Rockwell Automation FLEX I/O EtherNet/IP Adapters (CVE-2026-0646, CVE-2026-0647)

What Happened

Two security flaws have been discovered in Rockwell Automation FLEX I/O EtherNet/IP Adapters, which are devices used in manufacturing and industrial control systems. The most severe flaw allows an attacker to change the device's password and take over the system without needing to log in. The second flaw allows an attacker to crash the device, requiring a manual restart. These vulnerabilities could lead to unauthorized access and disruption of industrial operations. Organizations using these devices should immediately update them to version 2.013 and ensure they are not directly exposed to the internet.

Key Takeaways

• Two vulnerabilities (CVE-2026-0646, CVE-2026-0647) affect Rockwell Automation FLEX I/O EtherNet/IP Adapters version 2.012.
• CVE-2026-0647 (CVSS 9.4) allows unauthenticated attackers to change the device's web interface password via a crafted HTTP GET request.
• CVE-2026-0646 (CVSS 7.5) allows attackers to cause a Denial-of-Service (DoS) condition via improper memory handling of CIP protocol requests.
• Rockwell Automation recommends updating affected devices to version 2.013 to mitigate both issues.

Affected Systems

• Rockwell Automation 1794-AENTR V2.012
• Rockwell Automation 1794-AENTRXT V2.012

Vulnerabilities (CVEs)

• CVE-2026-0646
• CVE-2026-0647

Attack Chain

An unauthenticated attacker targets a vulnerable Rockwell Automation FLEX I/O EtherNet/IP Adapter. For CVE-2026-0647, the attacker sends a crafted HTTP GET request to a specific endpoint on the embedded web server to change the administrator password, gaining unauthorized access. Alternatively, for CVE-2026-0646, the attacker sends malformed CIP protocol requests, causing improper memory handling that faults the adapter and drops connections to associated I/O modules.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

No specific detection rules or queries are provided in the advisory.

Detection Engineering Assessment

EDR Visibility: None — EDR agents cannot be installed on embedded ICS/OT devices like Rockwell Automation adapters. Network Visibility: High — The attacks rely on network traffic (HTTP GET requests and CIP protocol requests) which can be monitored by OT-aware network intrusion detection systems (NIDS). Detection Difficulty: Moderate — Detecting anomalous HTTP GET requests to password-change endpoints or malformed CIP traffic requires deep packet inspection and baseline profiling of OT network traffic.

Required Log Sources

• Network Traffic Logs
• Web Server Access Logs (if forwarded)

Hunting Hypotheses

Control Gaps

• Lack of OT network segmentation
• Direct internet exposure of ICS devices

Key Behavioral Indicators

• Unexpected HTTP GET requests to embedded web servers on ICS devices
• Adapter fault events or unexpected loss of connection to I/O modules

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Update Rockwell Automation 1794-AENTR and 1794-AENTRXT adapters to version 2.013.
• Ensure affected devices are not accessible from the internet.

Infrastructure Hardening

• Locate control system networks and remote devices behind firewalls, isolating them from business networks.
• Implement secure remote access methods such as updated VPNs for any required remote connectivity to ICS networks.

User Protection

• N/A

Security Awareness

• Ensure OT operators are aware of the risks of exposing ICS devices to untrusted networks.

MITRE ATT&CK Mapping

• T1190 - Exploit Public-Facing Application
• T1498 - Network Denial of Service
• T1078 - Valid Accounts