Loading

FLEX 5000 I/O - Module Fault

Severity:
High
Advisory ID:
SD1737
公開日:
August 14, 2025
最終更新日:
August 14, 2025
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
いいえ
Corrected:
はい
Workaround:
いいえ
CVE IDs
CVE-2025-9041,
CVE-2025-9042
ダウンロード
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
JSON
概要
FLEX 5000 I/O - Module Fault When Requesting CIP Class 32 Object

Published Date: 8/14/2025 

Last Updated: 8/14/2025 
Revision Number: 1.0 
CVSS Score: See below

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

CVE

 

 

 

 

First Known in Firmware Version

 

 

 

 

Corrected in Firmware Version

 

 

 

 

 5094-IF8

 

 

 

 

CVE-2025-9041

 

 

 

 

 

 

 

 

 

 

V2.011

 

 

 

 

V2.012 and later

 

 

 

 

5094-IY8

 

 

 

 

CVE-2025-9042

 

 

 

 

V2.011

 

 

 

 

V2.012 and later

 

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-9041 

A security issue exists due to improper handling of CIP Class 32’s request when a module is inhibited on the 5094-IF8 device. It causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle.

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE-2025-9042

A security issue exists due to improper handling of CIP Class 32’s request when a module is inhibited on the 5094-IY8 device. It causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle.

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-1287: Improper Validation of Specified Type of Input
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds  
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied. 

  •         Security Best Practices 

 

Glossary:

  • CIP: Common Industrial Protocol (CIP) is a common communication standard that is widely used in industrial automation. Comprises a series of protocols for communication between different devices and systems in automation technology

  • Module: A self-contained unit within a system that performs a specific function and can operate independently or as part of a larger system

  • Inhibited: Temporarily disabled or prevented from operating.

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left ロックウェル・オートメーションのホーム Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust & Security Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
を続行するには、クッキーの設定を更新してください.
この機能には、お客様の利便性を向上させるためにクッキーが必要です。これらのクッキーを許可するように設定を更新してください:
  • ソーシャルメディア・クッキー
  • 機能性クッキー
  • パフォーマンスクッキー
  • マーケティングクッキー
  • 全てのクッキー
いつでも設定を更新することができます。詳しくは{0}をご覧ください プライバシーポリシー
CloseClose