
CVE-2025-9041: CWE-1287: Improper Validation of Specified Type of Input in Rockwell Automation FLEX 5000 I/O

Severity: High
Type: Vulnerability
Tags: CVE-2025-9041, cve, cve-2025-9041, cwe-1287
Published: Thu Aug 14 2025 (08/14/2025, 14:17:37 UTC)
Source: CVE Database V5
Vendor/Project: Rockwell Automation
Product: FLEX 5000 I/O

Description

A security issue exists due to improper handling of CIP Class 32’s request when a module is inhibited on the 5094-IF8 device. It causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle.

AI-Powered Analysis

Last updated: 08/14/2025, 14:48:08 UTC

Technical Analysis

CVE-2025-9041 is a high-severity vulnerability (CVSS 8.7) affecting Rockwell Automation's FLEX 5000 I/O modules, specifically versions 2.011 or below. The flaw arises from improper validation of CIP Class 32 requests when a module is inhibited on the 5094-IF8 device. CIP (Common Industrial Protocol) Class 32 is used for I/O messaging in industrial control systems. When a specially crafted request is sent to an inhibited module, it causes the module to enter a fault state indicated by a flashing red Module LED. Upon removing the inhibit condition, the module returns a connection fault (Code 16#0010) and cannot recover without a power cycle. This results in a denial-of-service condition where the module becomes non-functional until manually reset. The vulnerability does not require authentication, user interaction, or privileges to exploit, and can be triggered remotely over the network. The improper input validation (CWE-1287) leads to a persistent fault state impacting the availability of the affected module. No known exploits are currently in the wild, and no patches have been published yet. The vulnerability affects critical industrial control hardware used in automation environments, making it a significant risk for operational continuity.

Potential Impact

For European organizations, especially those in manufacturing, utilities, and critical infrastructure sectors relying on Rockwell Automation FLEX 5000 I/O modules, this vulnerability poses a substantial operational risk. Exploitation can cause denial of service by forcing modules into a fault state requiring manual power cycling, potentially halting production lines or disrupting control processes. The lack of recovery without physical intervention increases downtime and maintenance costs. Given the widespread use of Rockwell Automation products in European industrial environments, this vulnerability could lead to significant operational disruptions, safety risks, and financial losses. Additionally, attackers could leverage this vulnerability as part of a broader attack chain to degrade industrial control system reliability or cause cascading failures in critical infrastructure.

Mitigation Recommendations

Organizations should immediately identify and inventory all FLEX 5000 I/O modules running version 2.011 or below, prioritizing those with the 5094-IF8 device. Until a patch is available, implement network segmentation and strict access controls to limit exposure of these devices to untrusted networks. Employ industrial firewall rules to block unauthorized CIP Class 32 requests, especially those targeting inhibited modules. Monitor network traffic for anomalous CIP messages and implement intrusion detection systems tailored for industrial protocols. Establish procedures for rapid manual power cycling to recover modules if faults occur. Engage with Rockwell Automation for updates on patches or firmware upgrades and plan for timely deployment once available. Additionally, review and harden operational procedures to minimize the use of module inhibition unless necessary, reducing the attack surface. Conduct staff training to recognize and respond to module fault states promptly.
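The inventory step above can be scripted against an asset export. The following is an added example, not part of the advisory or any Rockwell tooling: the CSV column names and asset names are constructed, every row is assumed to be a FLEX 5000 I/O module, and ranking inhibited 5094-IF8 modules first follows from the description that the fault is reached while the module is inhibited.

```python
import csv
import io

PRIORITY_CATALOG = "5094-IF8"   # device named in the advisory
MAX_AFFECTED_REV = (2, 11)      # "2.011 or below" as (major, minor)

# Constructed sample export. Column names are assumptions, not a vendor format,
# and every row is assumed to be a FLEX 5000 I/O module.
SAMPLE_INVENTORY = """\
asset,catalog,firmware,inhibited
Line1-Rack2-Slot3,5094-IF8,2.011,yes
Line1-Rack2-Slot4,5094-IF8,2.012,no
Line2-Rack1-Slot1,5094-IF8,1.015,no
Line2-Rack1-Slot2,5094-OB16,2.011,no
Line3-Rack1-Slot5,5094-IF8,unknown,yes
"""

def parse_revision(text):
    """Return (major, minor) as ints for 'M.mmm', or None if unparseable."""
    parts = text.strip().split(".")
    if len(parts) != 2 or not all(p.isdecimal() for p in parts):
        return None
    return int(parts[0]), int(parts[1])

def triage(csv_text):
    """Return (priority, asset, reason) tuples, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rev = parse_revision(row["firmware"])
        if rev is not None and rev > MAX_AFFECTED_REV:
            continue  # newer than the affected range
        is_if8 = row["catalog"].strip().upper() == PRIORITY_CATALOG
        inhibited = row["inhibited"].strip().lower() in ("yes", "true", "1")
        # Inhibited 5094-IF8 modules rank first, then other 5094-IF8, then the rest.
        priority = 1 if (is_if8 and inhibited) else 2 if is_if8 else 3
        if rev is None:
            # An unreadable revision is kept in scope until someone checks it.
            reason = "firmware unreadable, verify manually"
        else:
            reason = f"firmware {row['firmware']} in affected range"
        findings.append((priority, row["asset"], reason))
    return sorted(findings)

if __name__ == "__main__":
    for priority, asset, reason in triage(SAMPLE_INVENTORY):
        print(f"P{priority} {asset}: {reason}")
```

Revisions are compared as integer pairs rather than strings or floats, so 2.012 is correctly treated as newer than 2.011 and 1.015 as older.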


Technical Details

Data Version: 5.1
Assigner Short Name: Rockwell
Date Reserved: 2025-08-14T13:58:43.711Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689df3d9ad5a09ad005b9188

Added to database: 8/14/2025, 2:34:01 PM

Last enriched: 8/14/2025, 2:48:08 PM

Last updated: 8/21/2025, 12:35:15 AM
