Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: See below
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to helping customers improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | CVE | First Known in Firmware Version | Corrected in Firmware Version |
| --- | --- | --- | --- |
| 5094-IF8 | CVE-2025-9041 | V2.011 | V2.012 and later |
| 5094-IY8 | CVE-2025-9042 | V2.011 | V2.012 and later |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-9041
A security issue exists due to improper handling of a CIP Class 32 request when a module is inhibited on the 5094-IF8 device. This causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-9042
A security issue exists due to improper handling of a CIP Class 32 request when a module is inhibited on the 5094-IY8 device. This causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: CWE-1287: Improper Validation of Specified Type of Input
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Users should update to the corrected version if possible. Users of the affected software who are unable to upgrade should apply security best practices.
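To find which installed modules need the update, an asset inventory can be checked against the affected-product table above. The following Python sketch is an added example, not Rockwell Automation code; the inventory format, asset names and status labels are assumptions, and it assumes the minor revision compares numerically (V2.011 < V2.012).

```python
import re

# Affected ranges copied from the advisory table (first known / corrected firmware).
ADVISORY = {
    "5094-IF8": {"cve": "CVE-2025-9041", "first_known": "V2.011", "fixed": "V2.012"},
    "5094-IY8": {"cve": "CVE-2025-9042", "first_known": "V2.011", "fixed": "V2.012"},
}

_REV = re.compile(r"^\s*[Vv]?(\d+)\.(\d+)\s*$")

def parse_rev(text):
    """Return (major, minor) for strings such as 'V2.011' or '2.012', else None."""
    m = _REV.match(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(catalog, firmware):
    """Classify one module; returns (status, cve_or_None)."""
    entry = ADVISORY.get(catalog.strip().upper())  # exact catalog match only
    if entry is None:
        return ("not_listed", None)
    rev = parse_rev(firmware)
    if rev is None:
        # Revision missing or unreadable: keep the CVE attached for manual follow-up.
        return ("unknown_revision", entry["cve"])
    if rev >= parse_rev(entry["fixed"]):
        return ("corrected", None)
    if rev >= parse_rev(entry["first_known"]):
        return ("affected", entry["cve"])
    # The advisory makes no statement about firmware older than "first known".
    return ("before_first_known", None)

# Constructed sample inventory: (asset name, catalog number, firmware revision).
SAMPLE_INVENTORY = [
    ("line1-rack3-slot2", "5094-IF8", "V2.011"),
    ("line1-rack3-slot4", "5094-IY8", "2.012"),
    ("line2-rack1-slot1", "5094-IY8", "v2.011"),
    ("line2-rack1-slot5", "5094-IF8", ""),
    ("line2-rack1-slot6", "OTHER-MODULE", "V2.011"),
]

def report(inventory):
    """Map each asset name to its triage result."""
    return {asset: triage(cat, fw) for asset, cat, fw in inventory}

if __name__ == "__main__":
    for asset, (status, cve) in report(SAMPLE_INVENTORY).items():
        print(f"{asset:20} {status:20} {cve or '-'}")
```

Modules reported as `affected` or `unknown_revision` are the ones to schedule for the V2.012 update or to verify by hand.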
Glossary:
CIP: Common Industrial Protocol (CIP) is a common communication standard that is widely used in industrial automation. It comprises a series of protocols for communication between different devices and systems in automation technology.
Module: A self-contained unit within a system that performs a specific function and can operate independently or as part of a larger system.
Inhibited: Temporarily disabled or prevented from operating.