. Implement Network Segmentation and Traffic Filtering

Isolating vulnerable devices limits an attacker’s ability to reach them and prevents compromised devices from spreading laterally. Even if you can’t patch a device, you can make it harder to exploit.

Effective network controls include:

  • VLAN segmentation: Isolate embedded devices from general network traffic
  • Firewall rules: Block TCP/UDP ports not required for device operation
  • IDS/IPS deployment: Use signatures specific to URGENT/11 exploit patterns

Armis and other researchers have published SNORT rules that detect URGENT/11 exploitation attempts. Deploying SNORT signatures on intrusion detection systems adds a layer of visibility into potential attacks.
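To make the segmentation and filtering step concrete, here is an added example (not RunSafe's code, and not any firewall vendor's syntax) that audits a zone-based policy protecting an embedded-device VLAN. It assumes the policy has been exported as first-match tuples of (source zone, destination zone, protocol, port, action) and that a device inventory lists the TCP/UDP services each device must expose; both the policy and the inventory are constructed. The audit flags allow rules for ports no inventoried device needs, wildcard allows into the device VLAN, any allow from an untrusted zone, and open outbound access that would let a compromised device beacon out.

```python
"""Audit a firewall policy that fronts an embedded-device VLAN.

Added example; not RunSafe's code and not any vendor's rule syntax.
Assumes a first-match policy exported as (src_zone, dst_zone, proto, port,
action) tuples, with "any" as a wildcard, and an inventory of the services
each device needs. Policy and inventory below are constructed.
"""

# Constructed device inventory: device -> (proto, port) services it must expose.
INVENTORY = {
    "plc-01": {("tcp", 502)},                    # Modbus/TCP
    "hmi-01": {("tcp", 443)},                    # HTTPS
    "monitor-07": {("tcp", 443), ("udp", 161)},  # HTTPS + SNMP
}

# Constructed first-match policy, evaluated top to bottom.
POLICY = [
    ("eng-workstations", "ot-vlan",  "tcp", 502,   "allow"),
    ("eng-workstations", "ot-vlan",  "tcp", 443,   "allow"),
    ("eng-workstations", "ot-vlan",  "udp", 161,   "allow"),
    ("corp-lan",         "ot-vlan",  "tcp", 23,    "allow"),  # stale telnet rule
    ("corp-lan",         "ot-vlan",  "any", "any", "deny"),
    ("internet",         "ot-vlan",  "any", "any", "deny"),
    ("ot-vlan",          "internet", "any", "any", "allow"),  # unrestricted egress
]

# Zones that should never initiate traffic into the device VLAN.
UNTRUSTED_ZONES = {"corp-lan", "internet"}


def required_services(inventory):
    """Union of every (proto, port) some inventoried device legitimately needs."""
    return set().union(*inventory.values())


def first_match(policy, src, dst, proto, port):
    """Evaluate one flow against the policy; default deny if nothing matches."""
    for s, d, p, prt, action in policy:
        if s == src and d == dst and p in ("any", proto) and prt in ("any", port):
            return action
    return "deny"


def audit(policy, inventory, ot_zone="ot-vlan"):
    """Return findings as (severity, message) tuples, in policy order."""
    findings = []
    needed = required_services(inventory)
    for src, dst, proto, port, action in policy:
        if dst != ot_zone or action != "allow":
            continue
        if proto == "any" or port == "any":
            findings.append(("high", f"{src}->{dst}: wildcard allow exposes every port"))
        elif (proto, port) not in needed:
            findings.append(("high", f"{src}->{dst}: {proto}/{port} allowed but no "
                                     f"inventoried device needs it"))
        if src in UNTRUSTED_ZONES:
            findings.append(("critical", f"{src}->{dst}: untrusted zone can reach "
                                         f"the device VLAN"))
    # A compromised device with open egress can reach an attacker-controlled host.
    if first_match(policy, ot_zone, "internet", "tcp", 443) == "allow":
        findings.append(("medium", f"{ot_zone}->internet: outbound access lets a "
                                   f"compromised device beacon out"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(POLICY, INVENTORY):
        print(f"[{severity}] {message}")
```

On the constructed policy the audit surfaces the stale telnet rule twice (an unneeded port, and an allow from an untrusted zone) and the open egress rule; the engineering-workstation rules pass because every port they open is required by an inventoried device. The first_match helper doubles as a what-if query, for example confirming that corp-lan cannot reach Modbus on the PLC even though it has a stray allow for port 23.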

3. Apply Vendor Patches to Supported Systems

Where patches exist and can be applied, patching remains the most complete remediation. Key vendors that released updates include Wind River, Rockwell Automation, SonicWall, Spacelabs, and Xerox.

That said, patching embedded systems differs from patching enterprise software. Firmware updates may require physical access, scheduled downtime, or revalidation in regulated environments. For many organizations, patching addresses only a fraction of vulnerable devices—the rest require alternative approaches.

4. Deploy Runtime Protection for Legacy and Unpatchable Devices

When patching isn’t possible, runtime protection offers an alternative path. Memory safety protections can neutralize exploit techniques—buffer overflows, heap corruption, and similar attacks—even when the underlying vulnerability remains in the code.

RunSafe Protect provides automated runtime hardening for legacy embedded systems, reducing exploitability without requiring source code changes or recompilation. This approach is particularly valuable for devices that will never receive vendor patches due to end-of-life status or operational constraints.

Read a case study of how RunSafe Protect neutralized URGENT/11 vulnerabilities for a U.S. military weapons program. 

5. Monitor for Indicators of Compromise

Even with mitigations in place, continuous monitoring catches exploitation attempts and identifies compromised devices. Behavioral monitoring can detect anomalous device activity that suggests an attack in progress—such as unusual network traffic, unexpected crashes, or communication with unknown external addresses.

RunSafe Monitor tracks software crashes to identify potential exploitation attempts and filters false positives so teams can focus on genuine threats rather than chasing noise.
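As an added example of the behavioural monitoring described in this step (it is not RunSafe Monitor and uses no product's log format), the script below correlates device crash records with flow records from two constructed log formats. It assumes a per-device allowlist of expected peers and a list of the organisation's internal address ranges, both constructed. It raises a high-severity alert when a device task crashes shortly after inbound traffic from an unexpected source, a medium-severity alert for a crash burst, and a high-severity alert for outbound traffic to an unknown external address, while an isolated crash with only expected traffic around it produces nothing, which is the noise filtering the paragraph refers to.

```python
"""Behavioural monitoring for embedded devices from crash and flow logs.

Added example; not RunSafe Monitor and not any product's log format.
Assumes the two constructed line formats in SAMPLE_LOGS, a per-device
allowlist of expected peers, and the organisation's internal ranges.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

CRASH_RE = re.compile(r"^(\S+) (\S+) crash task=(\S+)")
FLOW_RE = re.compile(r"^(\S+) flow src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")

# Constructed: device -> peers it is expected to talk to.
EXPECTED_PEERS = {
    "plc-01": {"10.1.20.5", "10.1.20.6"},   # engineering workstations
    "monitor-07": {"10.2.0.10"},            # nurse-station server
}
# Constructed: the organisation's own address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log lines (crash records and flow records interleaved).
SAMPLE_LOGS = """\
2026-03-01T10:00:01Z flow src=10.1.20.5 dst=plc-01 proto=tcp dport=502
2026-03-01T10:00:03Z flow src=10.9.9.50 dst=plc-01 proto=tcp dport=502
2026-03-01T10:00:05Z plc-01 crash task=tNet0 pc=0x0020ab40
2026-03-01T10:00:09Z plc-01 crash task=tNet0 pc=0x0020ab40
2026-03-01T10:01:00Z flow src=plc-01 dst=203.0.113.7 proto=tcp dport=4444
2026-03-01T10:05:00Z monitor-07 crash task=tWdbTask pc=0x00113000
2026-03-01T10:10:00Z flow src=monitor-07 dst=10.2.0.10 proto=tcp dport=443
""".splitlines()


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_external(addr):
    """True for an IP address outside the organisation's internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # inventoried device hostnames are internal by definition
    return not any(ip in net for net in INTERNAL_NETS)


def parse(lines):
    """Turn log lines into crash and flow event dicts; unknown lines are skipped."""
    events = []
    for line in lines:
        m = CRASH_RE.match(line)
        if m:
            events.append({"kind": "crash", "ts": _ts(m.group(1)),
                           "device": m.group(2), "task": m.group(3)})
            continue
        m = FLOW_RE.match(line)
        if m:
            events.append({"kind": "flow", "ts": _ts(m.group(1)), "src": m.group(2),
                           "dst": m.group(3), "proto": m.group(4), "dport": int(m.group(5))})
    return events


def analyze(lines, window=timedelta(seconds=30), burst=2):
    """Return alerts as (severity, device, message) tuples."""
    events = parse(lines)
    crashes = [e for e in events if e["kind"] == "crash"]
    flows = [e for e in events if e["kind"] == "flow"]
    alerts = []

    # Rule 1: a crash within `window` after inbound traffic from an unexpected
    # source; one alert per (device, source) so a crash loop does not flood.
    seen = set()
    for c in crashes:
        for f in flows:
            gap = c["ts"] - f["ts"]
            if (f["dst"] == c["device"] and timedelta(0) <= gap <= window
                    and f["src"] not in EXPECTED_PEERS.get(c["device"], set())
                    and (c["device"], f["src"]) not in seen):
                seen.add((c["device"], f["src"]))
                alerts.append(("high", c["device"],
                               f"{c['task']} crashed {int(gap.total_seconds())}s after "
                               f"unexpected inbound {f['proto']}/{f['dport']} from {f['src']}"))

    # Rule 2: `burst` or more crashes on one device inside `window`.
    by_device = {}
    for c in crashes:
        by_device.setdefault(c["device"], []).append(c["ts"])
    for device, times in by_device.items():
        times.sort()
        if any(times[i + burst - 1] - times[i] <= window
               for i in range(len(times) - burst + 1)):
            alerts.append(("medium", device,
                           f"{burst}+ crashes within {int(window.total_seconds())}s"))

    # Rule 3: a monitored device talking to an external address not on its allowlist.
    for f in flows:
        if (f["src"] in EXPECTED_PEERS and is_external(f["dst"])
                and f["dst"] not in EXPECTED_PEERS[f["src"]]):
            alerts.append(("high", f["src"],
                           f"outbound {f['proto']}/{f['dport']} to unknown external {f['dst']}"))
    return alerts


if __name__ == "__main__":
    for severity, device, message in analyze(SAMPLE_LOGS):
        print(f"[{severity}] {device}: {message}")
```

On the constructed logs all three alerts concern plc-01: its network task crashed two seconds after traffic from a source that is not on its allowlist, it crashed twice inside the window, and it then opened a connection to an address outside the internal ranges. The single monitor-07 crash, preceded only by expected traffic, is left alone rather than escalated.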

Long-Term Protection Against RTOS and Memory Safety Vulnerabilities

URGENT/11 represents a broader pattern: memory safety vulnerabilities in embedded systems will continue to emerge. Reactive patching alone cannot keep pace, especially for devices with 10-20 year lifecycles. By the time a patch is available, tested, and deployed, new vulnerabilities have already been discovered.

Automated code hardening reduces exploitability across entire vulnerability classes, not just individual CVEs. Combined with continuous SBOM generation and vulnerability tracking, this approach supports both security operations and regulatory compliance requirements that increasingly demand visibility into software components.

Ready to assess your exposure? Request a consultation to evaluate your exposure to URGENT/11 and identify opportunities to reduce risk.

FAQs About URGENT/11 Vulnerabilities

What CVEs are associated with the URGENT/11 vulnerabilities?

URGENT/11 includes eleven CVEs: CVE-2019-12255 through CVE-2019-12265. Six are rated critical (CVSS 9.8) for enabling remote code execution, while the remaining five enable denial of service or information disclosure.

Can URGENT/11 vulnerabilities be exploited without physical access to the device?

Yes. Attackers can exploit URGENT/11 remotely by sending malformed network packets. No physical access, user interaction, or authentication is required. The attack happens automatically when a vulnerable device processes the malicious traffic.

What options exist for devices affected by URGENT/11 where the vendor has not released a patch?

For unpatchable devices, compensating controls include network segmentation, traffic filtering with IDS signatures, runtime memory protection, and continuous monitoring for exploitation attempts. Documenting compensating controls is typically required for compliance when patching isn’t feasible.

Do regulatory frameworks require remediation of URGENT/11 vulnerabilities?

CISA has issued advisories, and organizations in regulated industries—healthcare (FDA), critical infrastructure, defense—may face compliance requirements to address known vulnerabilities in deployed systems. The specific requirements vary by industry and regulatory body.
