{
"title": "CISA Flags Remotely Exploitable DoS Flaws in Rockwell FLEX 5000 Analog I/O Modules",
"content": "Rockwell Automation’s widely deployed FLEX 5000 analog input modules contain two critical denial-of-service (DoS) vulnerabilities that can be triggered by remote, unauthenticated attackers, leaving the devices unresponsive until they are physically power-cycled. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Advisory ICSA-25-226-26 on August 14, 2025, detailing the flaws and urging immediate firmware updates. With a CVSS v4 base score of 8.7, the vulnerabilities—tracked as CVE-2025-9041 (affecting the 5094-IF8 module) and CVE-2025-9042 (affecting the 5094-IY8 module)—stem from improper input validation when handling CIP Class 32 requests while the module is in an inhibited state.
The advisory underscores a persistent challenge in industrial control systems (ICS): even without code execution, protocol-level malformed traffic can wreak operational havoc, especially when recovery demands a manual power cycle on the plant floor.
Background on FLEX 5000 and Industrial I/O
Rockwell’s FLEX 5000 (Bulletin 5094) family is a line of rugged, modular I/O devices designed to extend the capabilities of CompactLogix and ControlLogix controllers. They are deployed globally across critical infrastructure sectors—manufacturing, energy, water treatment, food and agriculture, and transportation—where reliable analog and digital signal processing is non-negotiable. The affected modules, 5094-IF8 (8-channel analog input) and 5094-IY8 (8-channel universal analog input), handle vital process variables like temperature, pressure, and flow. A DoS condition on one of these modules takes all of its channels offline at once and can halt production sequences, trip safety interlocks, or force operational shutdowns.
CISA Advisory Details
The CISA advisory is unequivocal: when either module runs firmware V2.011 and is placed in an inhibited state, a specially crafted CIP (Common Industrial Protocol) Class 32 request can force an unrecoverable fault. Symptoms include the Module LED flashing red, and upon un-inhibiting, the controller logs a connection fault Code 16#0010—a diagnostic pointing to point-bus or I/O connection issues. The device will not resume normal operation without a complete power cycle. The attack vector is remote, requires no authentication, and has low complexity (AV:N/AC:L/AT:N/PR:N/UI:N in CVSS v4). Although no public exploits have been reported, the ease of exploitation makes it a high-priority risk.
Vulnerability Summary Table
| CVE ID | Affected Product | Firmware Version | CVSS v3 Score | CVSS v4 Score | Impact |
|---|---|---|---|---|---|
| CVE-2025-9041 | 5094-IF8 | V2.011 | 7.5 | 8.7 | DoS, unrecoverable without power cycle |
| CVE-2025-9042 | 5094-IY8 | V2.011 | 7.5 | 8.7 | DoS, unrecoverable without power cycle |
Technical Deep Dive: The CIP Class 32 Attack Vector
CIP is the object-oriented application protocol underlying EtherNet/IP, the industrial network standard. Devices expose object classes (Identity, Assembly, Connection, etc.) whose instances and attributes can be read or written via explicit messaging. CIP Class 32 is associated with certain module-specific objects—details often vendor-defined but commonly linked to identity or diagnostic data. The inhibit state is a controlled mode where the module’s normal I/O operations are suspended, typically for maintenance or configuration. According to CISA, when a 5094-IF8 or 5094-IY8 in this state receives a malformed or out-of-sequence Class 32 request, insufficient input validation allows the request to corrupt the device’s internal state, triggering an irretrievable fault.
In practical terms, an attacker who can send EtherNet/IP traffic to the module—whether because of internet-exposed devices, poor network segmentation, or a compromised IT asset—can repeat the attack every time the module is inhibited again. This creates a sustained DoS that only physical intervention can break.
Operational Impact: Why a Power-Cycle DoS Hurts
For industries where uptime is measured in dollars per minute, a vulnerability that mandates a physical power cycle is especially damaging. Analog input modules feed control logic for temperature regulation, pressure safety, flow control, and level monitoring. A failure on any channel might not just halt production; it could trigger protective interlock trips, leading to broader shutdowns. Recovery requires dispatching a technician, potentially halting the line, and manually cycling power—a process that could take minutes to hours depending on site procedures. In continuous processes, the cascading effects can ripple through entire facilities.
The CVSS v4 score of 8.7 reflects this high availability impact. Unlike many ICS vulnerabilities that only affect integrity or confidentiality, these flaws directly compromise safety and production continuity without any authentication barrier.
Mitigation: Firmware Update and Network Hardening
Rockwell’s primary remediation is firmware version V2.012 for the affected modules. The update, available through the Rockwell Automation Support and Download Center, replaces the flawed input-validation logic. CISA and Rockwell also strongly recommend layered defenses:
- Network segmentation: Isolate OT networks behind firewalls and enforce strict access control lists (ACLs) so that only authorized engineering workstations can communicate with I/O modules. Under no circumstances should control system devices be reachable from the internet.
- Secure remote access: If remote access is necessary, use VPNs with multi-factor authentication, hardened jump hosts, and always keep VPN software patched. Understand that VPNs themselves expand the attack surface.
- Defense-in-depth: Deploy ICS-aware intrusion detection systems (IDS) that can inspect CIP traffic, set alerts on anomalous explicit messaging (especially Class 32 requests), and log connection fault events like 16#0010.
- Rockwell Security Best Practices: Follow vendor guidelines for secure module configuration, user authentication, and change management. Rockwell publishes a comprehensive security handbook for its automation ecosystem.
Patching Strategy and Step-by-Step Guidance
Industrial operators should treat this as a high-priority, time-sensitive action and follow a staged deployment:
- Inventory: Use asset management tools, network scans (with caution), and controller logs to identify every 5094-IF8 and 5094-IY8 module in the environment. Confirm firmware by reading module properties in Studio 5000 Logix Designer or via CIP messaging. Flag all devices reporting V2.011.
- Lab validation: Download firmware V2.012 from Rockwell’s portal and set up a testbed that mirrors your production hardware—identical module part numbers, controller firmware, and backplane configuration. Flash the firmware and run regression tests: verify analog input readings, calibration, diagnostics, and inhibit/un-inhibit behavior. Ensure no adverse interactions with installed HMI or SCADA templates.
- Maintenance window planning: Coordinate with process owners and schedule downtime for each production line or unit. Since flashing firmware will take the module offline, have a rollback plan and spare modules available. In many sites, a brief process interruption is acceptable only during pre-approved windows.
- Staged rollout: Start with non-critical process areas or a single module to validate the update in a live environment. Monitor for any unexpected connection faults or LED anomalies for at least 24 hours before updating the next batch.
- Post-update verification: After upgrading all targeted modules, audit firmware versions again to confirm none were missed. Keep V2.011 firmware files shelved only for emergency rollback, but the goal should be full adoption of V2.012.
- Long-term governance: Subscribe to Rockwell’s security advisory RSS feed and integrate firmware tracking into your change management system. Periodic architecture reviews should ensure network segmentation remains intact and no new exposure points have appeared.
Detection and Incident Response
The advisory gives defenders actionable indicators of compromise, and the detection and response measures below are built around them:
- Module LED flashing red on a 5094-IF8 or 5094-IY8. This is a clear hardware fault signal.
- Connection fault Code 16#0010 reported in controller diagnostics after un-inhibiting the module. These errors fall into the range documented in Rockwell’s module-fault manuals as point-bus or connection-related.
- Configure monitoring systems (SCADA, Historian, SNMP traps) to alarm on these conditions specifically for the affected catalog numbers.
- Deploy network security monitoring tools with deep packet inspection for EtherNet/IP. Create detection rules for CIP explicit messaging (UDP/TCP port 44818) directed to inhibited modules. Look for repeated or malformed Class 32 requests.
- If a suspected attack is detected, follow incident response procedures. Initially, a power cycle will restore service, but the attacker may repeat the exploit. The only permanent fix is the firmware update. Ensure that any power cycle is performed safely and in coordination with operations, considering process interlocks.
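The two detection indicators above, as an added example that is not from the advisory or from Rockwell: a small Python correlation routine over a constructed, normalised event log (the record fields, module addresses, and the repeat threshold are assumptions) that alerts once when a source repeats Class 32 explicit requests to an inhibited 5094-IF8/IY8, and again when the controller reports connection fault 16#0010 on such a module.

```python
from collections import defaultdict, namedtuple

# Catalog numbers, firmware, fault code, port and CIP class are the ones the
# advisory names; REPEAT_THRESHOLD is an assumption made for this example.
AFFECTED = {"5094-IF8", "5094-IY8"}
VULNERABLE_FW, FAULT_CODE, CIP_PORT, CLASS_32 = "V2.011", "16#0010", 44818, 32
REPEAT_THRESHOLD = 3

# Snapshot of each module's catalog number, firmware and inhibit state.
ModuleState = namedtuple("ModuleState", "catalog firmware inhibited")
# Constructed inventory with hypothetical addresses; 5069-IF8 is included on
# purpose because it is outside the advisory's scope and must not alert.
INVENTORY = {
    "10.10.20.31": ModuleState("5094-IF8", "V2.011", True),
    "10.10.20.32": ModuleState("5094-IY8", "V2.012", True),
    "10.10.20.40": ModuleState("5069-IF8", "V2.011", False),
}

def analyse(events):
    """Return (severity, indicator, module) tuples for the advisory's two
    indicators: repeated Class 32 explicit requests to an inhibited
    5094-IF8/IY8, and connection fault 16#0010 on such a module."""
    alerts, seen = [], defaultdict(int)
    for ev in events:
        if ev["type"] == "cip_explicit":
            st = INVENTORY.get(ev["dst"])
            if not st or st.catalog not in AFFECTED or not st.inhibited:
                continue  # not an in-scope module, or not in the risky state
            if ev["dport"] != CIP_PORT or ev["cls"] != CLASS_32:
                continue  # ordinary traffic; only Class 32 is of interest
            key = (ev["src"], ev["dst"])
            seen[key] += 1
            if seen[key] == REPEAT_THRESHOLD:  # alert once per source/module
                sev = "HIGH" if st.firmware == VULNERABLE_FW else "MEDIUM"
                alerts.append((sev, "repeated_class32", ev["dst"]))
        elif ev["type"] == "ctrl_fault" and ev["code"] == FAULT_CODE:
            st = INVENTORY.get(ev["module"])
            if st and st.catalog in AFFECTED:
                alerts.append(("HIGH", "fault_16#0010", ev["module"]))
    return alerts

def cip(src, dst, cls):  # helper to build a normalised explicit-message record
    return {"type": "cip_explicit", "src": src, "dst": dst, "dport": CIP_PORT, "cls": cls}
# Constructed sample: one workstation repeats Class 32 requests to the
# inhibited IF8, then the controller reports the fault the advisory names.
SAMPLE_EVENTS = [
    cip("10.10.50.7", "10.10.20.31", 1), cip("10.10.50.7", "10.10.20.31", 32),
    cip("10.10.50.7", "10.10.20.31", 32), cip("10.10.50.7", "10.10.20.31", 32),
    cip("10.10.50.7", "10.10.20.40", 32),  # out-of-scope module: no alert
    {"type": "ctrl_fault", "module": "10.10.20.31", "code": FAULT_CODE},
]
```

Running `analyse(SAMPLE_EVENTS)` yields two HIGH alerts for 10.10.20.31 and nothing for the out-of-scope module; a module already on V2.012 still produces a MEDIUM alert, since repeated Class 32 traffic to an inhibited module is worth a look even after patching.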
The CVE Confusion: A Note on Inconsistent Mapping
In the hours following the advisory, some public vulnerability databases and secondary reports mistakenly associated these flaws with CVE-2025-7861 and CVE-2025-7862, and product numbers like 5069-IF8/5069-IY8. This is a typical artifact of asynchronous updates across CNA, NVD, and aggregator pipelines. The authoritative source is CISA’s ICS Advisory ICSA-25-226-26, which clearly states CVE-2025-9041/9042 and 5094-IF8/5094-IY8. When communicating internally, always cross-reference the advisory ID to avoid patching the wrong device or missing the true scope.
A Recurring Industrial Security Lesson
The FLEX 5000 DoS vulnerabilities belong to a class of threats that continues to plague OT environments: low-complexity, remotely triggered availability loss that