CVE-2025-9464 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting Rockwell Automation's ArmorStart® LT product, specifically versions 2.002 and below. The vulnerability arises when multiple CIP classes are fuzzed, causing the CIP port to become unresponsive and leading to a denial-of-service condition. CIP is a widely used industrial protocol in automation systems, and ArmorStart® LT is a component used to manage motor starting and control in industrial environments. The flaw does not require any authentication, user interaction, or privileges, and can be exploited remotely over the network, making it highly accessible to attackers. The vulnerability was reserved in August 2025 and published in January 2026 with a CVSS 4.0 base score of 8.7, indicating a high severity level primarily due to its impact on availability and ease of exploitation. No patches or known exploits are currently available, but the risk remains significant given the critical role of ArmorStart® LT in industrial control systems. The vulnerability could be triggered by sending malformed or fuzzed CIP messages that overwhelm the device’s resources, causing the CIP port to stop responding and effectively denying service to legitimate control commands. This could disrupt industrial processes, leading to production downtime or safety risks in automated environments.

The primary impact of CVE-2025-9464 is a denial-of-service condition that affects the availability of ArmorStart® LT devices. For European organizations, especially those in manufacturing, energy, utilities, and critical infrastructure sectors that rely on Rockwell Automation products, this could result in operational disruptions, production halts, and potential safety hazards. The inability to communicate with the CIP port may prevent proper motor control and automation functions, leading to cascading failures in industrial processes. Given the vulnerability requires no authentication or user interaction, attackers could remotely trigger the DoS condition, increasing the risk of targeted attacks or accidental disruptions. The economic impact could be substantial due to downtime and potential damage to equipment or processes. Additionally, organizations may face regulatory and compliance challenges if critical infrastructure availability is compromised. The lack of known exploits currently reduces immediate risk, but the high severity score and ease of exploitation warrant proactive measures.

1. Network Segmentation: Isolate ArmorStart® LT devices on dedicated network segments with strict access controls to limit exposure to untrusted networks. 2. Access Control: Restrict access to CIP ports using firewalls or industrial protocol-aware intrusion prevention systems to allow only trusted management stations or controllers. 3. Traffic Monitoring: Implement continuous monitoring of CIP traffic for anomalous patterns or fuzzing attempts that could indicate exploitation attempts. 4. Vendor Coordination: Engage with Rockwell Automation for updates and patches; apply security patches promptly once released. 5. Incident Response Planning: Develop and test response plans for DoS scenarios affecting industrial control devices to minimize downtime. 6. Device Hardening: Disable unused CIP classes or services on ArmorStart® LT devices to reduce the attack surface. 7. Network Anomaly Detection: Deploy specialized industrial network anomaly detection tools to identify unusual CIP traffic that could precede exploitation. These measures go beyond generic advice by focusing on network-level controls and proactive monitoring tailored to industrial protocols and environments.