How is CVE-2026-0647 exploited?

Network reachability (required): The attacker must reach the adapter's embedded web server over the network; the vulnerable endpoint is exposed via standard HTTP on the device's network interface. Authentication (not-required): No credentials are needed; the vulnerable endpoint accepts the password-change request without any prior authentication check. Victim interaction (not-required): No user action is required; the attacker sends a single crafted HTTP GET request directly to the device. Attack complexity (info): Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites are needed to trigger the vulnerability.

What is the impact of CVE-2026-0647?

Attacker replaces the web interface password, immediately locking out all legitimate administrators from the device's management console. Attacker gains full control of the embedded web server interface, enabling configuration changes to the 1794-AENTR adapter. Availability of the device's web management interface is lost for legitimate users for as long as the attacker controls the password. Unauthorized access to adapter settings raises risk of operational disruption to the connected FLEX I/O modules managed through this adapter.

Back to search

HIGHCVE-2026-0647Published 2026-06-16Modified 2026-06-16CNA Rockwell

CVE-2026-0647: Rockwell Automation FLEX I/O Dual-port EtherNet/IP Adapters – Multiple Vulnerabilities

An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server. The vulnerability allows an unauthenticated attacker to change the device's web interface password by sending a crafted HTTP GET request to a specific endpoint, without any prior authentication being required. If exploited, this could lead to unauthorized access, account takeover, and loss of the device’s embedded web server’s availability.

CVSS v4.0: 8.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An improper authentication vulnerability exists in the embedded web server of the Rockwell Automation FLEX I/O 1794-AENTR EtherNet/IP adapter. The flaw is reachable over the network without any credentials, and an attacker can exploit it by sending a single crafted HTTP GET request to a specific endpoint. Successful exploitation lets an attacker change the device's web interface password, locking out legitimate users and taking full control of the web management interface. HarborGuard is tracking this advisory for patch availability, as no fix version has been published by Rockwell Automation.

HarborGuard Coverage

Detection

Detection of CVE-2026-0647 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and build pipelines, including custom-built images that embed or bundle the affected adapter firmware components.

Available

Triage

HarborGuard is capable of scoring this CVE at 8.8 HIGH using the CVSS v4.0 vector and weighting it against each customer environment's compliance policy, then routing the finding to the appropriate team inbox within the customer org.

Available

Patch

Because no fix version has been published by Rockwell Automation, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, compensating controls such as network-policy isolation of the affected adapter's management interface are surfaced in the finding detail.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the adapter's embedded web server over the network; the vulnerable endpoint is exposed via standard HTTP on the device's network interface.
AuthenticationNot required
No credentials are needed; the vulnerable endpoint accepts the password-change request without any prior authentication check.
Victim interactionNot required
No user action is required; the attacker sends a single crafted HTTP GET request directly to the device.
Attack complexityDetail
Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites are needed to trigger the vulnerability.

Blast Radius

Attacker replaces the web interface password, immediately locking out all legitimate administrators from the device's management console.
Attacker gains full control of the embedded web server interface, enabling configuration changes to the 1794-AENTR adapter.
Availability of the device's web management interface is lost for legitimate users for as long as the attacker controls the password.
Unauthorized access to adapter settings raises risk of operational disruption to the connected FLEX I/O modules managed through this adapter.

How HarborGuard Handles This

Available on HarborGuard: because Rockwell Automation has not yet published a fix for CVE-2026-0647, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment an upstream fix is published. For customers with auto-remediation enabled, that rebuild will trigger a regression run and open a PR against affected workloads without manual intervention. While no patch exists, HarborGuard surfaces compensating-control recommendations in the finding detail, including network-policy rules to restrict access to the adapter's HTTP management port to trusted management hosts only, egress filtering to limit lateral reachability of the adapter, and feature-flag or firewall-based gating of the web interface where the operational environment permits. Customers whose compliance policy flags unpatched HIGH-severity findings will see this CVE routed automatically to the appropriate team inbox for manual review and interim control implementation.

See how HarborGuard automates this

Affected packages

Rockwell Automation / FLEX I/O EtherNet/IP Adapters
2.012

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

References

rockwellautomation.com

Metrics

Get notified