Executive Summary
In June 2026, Rockwell Automation disclosed two critical vulnerabilities affecting their FLEX I/O EtherNet/IP Adapters, specifically models 1794-AENTR and 1794-AENTRXT version 2.012. The first vulnerability (CVE-2026-0646) involves improper memory handling of CIP protocol requests, leading to a denial-of-service condition that requires a manual reset. The second vulnerability (CVE-2026-0647) allows unauthenticated attackers to change the device's web interface password via a crafted HTTP GET request, potentially resulting in unauthorized access and account takeover. (netstorage.rockwellautomation.com)
These vulnerabilities are particularly concerning for critical manufacturing sectors, as exploitation could disrupt industrial operations and compromise system integrity. The increasing connectivity of industrial control systems heightens the risk of such vulnerabilities being exploited, emphasizing the need for timely updates and robust security measures.
Why This Matters Now
The disclosure of these vulnerabilities underscores the urgent need for organizations in the critical manufacturing sector to assess and update their industrial control systems. With the rise in cyber threats targeting operational technology, ensuring the security of such systems is paramount to prevent potential disruptions and unauthorized access.
Attack Path Analysis
An attacker exploited a memory handling vulnerability in the Rockwell Automation FLEX I/O EtherNet/IP Adapter's CIP protocol, causing a denial-of-service condition. Subsequently, the attacker leveraged improper authentication in the device's web server to change the web interface password, gaining unauthorized access. With control over the device, the attacker moved laterally within the network to compromise additional systems. The attacker established a command and control channel to maintain persistent access and control over the compromised devices. Sensitive data was exfiltrated from the industrial control systems to an external server. Finally, the attacker caused a loss of control over the industrial processes, leading to operational disruption.
Kill Chain Progression
Initial Compromise
Description
Exploited a memory handling vulnerability in the CIP protocol to cause a denial-of-service condition.
Related CVEs
CVE-2026-0646
CVSS 8.7
A denial-of-service vulnerability in Rockwell Automation FLEX I/O EtherNet/IP Adapters due to improper memory handling of CIP protocol requests, leading to device fault and loss of connection to I/O modules.
Affected Products:
Rockwell Automation 1794-AENTR – V2.012
Rockwell Automation 1794-AENTRXT – V2.012
Exploit Status:
no public exploit
CVE-2026-0647
CVSS 8.8
An improper authentication vulnerability in Rockwell Automation FLEX I/O EtherNet/IP Adapters' embedded web server allows unauthenticated attackers to change the device's web interface password via crafted HTTP GET requests.
Affected Products:
Rockwell Automation 1794-AENTR – V2.012
Rockwell Automation 1794-AENTRXT – V2.012
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Denial of Service
Denial of Control
Denial of View
Unauthorized Command Message
Loss of Control
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Boundary Protection
Control ID: SC-7
PCI DSS 4.0 – Security Vulnerabilities Management
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Industrial Automation
Critical vulnerability in Rockwell FLEX I/O EtherNet/IP adapters enables unauthorized access and denial-of-service attacks on manufacturing control systems worldwide.
Automotive
Manufacturing facilities using affected Rockwell automation adapters face production disruption risks from memory handling flaws and authentication bypass vulnerabilities.
Oil/Energy/Solar/Greentech
Energy infrastructure utilizing vulnerable EtherNet/IP adapters exposed to remote attacks causing I/O module disconnection and requiring manual recovery procedures.
Utilities
Power generation and distribution systems using Rockwell FLEX I/O adapters vulnerable to unauthenticated web interface takeover and operational availability loss.
Sources
- Rockwell Automation FLEX I/O EtherNet/IP Adapters (CISA ICS Advisory ICSA-26-167-05): https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-05 (Verified)
- Rockwell Automation Security Advisory SD1775: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1775.html (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data, thereby reducing the overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the vulnerability may have been constrained, potentially reducing the likelihood of a successful denial-of-service condition.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been constrained, potentially reducing unauthorized access to critical systems.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network may have been constrained, potentially reducing the spread of the attack.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels may have been constrained, potentially reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may have been constrained, potentially reducing data loss.
The attacker's ability to disrupt industrial processes may have been constrained, potentially reducing operational impact.
Impact at a Glance
Affected Business Functions
- Industrial Control Systems Operations
- Manufacturing Process Control
Estimated downtime: 2 days
Estimated loss: $50,000
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Enforce strong authentication mechanisms to prevent unauthorized access.
- Deploy Intrusion Prevention Systems (IPS) to detect and block exploitation attempts.
- Establish comprehensive monitoring to detect and respond to command and control activities.
- Regularly update and patch systems to mitigate known vulnerabilities.