Rockwell Automation FLEX 5000 I/O (Update A)

Plan Patch7.5ICS-CERT ICSA-25-226-26Aug 14, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A denial-of-service vulnerability exists in Rockwell Automation FLEX 5000 I/O modules 5094-IF8 and 5094-IY8 (version V2.011) that could be triggered remotely without authentication. Successful exploitation causes the I/O modules to become unresponsive, interrupting input and output signal processing in the control system. Rockwell Automation has released firmware version V2.012 or later to correct this issue.

What this means

What could happen

An attacker could cause a denial-of-service condition on the FLEX 5000 I/O modules, potentially stopping input/output operations and halting dependent processes in the control system.

Who's at risk

Water utilities and municipal electric utilities operating Rockwell Automation FLEX 5000 I/O modules (5094-IF8 and 5094-IY8) for analog input and discrete output operations. Any facility using these modules in critical process control loops is at risk of operational disruption.

How it could be exploited

An attacker with network access to the vulnerable FLEX 5000 I/O modules could send a specially crafted packet or request that triggers a denial-of-service condition, causing the modules to become unresponsive and stop processing I/O signals.

Prerequisites

Network access to the FLEX 5000 I/O module on the control network
No authentication required

Remotely exploitableNo authentication requiredLow complexityNo patch currently available for affected versionsAffects input/output modules critical to process control

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

5094-IF8: V2.011V2.011V2.012 or later

5094-IY8: V2.011V2.011V2.012 or later

Remediation & Mitigation

0/5

Do now

0/1

HARDENINGRestrict network access to FLEX 5000 I/O modules using firewall rules; do not expose them to the internet or business networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade FLEX 5000 I/O modules (5094-IF8 and 5094-IY8) to firmware version V2.012 or later

Long-term hardening

0/3

HARDENINGIsolate control system networks containing FLEX 5000 I/O modules behind firewalls and segment them from business networks

HARDENINGIf remote access is required, use VPN with current security patches; ensure VPN-connected devices are also kept current

HARDENINGFollow Rockwell Automation's published Security Best Practices

CVEs (2)

CVE-2025-9041 CVE-2025-9042

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/99888daa-b862-4a3d-b0b1-6f614adfb1ab