Source linked

Critical Rockwell FLEX I/O Bug Lets Anyone Reset the Web Password via HTTP GET

cisa.gov@threat_watch1 hour ago·Cybersecurity·0 comments

CVE-2026-0647 scores a CVSS 9.4 - an unauthenticated attacker can change the embedded web server password with a single crafted HTTP GET request, gaining full control of the adapter.

rockwell automationcisacve 2026 0647icsindustrial control systemsot security

CVSS 9.4 for a password reset that requires nothing more than an HTTP GET request. That's the ugly reality of CVE-2026-0647, a missing-authentication vulnerability in Rockwell Automation's 1794-AENTR and 1794-AENTRXT FLEX I/O EtherNet/IP adapters.

The Flaw That Shouldn't Exist

Rockwell's own advisory admits the embedded web server allows an unauthenticated attacker to change the device's password by sending a crafted HTTP GET to a specific endpoint. No prior login, no session token, no challenge. Just a well-formed request and the attacker owns the web interface. That leads to unauthorized access, account takeover, and effectively a bricked web server for the legitimate operator.

CVE-2026-0646 pairs with it: a denial-of-service bug caused by improper memory handling of CIP protocol requests. A single malformed packet can fault the adapter, dropping the connection to all attached I/O modules. Recovery requires a manual reset on the factory floor. CVSS 7.5, but in a production line every minute of downtime costs real money.

Affected Gear and the Fix

Both vulnerabilities hit the 1794-AENTR and 1794-AENTRXT running firmware version V2.012. Rockwell shipped the fix in version 2.013, detailed in security advisory SD1775. CISA's advisory notes that these devices are deployed worldwide across critical manufacturing sectors. If you have these in a control network, you should treat them as compromised until patched.

No exploitation in the wild reported yet, but the attack surface is trivial. An unauthenticated HTTP GET to change a password is not something that requires nation-state resources; any script kiddie with a Shodan scan could pull it off.

What You Should Do

Update to 2.013 immediately. Also isolate these adapters from any network that touches the internet or untrusted zones. Rockwell's recommended practices line up with CISA's: firewalls, VPNs, and defense-in-depth. But the biggest single action is the firmware update - that closes both doors at once.

This pair of vulnerabilities is a reminder that industrial gear's web interfaces are often an afterthought, and that afterthought can hand an attacker the keys to the plant floor.

Source: Rockwell Automation FLEX I/O EtherNet/IP Adapters
Domain: cisa.gov

Read original source ->

External source stays available while the OJO article and comment thread stay local.

More in Cybersecurity

view topic
Crafted CIP Message Can Crash Rockwell Logix PLCs, No Auth Needed

A denial-of-service vulnerability in Rockwell's CompactLogix and ControlLogix controllers allows remote attackers to trigger a major nonrecoverable fault using a single crafted CIP packet.

Stack Overflow in Rockwell RSLinx Classic Opens Door to Remote Code Execution

CVE-2020-13573 scores 8.7 under CVSS 4.0 and impacts critical infrastructure sectors: manufacturing, energy, food/agriculture, and water/wastewater.

Cloudflare DMARC Management GA Spots SPF Lookup Limits Before Email Breaks

New dashboard surfaces DMARC, SPF, DKIM, and BIMI record status in one view, and includes an SPF lookup audit that catches the silent 10-lookup limit before it causes permerror.

Anthropic's Fable 5 Shutdown Undercuts Cybersecurity Defense

Mozilla and Cloudflare used Anthropic's Mythos and Fable models to find hundreds of vulnerabilities. Now the US has blocked the models for all users.

Comments load interactively on the live page.