CVE-2025-9042
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-08-15
Assigner: Rockwell Automation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rockwell_automation | flex_5000_io_modules | 2.011 |
| rockwell_automation | flex_5000_io_modules | 2.012 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because the 5094-IY8 device (a FLEX 5000 I/O module; the affected firmware versions listed above are 2.011 and 2.012) improperly handles CIP Class 32 requests while the module is inhibited. Receiving such a request in that state puts the module into a fault state, indicated by a flashing red Module LED. When the module is later uninhibited, it returns a connection fault (Code 16#0010) and cannot recover without a power cycle. The weakness is classified as CWE-1287 (improper validation of the type of the input): the module accepts a request it should have rejected or deferred while inhibited.
How can this vulnerability impact me?
The impact is on availability only: the affected module enters a fault state and cannot recover on its own, so an operator must power-cycle it to restore I/O. Because standard CIP over EtherNet/IP carries no authentication, any host that can reach the module on the network can trigger this, which can lead to downtime and disruption in operations relying on the 5094-IY8 device.
What immediate steps should I take to mitigate this vulnerability?
A power cycle is the recovery step, not a mitigation: it clears the connection fault (Code 16#0010) after the module has faulted, but does not stop it from happening again. To reduce exposure, check the Rockwell Automation advisory for this CVE for a firmware release that corrects the behaviour on versions 2.011 and 2.012 and apply it. Until then, restrict EtherNet/IP access to the module (TCP 44818 and UDP 2222) to the controllers and engineering workstations that need it, keep I/O networks segmented from general-purpose and untrusted networks, and avoid leaving modules inhibited while other hosts can send CIP requests to them.
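The explanation and mitigation answers above both come down to one network-observable condition: a CIP request whose path addresses Class 32 reaching a module that may be inhibited. The following is an added example, not code from the BaseFortify page or from Rockwell Automation, that decodes the CIP Message Router request format (service code, request-path size in 16-bit words, EPATH logical segments for class, instance and attribute) so that CIP payloads pulled from a capture or an IDS log can be checked for requests to a given class. The sample payloads are constructed for this example, and reading the advisory's "Class 32" as class ID 0x20 (decimal 32) is an assumption; change `SUSPECT_CLASS` if your vendor documentation says otherwise.

```python
"""Decode CIP Message Router requests and flag those addressed to one object class.

Added example; not code from the BaseFortify page or from Rockwell Automation.
The sample payloads below are constructed for this example. Treating the
advisory's "Class 32" as class ID 0x20 (decimal 32) is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional

# EPATH logical-segment type bytes (CIP Vol. 1 EPATH encoding).
SEG_CLASS_8, SEG_CLASS_16 = 0x20, 0x21
SEG_INSTANCE_8, SEG_INSTANCE_16 = 0x24, 0x25
SEG_ATTRIBUTE_8, SEG_ATTRIBUTE_16 = 0x30, 0x31
SEG_8BIT = (SEG_CLASS_8, SEG_INSTANCE_8, SEG_ATTRIBUTE_8)
SEG_16BIT = (SEG_CLASS_16, SEG_INSTANCE_16, SEG_ATTRIBUTE_16)

SUSPECT_CLASS = 0x20  # assumption: "Class 32" in the advisory read as decimal


@dataclass
class CipRequest:
    service: int
    class_id: Optional[int] = None
    instance: Optional[int] = None
    attribute: Optional[int] = None
    data: bytes = b""


def parse_cip_request(buf: bytes) -> CipRequest:
    """Parse an unconnected CIP request: service, path size (words), EPATH, data."""
    if len(buf) < 2:
        raise ValueError("CIP request shorter than service + path size")
    service, path_words = buf[0], buf[1]
    path_len = 2 * path_words
    path = buf[2:2 + path_len]
    if len(path) != path_len:
        raise ValueError("request path truncated")
    req = CipRequest(service=service, data=buf[2 + path_len:])
    i = 0
    while i < len(path):
        seg = path[i]
        if seg in SEG_8BIT:
            if i + 2 > len(path):
                raise ValueError("8-bit logical segment truncated")
            value, i = path[i + 1], i + 2
        elif seg in SEG_16BIT:
            # 16-bit logical value: one pad byte, then a little-endian UINT.
            if i + 4 > len(path):
                raise ValueError("16-bit logical segment truncated")
            value, i = int.from_bytes(path[i + 2:i + 4], "little"), i + 4
        else:
            raise ValueError(f"unsupported path segment type 0x{seg:02x}")
        if seg in (SEG_CLASS_8, SEG_CLASS_16):
            req.class_id = value
        elif seg in (SEG_INSTANCE_8, SEG_INSTANCE_16):
            req.instance = value
        else:
            req.attribute = value
    return req


def find_requests_to_class(payloads: List[bytes], class_id: int = SUSPECT_CLASS) -> List[int]:
    """Return indices of payloads whose request path targets class_id.

    Malformed payloads are skipped rather than raising, so a monitor keeps
    running over the rest of a capture.
    """
    hits = []
    for idx, payload in enumerate(payloads):
        try:
            req = parse_cip_request(payload)
        except ValueError:
            continue
        if req.class_id == class_id:
            hits.append(idx)
    return hits


# Constructed sample payloads (CIP request bytes only, no EtherNet/IP header).
SAMPLE_PAYLOADS = [
    # Get_Attribute_Single (0x0E) of Identity object (class 1), instance 1, attribute 7.
    bytes.fromhex("0E 03 20 01 24 01 30 07"),
    # Get_Attribute_Single addressed to class 0x20, instance 1 (8-bit class segment).
    bytes.fromhex("0E 02 20 20 24 01"),
    # Same class via the 16-bit logical segment form (0x21, pad byte, UINT).
    bytes.fromhex("0E 03 21 00 20 00 24 01"),
    # Truncated request: path size claims 3 words but only 2 bytes follow.
    bytes.fromhex("0E 03 20 01"),
]

if __name__ == "__main__":
    for idx in find_requests_to_class(SAMPLE_PAYLOADS):
        req = parse_cip_request(SAMPLE_PAYLOADS[idx])
        print(f"payload {idx}: service 0x{req.service:02X} -> class 0x{req.class_id:02X}")
```

The parser deliberately handles both the 8-bit and 16-bit logical segment encodings, since a sender can address the same class either way and a check that only matches the `20 20` byte pair would miss the `21 00 20 00` form. To use it on live traffic, feed it the data portion of the Unconnected Data Item (type 0x00B2) from SendRRData (0x006F) encapsulation packets on TCP 44818.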