How is CVE-2026-0646 exploited?

Network reachability (required): The attacker must be able to reach the adapter's EtherNet/IP service over the network; any host with network access to the adapter is a potential source of exploit traffic. Authentication (not-required): No credentials or account of any privilege level are needed to send the malformed CIP requests that trigger the fault. Victim interaction (not-required): The adapter processes incoming CIP requests autonomously; no operator or user action is required to trigger the vulnerability. Attack complexity (info): Exploit conditions are straightforward and reliable - no race conditions, specific memory layout, or environmental dependencies are required to trigger the fault.

What is the impact of CVE-2026-0646?

Crashes the 1794-AENTR adapter, taking it offline and dropping all communication with its attached I/O modules. Severs real-time control signals between the adapter and connected I/O devices, disrupting any process or machinery dependent on those signals. Requires a manual, physical reset of the adapter to restore operation, extending downtime beyond the initial crash.

Back to search

HIGHCVE-2026-0646Published 2026-06-16Modified 2026-06-16CNA Rockwell

CVE-2026-0646: Rockwell Automation FLEX I/O Dual-port EtherNet/IP Adapters – Multiple Vulnerabilities

A denial-of-service security issue exists within the 1794-AENTR adapter due to improper memory handling of CIP protocol requests. This vulnerability can result in the adapter faulting and losing connection to its associated I/O modules, requiring a manual reset to recover.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in the Rockwell Automation FLEX I/O 1794-AENTR EtherNet/IP adapter, caused by improper memory handling of CIP (Common Industrial Protocol) protocol requests. The vulnerability is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable by any host that can reach the adapter. Successful exploitation crashes the adapter and severs its connection to all attached I/O modules, requiring a manual reset to restore operation. No fix version has been published; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment upstream releases one.

HarborGuard Coverage

Detection

Detection of CVE-2026-0646 is available across every HarborGuard environment - the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the affected adapter firmware or management tooling at version 2.012.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 8.7 (HIGH) and weighting it against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

Because no upstream fix version exists for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Rockwell publishes a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix is available.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must be able to reach the adapter's EtherNet/IP service over the network; any host with network access to the adapter is a potential source of exploit traffic.
AuthenticationNot required
No credentials or account of any privilege level are needed to send the malformed CIP requests that trigger the fault.
Victim interactionNot required
The adapter processes incoming CIP requests autonomously; no operator or user action is required to trigger the vulnerability.
Attack complexityDetail
Exploit conditions are straightforward and reliable - no race conditions, specific memory layout, or environmental dependencies are required to trigger the fault.

Blast Radius

Crashes the 1794-AENTR adapter, taking it offline and dropping all communication with its attached I/O modules.
Severs real-time control signals between the adapter and connected I/O devices, disrupting any process or machinery dependent on those signals.
Requires a manual, physical reset of the adapter to restore operation, extending downtime beyond the initial crash.

How HarborGuard Handles This

Available on HarborGuard: detection and advisory monitoring for CVE-2026-0646 are active for all connected customer environments. Because Rockwell Automation has not yet published a remediated firmware or software version, there is currently no patched image to build from. HarborGuard will re-evaluate the advisory on every ingest cycle and make a patched-image rebuild available automatically once an upstream fix is released; for customers with auto-remediation enabled, the rebuild, regression run, and PR flow will trigger without manual steps. In the interim, compensating controls worth considering include network-policy rules that restrict CIP traffic to known, authorized sources only; isolating the adapter segment behind an industrial firewall or unidirectional gateway; and enabling any available rate-limiting or connection-filtering features on intervening switches to reduce the adapter's exposure to unsolicited CIP requests.

See how HarborGuard automates this

Affected packages

Rockwell Automation / FLEX I/O EtherNet/IP Adapters
2.012

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

rockwellautomation.com

Metrics

Get notified