Rockwell Automation: 11 Vulnerabilities Disclosed, Including Critical Flaw in EtherNet/IP Adapter
Key findings • 11 Rockwell Automation vulnerabilities disclosed July 14-16, 2026, including one critical flaw. • High-severity DoS vulnerabilities affect Flex 5000, Compact/ControlLogix contr…

Key findings
- 11 Rockwell Automation vulnerabilities disclosed July 14-16, 2026, including one critical flaw.
- High-severity DoS vulnerabilities affect Flex 5000, Compact/ControlLogix controllers, and communication modules.
- Critical CVE-2026-10577 allows unauthenticated remote access to critical functions on 1715-AENTR adapter.
- Arbitrary code execution possible in Rockwell Arena simulation software due to memory corruption.
- Stored XSS vulnerability found in FactoryTalk DataMosaix Private Cloud.
- Affected products range from industrial controllers and adapters to simulation and cloud software.
On July 16, 2026, a significant batch of 11 vulnerabilities was disclosed across multiple Rockwell Automation products, with one critical vulnerability disclosed two days prior on July 14th. These vulnerabilities, spanning denial-of-service, arbitrary code execution, and stored cross-site scripting, impact a range of industrial control systems and software, including communication modules, controllers, simulation software, and cloud platforms. The disclosures highlight potential risks to operational integrity and data security within critical manufacturing and IT sectors.
Several high-severity denial-of-service (DoS) vulnerabilities were detailed:
- CVE-2026-12659 affects the Flex 5000 Adapter, stemming from improper handling of crafted CIP packets, requiring a power cycle for recovery. N5
- CVE-2025-11698, CVE-2025-12011, and CVE-2025-12012 impact CompactLogix, ControlLogix, Compact GuardLogix, and GuardLogix controllers. These vulnerabilities allow a malicious user to load invalid projects or write invalid data, leading to a major non-recoverable fault (MNRF). Versions up to V35.015 for 5370 controllers and V34.012/V35.011 for 5380/5480/5580 controllers are affected. N2
- CVE-2026-9653 affects communication modules 1756-EN2, 1756-EN3, and 1756-ENBT due to improper validation of CIP Implicit Connection packets, leading to disrupted device connections. Affected versions include 1756-EN3 <=V12.001, 1756-EN2 <=V12.001, and 1756-ENBT V6.006. N1
A critical vulnerability, CVE-2026-10577, with a CVSS score of 10.0, was disclosed on July 14th, affecting the 1715-AENTR EtherNet/IP Adapter. This issue involves a network-accessible debug port lacking proper privilege controls, allowing unauthenticated remote access to intrusive CLI commands. Exploitation could lead to reading or deleting files, stopping tasks, modifying memory, and altering I/O states, impacting confidentiality, integrity, and availability. Versions up to 3.003 are affected. N6
Four high-severity vulnerabilities (CVE-2026-8085, CVE-2026-8312, CVE-2026-8313, CVE-2026-8314) were found in Rockwell Automation Arena simulation software. These memory corruption vulnerabilities in various Siman components (model.exe, expmt.exe, linker.exe, siman.exe) stem from improper validation of user-supplied data, potentially allowing arbitrary code execution. All affected versions are Arena <=V17.00.00. N4
Additionally, a medium-severity Stored Cross-Site Scripting (XSS) vulnerability, CVE-2026-9292, exists in FactoryTalk DataMosaix Private Cloud. An authenticated attacker with high privileges could inject malicious scripts into the Workflows configuration, which are then permanently stored. Affected versions are DataMosaix Private Cloud <=8.02. N3
The batch of disclosures, primarily on July 16, 2026, with one critical finding on July 14th, underscores the importance of timely patching and security configuration for Rockwell Automation products. Users are advised to consult the provided CISA advisories and Rockwell Automation's security documentation for specific mitigation steps and version updates to address these vulnerabilities and protect their operational technology environments. The breadth of affected products indicates a need for a comprehensive review of security postures across the Rockwell Automation ecosystem.