
CVE-2025-9042: CWE-1287: Improper Validation of Specified Type of Input in Rockwell Automation FLEX 5000 I/O

High
Published: Thu Aug 14 2025 (08/14/2025, 14:23:58 UTC)
Source: CVE Database V5
Vendor/Project: Rockwell Automation
Product: FLEX 5000 I/O

Description

A security issue exists due to improper handling of CIP Class 32’s request when a module is inhibited on the 5094-IY8 device. It causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle.

AI-Powered Analysis

Last updated: 08/14/2025, 14:49:12 UTC

Technical Analysis

CVE-2025-9042 is a high-severity vulnerability affecting Rockwell Automation's FLEX 5000 I/O modules, specifically versions 2.011 or below. The issue stems from improper validation and handling of CIP Class 32 requests when a module is inhibited on the 5094-IY8 device. CIP (Common Industrial Protocol) is the protocol these modules use to communicate in industrial control systems, and its requests are addressed to object classes such as Class 32. When the module is inhibited and receives a certain request, it enters a fault state indicated by a flashing red Module LED. Upon un-inhibiting, the module returns a connection fault (Code 16#0010) and cannot recover without a power cycle. This is a denial-of-service condition: the module stays non-functional until it is manually reset.

The vulnerability does not require authentication, user interaction, or privileges to exploit, and can be triggered remotely over the network. The CVSS 4.0 base score of 8.7 reflects its high impact on availability (denial of service) with low attack complexity and no required privileges. The root cause is improper input validation (CWE-1287), which leads to the module entering an unrecoverable fault state. No known exploits are currently in the wild, and no patches have been published yet. This vulnerability affects critical industrial control hardware used in automation environments, potentially disrupting operational technology (OT) processes.

Potential Impact

For European organizations, especially those operating in manufacturing, utilities, and critical infrastructure sectors, this vulnerability poses a significant risk to operational continuity. The FLEX 5000 I/O modules are integral to industrial automation systems, and a denial-of-service condition can halt production lines, disrupt process control, and cause safety system failures. The inability of the module to recover without a power cycle means that remote recovery is impossible, potentially requiring physical intervention that could delay restoration. This can lead to financial losses, safety hazards, and regulatory compliance issues under frameworks like NIS2 and GDPR if personal data or critical services are impacted. Additionally, the lack of authentication and ease of exploitation means that threat actors could leverage this vulnerability to cause widespread disruption in industrial environments across Europe.

Mitigation Recommendations

1. Immediate mitigation should include network segmentation and strict access controls to limit exposure of FLEX 5000 I/O modules to untrusted networks.
2. Implement firewall rules to block unauthorized CIP Class 32 traffic from reaching the 5094-IY8 devices.
3. Monitor network traffic for unusual CIP requests that could trigger the fault state.
4. Establish physical access controls and rapid response procedures to power cycle affected modules if a fault occurs.
5. Coordinate with Rockwell Automation for timely release and deployment of patches or firmware updates addressing this vulnerability.
6. Conduct thorough inventory and risk assessments of all FLEX 5000 I/O modules in use to prioritize remediation efforts.
7. Consider deploying intrusion detection systems specialized for industrial protocols to detect exploitation attempts.
8. Train OT personnel on recognizing symptoms of this fault and on incident response protocols to minimize downtime.
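For recommendations 2 and 3, a monitoring check written for this page (an added example, not code from the advisory or from Rockwell Automation): it extracts the CIP class addressed by an unconnected EtherNet/IP request and alerts when Class 32 is targeted from a source outside an allowlist. Assumptions: "Class 32" is read as decimal 32 (0x20), the allowlisted address and the sample frames are constructed, and connected (SendUnitData) traffic is not covered.

```python
import struct

WATCHED_CLASS = 32               # assumption: the page's "Class 32" read as decimal
ALLOWED_SOURCES = {"10.10.1.5"}  # hypothetical controller allowed to send CIP to the module

def class_from_message(msg: bytes):
    """msg[0] = service, msg[1] = request path size in 16-bit words, then the EPATH."""
    if len(msg) < 2:
        return None
    path = msg[2:2 + 2 * msg[1]]
    if len(path) >= 2 and path[0] == 0x20:       # 8-bit logical class segment
        return path[1]
    if len(path) >= 4 and path[0] == 0x21:       # 16-bit class segment: pad byte, LE u16
        return struct.unpack_from("<H", path, 2)[0]
    return None

def cip_class_of(enip: bytes):
    """Return the class ID addressed by a SendRRData frame, or None if not parseable."""
    if len(enip) < 24:                           # 24-byte encapsulation header
        return None
    command, length = struct.unpack_from("<HH", enip, 0)
    body = enip[24:24 + length]
    if command != 0x006F or len(body) != length or length < 8:
        return None
    (item_count,) = struct.unpack_from("<H", body, 6)
    off = 8                                      # skip interface handle, timeout, item count
    for _ in range(item_count):
        if off + 4 > len(body):
            return None
        item_type, item_len = struct.unpack_from("<HH", body, off)
        data = body[off + 4:off + 4 + item_len]
        off += 4 + item_len
        if item_type == 0x00B2 and len(data) == item_len:   # unconnected data item
            return class_from_message(data)
    return None

def alerts(frames):
    """frames: iterable of (src_ip, enip_payload); return the sources to alert on."""
    return [src for src, payload in frames
            if cip_class_of(payload) == WATCHED_CLASS and src not in ALLOWED_SOURCES]

def sample_frame(class_id):
    """Constructed test frame: Get_Attribute_Single to <class_id>, instance 1, attribute 1."""
    cip = bytes([0x0E, 0x03, 0x20, class_id, 0x24, 0x01, 0x30, 0x01])
    items = (struct.pack("<IHH", 0, 0, 2) + struct.pack("<HH", 0, 0)
             + struct.pack("<HH", 0x00B2, len(cip)) + cip)
    return struct.pack("<HHII8sI", 0x006F, len(items), 1, 0, b"\0" * 8, 0) + items

SAMPLE = [("10.10.1.5", sample_frame(32)), ("192.0.2.77", sample_frame(32)),
          ("192.0.2.77", sample_frame(1))]
```

Feed `alerts` the TCP/44818 payloads from a span port or sensor; if the vendor advisory gives the class in hexadecimal, change `WATCHED_CLASS` accordingly.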


Technical Details

Data Version: 5.1
Assigner Short Name: Rockwell
Date Reserved: 2025-08-14T13:58:45.428Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689df3d9ad5a09ad005b9180

Added to database: 8/14/2025, 2:34:01 PM

Last enriched: 8/14/2025, 2:49:12 PM

Last updated: 8/21/2025, 12:35:15 AM
