CISA Warns of Critical Auth Bypass and DoS Flaws in Rockwell Automation FLEX I/O Adapters
CISA disclosed two vulnerabilities in Rockwell Automation FLEX I/O EtherNet/IP adapters, including a critical authentication bypass (CVE-2026-0647) and a high-severity denial-of-service flaw (CVE-2026-0646).

CISA has published an advisory detailing two vulnerabilities in Rockwell Automation's FLEX I/O EtherNet/IP adapters, specifically the 1794-AENTR and 1794-AENTRXT models running firmware version 2.012. The flaws include a critical authentication bypass (CVE-2026-0647) and a high-severity denial-of-service (DoS) vulnerability (CVE-2026-0646), both of which could allow remote attackers to compromise industrial control systems. Rockwell Automation has released version 2.013 to address the issues.
The most severe vulnerability, CVE-2026-0647, carries a CVSS v3 base score of 9.4 and stems from missing authentication for critical functions in the device's embedded web server. According to the advisory, an unauthenticated attacker can change the device's web interface password by sending a crafted HTTP GET request to a specific endpoint. Exploitation could lead to unauthorized access, account takeover, and loss of availability of the web server. This flaw is particularly dangerous because it requires no prior authentication and can be executed remotely over the network.
The second vulnerability, CVE-2026-0646, is a high-severity DoS issue with a CVSS v4 score of 8.7. It is caused by improper memory handling of CIP protocol requests, which can cause the adapter to fault and lose connection to its associated I/O modules. A manual reset is required to recover from this condition. While this flaw does not allow data theft or code execution, it can disrupt critical manufacturing processes by taking I/O modules offline.
Both vulnerabilities affect the Rockwell Automation 1794-AENTR and 1794-AENTRXT adapters running version 2.012. These devices are used in industrial control systems across the Critical Manufacturing sector and are deployed worldwide. Rockwell Automation recommends that users update to firmware version 2.013 to remediate the vulnerabilities. For more details, users can refer to Rockwell Automation's security advisory SD1775.
CISA advises organizations to minimize network exposure for control system devices and ensure they are not accessible from the internet. Additional recommendations include using firewalls and VPNs for remote access, and following defense-in-depth strategies. As of the advisory's publication, no public exploitation of these vulnerabilities has been reported. However, given the critical nature of the authentication bypass, the potential for targeted attacks remains a concern.
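As an added example (not part of the CISA or Rockwell advisories), the following script triages an asset inventory against the affected models and firmware version named above and ranks internet-reachable adapters first, in line with CISA's exposure guidance. The inventory column layout and the sample rows are constructed for this example.

```python
"""Triage an ICS asset inventory against the FLEX I/O advisory described above.

Assumption: the inventory is a CSV with the columns used in SAMPLE_INVENTORY;
the rows below are constructed sample data, not a real site inventory.
"""
import csv
import io

AFFECTED_MODELS = {"1794-AENTR", "1794-AENTRXT"}
AFFECTED_VERSION = "2.012"
FIXED_VERSION = "2.013"
ADVISORY_CVES = ("CVE-2026-0647", "CVE-2026-0646")

# Constructed sample inventory (column layout is an assumption for this example).
SAMPLE_INVENTORY = """\
asset,model,firmware,ip,internet_reachable
flex-io-01,1794-AENTR,2.012,10.20.1.11,no
flex-io-02,1794-AENTRXT,2.012,10.20.1.12,yes
flex-io-03,1794-AENTR,2.013,10.20.1.13,no
plc-01,1756-L83E,33.011,10.20.1.20,no
"""


def parse_version(version):
    """'2.012' -> (2, 12): compare dotted firmware strings numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(model, firmware):
    """Only the two FLEX I/O models at the advisory's affected version are in scope."""
    return model in AFFECTED_MODELS and parse_version(firmware) == parse_version(AFFECTED_VERSION)


def triage(inventory_csv):
    """Return affected assets, internet-reachable ones first (P1), the rest as P2."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_affected(row["model"], row["firmware"]):
            continue
        exposed = row["internet_reachable"].strip().lower() == "yes"
        findings.append({
            "asset": row["asset"],
            "ip": row["ip"],
            "cves": ADVISORY_CVES,
            "action": f"update firmware {row['firmware']} -> {FIXED_VERSION}",
            # CISA: control-system devices should not be reachable from the internet;
            # an exposed adapter with an unauthenticated password change comes first.
            "priority": "P1" if exposed else "P2",
        })
    findings.sort(key=lambda finding: finding["priority"])
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```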
This advisory highlights the ongoing risks facing industrial control systems, where vulnerabilities in network adapters can expose critical infrastructure to remote compromise. Organizations using Rockwell Automation products should prioritize patching and review their security posture to prevent potential disruptions or unauthorized access.