Rockwell Automation Flex 5000 Adapter Vulnerable to Denial-of-Service
A double-free vulnerability in Rockwell Automation's Flex 5000 Adapter could allow attackers to cause a denial-of-service condition, requiring a module power cycle for recovery.

Rockwell Automation's Flex 5000 Adapter, specifically version 6.011, has been identified as vulnerable to a critical denial-of-service (DoS) flaw, according to a recent advisory from CISA.
The vulnerability, cataloged as CVE-2026-12659, stems from an improper handling of exceptional conditions when processing crafted CIP (Common Industrial Protocol) packets. This flaw is described as a "double-free" vulnerability, a type of memory corruption issue where a program attempts to free a memory location that has already been freed, leading to instability and potential crashes.
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to disrupt the normal operation of the affected adapter. The impact of such an attack would be a denial-of-service condition, rendering the module and its associated input/output (I/O) inoperable. Recovery from this state requires a manual power cycle of the affected module.
The affected product is the Rockwell Automation Flex 5000 Adapter, version 6.011. This product is deployed globally across critical infrastructure sectors, including critical manufacturing and information technology, highlighting the potential widespread impact of this vulnerability.
Rockwell Automation has released a patch for this vulnerability, recommending users upgrade to version 6.012 of the Flex 5000 Adapter. For organizations unable to immediately apply the update, Rockwell Automation provides security best practices and a specific security advisory (SD1789) with mitigation guidance.
The Common Vulnerabilities and Exposures (CVE) scoring for this vulnerability indicates a high severity. The CVSS v3.1 score is 7.5 (HIGH), with a vector string indicating network accessibility, low complexity, no privileges required, and no user interaction needed for exploitation, leading to a complete loss of availability. The CVSS v4.0 score is 8.7 (HIGH).
CISA recommends that organizations minimize network exposure for all control system devices, isolate them behind firewalls, and use secure remote access methods like VPNs. While no public exploitation has been reported at this time, proactive patching and adherence to security best practices are crucial for protecting industrial control systems.
This advisory serves as a reminder of the ongoing security challenges within the industrial control systems (ICS) landscape, where vulnerabilities in widely deployed hardware can have significant operational consequences.