CVE-2025-9160: CWE-306: Missing Authentication for Critical Function in Rockwell Automation CompactLogix® 5480

High
Tags: Vulnerability, CVE-2025-9160, cve, cve-2025-9160, cwe-306
Published: Tue Sep 09 2025 (09/09/2025, 12:30:45 UTC)
Source: CVE Database V5
Vendor/Project: Rockwell Automation
Product: CompactLogix® 5480

Description

A code execution security issue exists in the affected product. An attacker with physical access could abuse the maintenance menu of the controller with a crafted payload. The security issue can result in arbitrary code execution.

AI-Powered Analysis

Last updated: 09/09/2025, 12:42:32 UTC

Technical Analysis

CVE-2025-9160 is a high-severity vulnerability affecting Rockwell Automation's CompactLogix® 5480 controllers, specifically versions 32 through 37.011 with the Windows package (2.1.0) on Windows 10 version 1607. The vulnerability is categorized under CWE-306, 'Missing Authentication for Critical Function': certain critical functions within the device's maintenance menu lack proper authentication controls. An attacker with physical access to the device can exploit this flaw by crafting a malicious payload and injecting it through the maintenance menu, leading to arbitrary code execution on the controller.

The CVSS 4.0 vector indicates that the attack requires physical access (AV:P), has low attack complexity (AC:L), requires no privileges (PR:N) and no user interaction (UI:N), and results in high confidentiality, integrity, and availability impacts on the vulnerable system (VC:H, VI:H, VA:H). There is no impact on subsequent systems (SC:N, SI:N, SA:N), meaning the scope is unchanged.

Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the critical nature of the affected industrial control system (ICS) device. The CompactLogix® 5480 is widely used in industrial automation environments for controlling manufacturing processes, making this vulnerability particularly concerning for operational technology (OT) security. Because the critical functions are unauthenticated, an attacker who gains physical access can bypass security controls and execute arbitrary code, potentially disrupting industrial operations or causing safety hazards.

Potential Impact

For European organizations, especially those in manufacturing, energy, and critical infrastructure sectors, this vulnerability could have severe consequences. The CompactLogix® 5480 controllers are integral to automation and control systems, and arbitrary code execution could lead to unauthorized manipulation of industrial processes, resulting in production downtime, equipment damage, safety incidents, or data breaches. Given the physical access requirement, the threat is more relevant to environments where devices are accessible to personnel or visitors without strict physical security controls. The high impact on confidentiality, integrity, and availability means that exploitation could compromise sensitive operational data, alter control logic, or cause system outages. This could disrupt supply chains, cause financial losses, and potentially endanger human safety. Additionally, regulatory compliance frameworks in Europe, such as NIS2 and GDPR, may impose reporting and remediation obligations if such vulnerabilities are exploited, increasing the operational and legal risks for affected organizations.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement strict physical security controls to prevent unauthorized access to CompactLogix® 5480 controllers, including locked cabinets, surveillance, and access logging. Network segmentation should be enforced to isolate ICS devices from general IT networks, reducing the risk of remote exploitation. Organizations should monitor for unusual activity on maintenance interfaces and restrict maintenance operations to authorized personnel only. Since no patch is currently available, consider deploying compensating controls such as disabling or restricting access to the maintenance menu where feasible. Conduct regular security audits and penetration tests focusing on physical and logical access controls for ICS devices. Additionally, maintain an inventory of affected devices and prepare for rapid patch deployment once Rockwell Automation releases an official fix. Employee training on physical security and insider threat awareness is also critical to reduce the risk of malicious or accidental exploitation.

Technical Details

Data Version: 5.1
Assigner Short Name: Rockwell
Date Reserved: 2025-08-19T12:46:07.058Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c02092b132c07409a3e3c1

Added to database: 9/9/2025, 12:41:54 PM

Last enriched: 9/9/2025, 12:42:32 PM

Last updated: 9/9/2025, 9:12:27 PM
