CVE-2025-9166: CWE-476: NULL Pointer Dereference in Rockwell Automation ControlLogix® 5580

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-9166, cwe-476
Published: Tue Sep 09 2025 (09/09/2025, 12:36:15 UTC)
Source: CVE Database V5
Vendor/Project: Rockwell Automation
Product: ControlLogix® 5580

Description

A denial-of-service security issue exists in the affected product and version. The security issue stems from the controller repeatedly attempting to forward messages. The issue could result in a major nonrecoverable fault on the controller.

AI-Powered Analysis

Last updated: 09/09/2025, 12:42:14 UTC

Technical Analysis

CVE-2025-9166 is a high-severity denial-of-service (DoS) vulnerability affecting Rockwell Automation's ControlLogix® 5580 controller, specifically version 35.013. The root cause is a NULL pointer dereference (CWE-476) in the message forwarding logic: when the controller repeatedly attempts to forward messages, it dereferences a NULL pointer and enters a major nonrecoverable fault, crashing or becoming unresponsive. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network (Attack Vector: Network). The CVSS 4.0 base score is 8.2, reflecting the ease of exploitation combined with the significant impact on availability. Because the controller is a critical component of industrial control systems (ICS) used for automation and process control, such a fault can halt industrial operations. No known exploits are currently in the wild, and no patches have been released yet. The CVE was reserved in August 2025 and published in September 2025, indicating recent discovery and disclosure.

Potential Impact

For European organizations, especially those in manufacturing, energy, utilities, and critical infrastructure sectors relying on Rockwell Automation ControlLogix® 5580 controllers, this vulnerability poses a significant risk. Exploitation can lead to denial of service, causing operational downtime, disruption of industrial processes, and potential safety hazards. The nonrecoverable fault means the controller may require manual intervention or replacement, increasing downtime and maintenance costs. Given the critical role of these controllers in automation, the impact extends beyond IT to operational technology (OT) environments, potentially affecting supply chains and service delivery. Disruptions in sectors like power generation, water treatment, and manufacturing could have cascading effects on the European economy and public safety. The lack of authentication requirement and network-based exploitability increase the threat surface, especially in environments where these controllers are accessible from less secure networks or insufficiently segmented OT networks.

Mitigation Recommendations

1. Immediate network segmentation: Isolate ControlLogix® 5580 controllers from general IT networks and restrict access to trusted management stations only.
2. Implement strict firewall rules and access control lists (ACLs) to limit inbound traffic to the controllers, allowing only necessary protocols and IP addresses.
3. Monitor network traffic for unusual message forwarding patterns that could indicate exploitation attempts.
4. Apply compensating controls such as intrusion detection/prevention systems (IDS/IPS) tuned for ICS protocols to detect anomalies.
5. Coordinate with Rockwell Automation for timely patch releases and apply updates as soon as they become available.
6. Conduct thorough inventory and asset management to identify all affected controllers running version 35.013.
7. Develop and test incident response plans specific to ICS DoS events to minimize downtime.
8. Where possible, implement redundant controllers or failover mechanisms to maintain operational continuity during faults.
9. Restrict physical access to controllers to prevent local exploitation or tampering.
10. Engage with ICS cybersecurity specialists to perform vulnerability assessments and penetration testing focused on this vulnerability.

Technical Details

Data Version: 5.1
Assigner Short Name: Rockwell
Date Reserved: 2025-08-19T13:36:05.494Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c02092b132c07409a3e3c4

Added to database: 9/9/2025, 12:41:54 PM

Last enriched: 9/9/2025, 12:42:14 PM

Last updated: 9/9/2025, 3:19:12 PM
