CVE-2026-0647
Description
An unauthenticated attacker can change the web interface password on Rockwell Automation 1794-AENTR adapters via a crafted HTTP GET request, enabling account takeover and availability loss.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper authentication vulnerability exists in the embedded web server of Rockwell Automation 1794-AENTR and 1794-AENTRXT FLEX I/O EtherNet/IP adapters running firmware version 2.012. The bug allows an unauthenticated attacker to change the device's web interface password by sending a specially crafted HTTP GET request to a specific endpoint, without requiring prior authentication [1].
Exploitation
No authentication is required to exploit this issue. An attacker with network access to the affected device can craft a malicious HTTP GET request directed at a particular endpoint of the embedded web server. The exact endpoint is not publicly detailed, but the request triggers the password change operation without any session or credential validation [1].
Impact
Successful exploitation grants the attacker the ability to change the web interface password, leading to unauthorized access and account takeover. This can result in loss of the device's embedded web server availability, as legitimate users may be locked out or the web interface compromised for further malicious actions [1].
Mitigation
Rockwell Automation has released firmware version 2.013 which corrects this issue. Users should update all affected devices (catalog numbers 1794-AENTR and 1794-AENTRXT) to firmware 2.013 or later. No workarounds are documented, and this CVE is not listed as a Known Exploited Vulnerability (KEV) as of the advisory publication [1].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
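The Mitigation guidance above can be checked against an asset inventory. The following is an added example, not code from the advisory or from Rockwell Automation, that triages rows by catalog number and firmware. The CSV column names, the host names, and the treatment of the minor revision as a zero-padded integer are assumptions.

```python
import csv
import io

# Values taken from the advisory text on this page.
AFFECTED_CATALOGS = {"1794-AENTR", "1794-AENTRXT"}
VULNERABLE_FW = (2, 12)   # firmware 2.012
FIXED_FW = (2, 13)        # firmware 2.013

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """\
host,catalog,firmware
flex-line1,1794-AENTR,2.012
flex-line2,1794-AENTRXT,2.013
flex-line3,1794-aentr,2.011
flex-line4,1794-AENT,2.012
flex-line5,1794-AENTRXT,
flex-line6,1794-AENTR,2.12
"""

def parse_fw(text):
    """Parse 'major.minor' into an int tuple; None if malformed.

    Assumption: the minor revision is a zero-padded integer, so '2.012'
    and '2.12' are the same revision. Comparing the strings directly
    would wrongly rank '2.12' above '2.013'.
    """
    parts = text.strip().split(".")
    if len(parts) != 2 or not all(p.isdecimal() for p in parts):
        return None
    return int(parts[0]), int(parts[1])

def triage(row):
    """Classify one inventory row against the advisory."""
    if row["catalog"].strip().upper() not in AFFECTED_CATALOGS:
        return "not-in-scope"
    fw = parse_fw(row["firmware"] or "")
    if fw is None:
        return "verify-firmware"    # missing or unparseable: check the device
    if fw >= FIXED_FW:
        return "fixed"
    if fw == VULNERABLE_FW:
        return "vulnerable"
    return "update-unconfirmed"     # below 2.013, but the page only names 2.012

def triage_inventory(csv_text):
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Rows marked `update-unconfirmed` run firmware older than the fixed release that this page does not explicitly list as affected; they still fall under the "2.013 or later" update guidance.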
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (1)
- Rockwell Automation FLEX I/O EtherNet/IP Adapters (CISA ICS Advisories)