Rockwell Automation FLEX 5000 I/O (Update A)
Plan Patch | CVSS 7.5 | ICS-CERT ICSA-25-226-26 | Aug 14, 2025
Rockwell Automation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
FLEX 5000 I/O modules 5094-IF8 and 5094-IY8 contain an input validation flaw (CWE-20) that allows remote attackers to send malformed input or commands, triggering a denial-of-service condition. Affected modules become unresponsive and unable to process inputs or outputs until restarted. All versions of the generic FLEX 5000 I/O product line are affected and will not receive a patch.
What this means
What could happen
An attacker could cause a denial-of-service condition on affected I/O modules, interrupting their ability to read inputs or control outputs until the device is rebooted, potentially halting process operations that depend on these modules.
Who's at risk
Water and utility operations using Rockwell Automation FLEX 5000 I/O modules (specifically 5094-IF8 and 5094-IY8 models) for analog or digital input/output control. Any facility relying on these modules for critical process monitoring or control is affected.
How it could be exploited
An attacker with network access to the affected I/O module could send a malformed input or command that triggers the vulnerability, causing the module to become unresponsive and stop processing I/O operations.
Prerequisites
- Network access to the affected I/O module on port 502 (EtherNet/IP) or the module's management interface
- No authentication required
remotely exploitable | no authentication required | low complexity | denial of service to physical I/O | FLEX 5000 I/O has no patch available
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (3)
2 with fix, 1 EOL
Product | Affected Versions | Fix Status
5094-IF8: V2.011 | V2.011 | V2.012+
5094-IY8: V2.011 | V2.011 | V2.012+
FLEX 5000 I/O | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the I/O modules by placing them behind a firewall and blocking inbound traffic from untrusted networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update 5094-IF8 modules to firmware version V2.012 or later
HOTFIX: Update 5094-IY8 modules to firmware version V2.012 or later
Mitigations - no patch available
FLEX 5000 I/O has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate the FLEX 5000 I/O control system network from business networks using a physical or logical air gap
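The affected-products table and remediation steps above, applied to an asset inventory, as an added example (not code from the advisory or from Rockwell Automation). The asset names and inventory rows are constructed, and the inventory is assumed to list only FLEX 5000 I/O modules.

```python
import re

# Values taken from the advisory's affected-products table.
AFFECTED_VERSION = (2, 11)   # V2.011
FIXED_VERSION = (2, 12)      # V2.012 or later
PATCHABLE_MODELS = {"5094-IF8", "5094-IY8"}


def parse_version(text):
    """Turn 'V2.011' (or '2.011') into a comparable tuple such as (2, 11)."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def triage(model, firmware):
    """Return (status, action) for one module, following the advisory."""
    model = model.strip().upper()
    if model not in PATCHABLE_MODELS:
        # Assumption: every inventory row is a FLEX 5000 I/O module, so any
        # other model falls under the generic "all versions, no fix (EOL)" row.
        return "no-fix", "restrict network access and isolate the control network"
    version = parse_version(firmware)
    if version >= FIXED_VERSION:
        return "fixed", "none"
    if version == AFFECTED_VERSION:
        return "affected", "schedule update to V2.012 or later; restrict network access now"
    # Older releases are not listed on the page, so their status is not guessed.
    return "unlisted", "version not listed in advisory; confirm with vendor"


def triage_inventory(rows):
    """rows: iterable of (asset, model, firmware) -> {asset: (status, action)}."""
    return {asset: triage(model, fw) for asset, model, fw in rows}


# Constructed sample inventory (asset names are hypothetical).
SAMPLE = [
    ("pump-station-1/slot3", "5094-IF8", "V2.011"),
    ("pump-station-1/slot4", "5094-IY8", "v2.012"),
    ("clarifier-2/slot1", "5094-IF8", "2.010"),
    ("intake/slot2", "FLEX 5000 I/O", "n/a"),
]

if __name__ == "__main__":
    for asset, (status, action) in triage_inventory(SAMPLE).items():
        print(f"{asset:24} {status:9} {action}")
```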
CVEs (2)