CVE-2025-9466: CWE-400 Uncontrolled Resource Consumption in Rockwell Automation ArmorStart® LT

Severity: High
Tags: Vulnerability, CVE-2025-9466, cve, cve-2025-9466, cwe-400
Published: Tue Jan 20 2026 (01/20/2026, 13:54:48 UTC)
Source: CVE Database V5
Vendor/Project: Rockwell Automation
Product: ArmorStart® LT

Description

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP and CIP grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds.

AI-Powered Analysis

Last updated: 01/20/2026, 14:20:15 UTC

Technical Analysis

CVE-2025-9466 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting Rockwell Automation's ArmorStart® LT product, specifically versions V2.002 and earlier. The flaw manifests during the execution of Achilles EtherNet/IP and CIP grammar tests, which are standard protocol conformance tests for industrial communication. When these tests are run, the device unexpectedly reboots, causing a temporary denial-of-service (DoS) condition by bringing down the Link State Monitor for several seconds. The Link State Monitor is critical for maintaining network communication status and device availability in industrial control systems.

The vulnerability can be triggered remotely without any authentication or user interaction, making it highly exploitable over the network. The CVSS 4.0 base score is 8.7, reflecting high severity due to the network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on availability. Although no public exploits are currently known, the vulnerability poses a significant risk to operational continuity in environments using ArmorStart® LT devices.

The lack of available patches at the time of publication necessitates immediate mitigation through network controls and monitoring. This vulnerability highlights the risks inherent in industrial control system components that handle protocol testing and communication monitoring, where resource exhaustion can lead to critical service interruptions.

Potential Impact

The primary impact of CVE-2025-9466 is on the availability of industrial control systems using ArmorStart® LT devices. The unexpected reboot during protocol tests causes the Link State Monitor to go offline temporarily, disrupting network communication and potentially halting automated processes. For European organizations, especially those in manufacturing, energy, utilities, and critical infrastructure sectors, this can lead to operational downtime, production losses, and safety risks. The transient denial-of-service may also complicate incident response and recovery efforts. Since the vulnerability can be exploited remotely without authentication, attackers could leverage it to cause repeated disruptions or as part of a larger attack chain targeting industrial environments. The lack of known exploits currently reduces immediate risk but does not eliminate the potential for future exploitation. The impact is heightened in environments where ArmorStart® LT devices are integral to network health monitoring and control system stability.

Mitigation Recommendations

1. Implement strict network segmentation to isolate ArmorStart® LT devices from general IT networks and limit exposure to untrusted networks.
2. Deploy intrusion detection and prevention systems (IDS/IPS) with signatures or anomaly detection tuned to identify unusual EtherNet/IP and CIP traffic patterns, especially related to Achilles protocol tests.
3. Restrict access to the devices by enforcing firewall rules that only allow trusted management and monitoring hosts to communicate with ArmorStart® LT devices.
4. Monitor device logs and network traffic for unexpected reboots or Link State Monitor downtime to detect potential exploitation attempts early.
5. Coordinate with Rockwell Automation for timely patch deployment once available; maintain close vendor communication for updates or workarounds.
6. Conduct regular security assessments and penetration tests focusing on industrial protocol handling and resource consumption vulnerabilities.
7. Train operational technology (OT) staff to recognize the symptoms of exploitation of this vulnerability and respond appropriately.
8. Consider deploying redundant monitoring systems to maintain network visibility during transient device outages.
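One way to implement the monitoring in item 4, shown as an added example that is not part of the original advisory or any Rockwell tooling: it scans link-state records for repeated outages lasting only a few seconds, the symptom the description gives for the unexpected reboot. The log format, hostnames, and thresholds are assumptions made for this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <device> link=<up|down>" lines from a
# hypothetical link-state poller; hostnames and times are invented.
SAMPLE_LOG = """\
2026-01-20T10:00:00 armorstart-lt-01 link=up
2026-01-20T10:00:05 armorstart-lt-02 link=up
2026-01-20T10:03:10 armorstart-lt-01 link=down
2026-01-20T10:03:16 armorstart-lt-01 link=up
2026-01-20T10:05:40 armorstart-lt-01 link=down
2026-01-20T10:05:47 armorstart-lt-01 link=up
2026-01-20T10:07:02 armorstart-lt-01 link=down
2026-01-20T10:07:08 armorstart-lt-01 link=up
2026-01-20T10:20:00 armorstart-lt-02 link=down
2026-01-20T10:55:00 armorstart-lt-02 link=up
"""

def link_outages(log_text):
    """Return {device: [(down_time, duration_seconds), ...]} for closed outages."""
    down_since, outages = {}, defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("link="):
            continue  # skip lines that are not link-state records
        ts, device, state = datetime.fromisoformat(parts[0]), parts[1], parts[2][5:]
        if state == "down":
            down_since.setdefault(device, ts)  # keep the first 'down' of a run
        elif state == "up" and device in down_since:
            start = down_since.pop(device)
            outages[device].append((start, (ts - start).total_seconds()))
    return dict(outages)

def reboot_suspects(log_text, max_outage_s=30, window=timedelta(minutes=10), threshold=3):
    """Devices with at least `threshold` short outages inside one time window."""
    suspects = {}
    for device, events in link_outages(log_text).items():
        # A long outage (cable pull, maintenance) is not the reboot pattern.
        short = sorted(t for t, dur in events if dur <= max_outage_s)
        for i in range(len(short) - threshold + 1):
            if short[i + threshold - 1] - short[i] <= window:
                suspects[device] = len(short)
                break
    return suspects

if __name__ == "__main__":
    print(reboot_suspects(SAMPLE_LOG))
```

A single short outage can have ordinary causes, so the sketch alerts only on repetition; tune `max_outage_s`, `window`, and `threshold` to the polling interval and the observed reboot time of the devices.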


Technical Details

Data Version: 5.2
Assigner Short Name: Rockwell
Date Reserved: 2025-08-25T14:53:10.870Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 696f8bc44623b1157c380871

Added to database: 1/20/2026, 2:05:56 PM

Last enriched: 1/20/2026, 2:20:15 PM

Last updated: 1/20/2026, 5:43:37 PM
