CVE-2026-0647

N/A

View CSAF Summary Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access, account takeover, and cause loss of availability. The following versions of R...

Affects 0 products across 1 vendor.

CVSS v48.8
EPSS0.4%
Percentile35th
PatchUnknown
CWE Weakness Definitions
CWE-306: Missing Authentication for Critical Function

Software does not perform any authentication for functionality that requires a verified identity.

◆ SAGE Intelligence — CITED Relevance Research Team

Rockwell Automation FLEX I/O EtherNet/IP Adapters (1794-AENTR and 1794-AENTRXT, firmware V2.012) contain a memory management vulnerability (Missing Release of Memory) that can be exploited to cause loss of availability, unauthorized access, and account takeover. An attacker with network access to the EtherNet/IP adapter can trigger resource exhaustion, potentially crashing or destabilizing the device and disrupting industrial I/O operations. With a CVSS v3 score of 9.4, this is a critical-severity issue in OT environments where FLEX I/O adapters are commonly used in manufacturing and process control systems.

Is this CVE in your environment?

BreachSpider monitors your ICS/OT environment for vulnerabilities like this one. No agents or network access required. Free to start.

Check My Environment →
Frequently Asked Questions
What is CVE-2026-0647?
Rockwell Automation FLEX I/O EtherNet/IP Adapters (1794-AENTR and 1794-AENTRXT, firmware V2.012) contain a memory management vulnerability (Missing Release of Memory) that can be exploited to cause loss of availability, unauthorized access, and account takeover. An attacker with network access to the EtherNet/IP adapter can trigger resource exhaustion, potentially crashing or destabilizing the device and disrupting industrial I/O operations. With a CVSS v3 score of 9.4, this is a critical-severi
Is CVE-2026-0647 actively exploited?
No confirmed active exploitation of CVE-2026-0647 as of 2026-06-24.
How do I remediate CVE-2026-0647?
Vendor advisory references remediation for CVE-2026-0646 and CVE-2026-0647 affecting 1794-AENTR and 1794-AENTRXT V2.012; fixed firmware version not yet publicly confirmed. Monitor Rockwell Automation Security Advisory portal for updated firmware release. Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories.html
What systems are affected by CVE-2026-0647?
CVE-2026-0647 affects: Rockwell Automation.
Vulnerability Details
CVE IDCVE-2026-0647
Published2026-06-16
Last Modified2026-06-16
ICS Relevance70%
Weakness (CWE)
Protocols
SourceNVD
Official Description

View CSAF Summary Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access, account takeover, and cause loss of availability. The following versions of Rockwell Automation FLEX I/O EtherNet/IP Adapters are affected: 1794-AENTR V2.012 (CVE-2026-0646, CVE-2026-0647) 1794-AENTRXT V2.012 (CVE-2026-0646, CVE-2026-0647) CVSS Vendor Equipment Vulnerabilities v3 9.4 Rockwell Automation Rockwell Automation FLEX I/O EtherNet/IP Adapters Missing Release of Memory

Source: NIST NVD / MITRE CVE Database

Affected Products
VendorProductFixed Version
Rockwell Automation —
Remediation

Vendor advisory references remediation for CVE-2026-0646 and CVE-2026-0647 affecting 1794-AENTR and 1794-AENTRXT V2.012; fixed firmware version not yet publicly confirmed. Monitor Rockwell Automation Security Advisory portal for updated firmware release.

View Vendor Advisory →
Threat Intelligence
● Threat Intelligence Validated: July 2026 | Threat Age: 26 Days
CISA KEVNot in KEV catalog
Public ExploitNot confirmed
PoC CodeNot confirmed
● Virtual Patch — CITED Relevance SAGE Engine MEDIUM CONFIDENCE

Deploy rate-limiting and connection-count rules on EtherNet/IP TCP port 44818 and UDP port 2222 at the nearest network perimeter device (industrial firewall or managed switch) facing the FLEX I/O adapters. Block all inbound EtherNet/IP traffic from unauthorized source IPs, and alert on high-frequency connection attempts from any single source to the adapter. Place rules on industrial DMZ firewalls and IDPS sensors monitoring OT network segments.

No reliable network detection signature exists for this vulnerability class — apply the compensating controls above and the vendor patch. SAGE only publishes a network rule when a concrete on-the-wire signature can be grounded in the advisory.

Virtual patch generated by CITED Relevance SAGE. Validate in isolated environment before production deployment. Compensating control only - does not replace vendor patch.

Related CVEs affecting Rockwell Automation
CVE-2017-16740 10.0 A Buffer Overflow issue was discovered in Rockwell Automation Allen-Bradley M... CVE-2012-4715 10.0 Buffer overflow in LogReceiver.exe in Rockwell Automation RSLinx Enterprise C... CVE-2009-3739 10.0 Multiple unspecified vulnerabilities on the Rockwell Automation AB Micrologix... CVE-2016-9343 10.0 An issue was discovered in Rockwell Automation Logix5000 Programmable Automat... CVE-2020-14516 10.0 In Rockwell Automation FactoryTalk Services Platform Versions 6.10.00 and 6.1...
View all Rockwell Automation CVEs →

ICS/OT Vulnerability Intelligence for Your Environment

BreachSpider monitors 353,228 CVEs across ICS/OT vendors. SAGE-enriched alerts with virtual patches, NERC-CIP mapping, and PSIRT contacts delivered to your SIEM in minutes.

Join free →