High

Unauthenticated Password Change in Rockwell Automation 1794-AENTR/1794-AENTRXT Embedded Web Server

IdentifiersCVE-2026-0647CWE-306· Missing Authentication for…

CVE-2026-0647 is an improper authentication vulnerability in the embedded web server of Rockwell Automation FLEX I/O EtherNet/IP adapters 1794-AENTR and 1794-AENTRXT. The flaw allows an unauthenticated attacker to send a crafted HTTP GET request to a specific web endpoint and change the device’s web interface password without prior authentication. The issue is described as missing authentication for a critical function in the password-change path of the embedded management interface. Affected versions identified in the provided content include firmware version 2.012, and Rockwell indicates the issue is fixed in firmware version 2.013.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to reset or change the web interface password on the affected adapter without credentials. This can result in unauthorized administrative access to the embedded web server, account takeover of the management interface, and denial of access for legitimate operators or engineers. The provided content also states that exploitation can cause loss of availability of the device’s embedded web server.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to the FLEX I/O web interface to trusted hosts only, minimize network exposure, ensure the devices are not reachable from the public internet, place control system networks behind firewalls and isolate them from business networks, and use secure remote access methods such as updated VPNs. The provided content also recommends restricting EtherNet/IP and related management services to trusted systems as an interim control.

Remediation

Patch, then assume compromise.

Upgrade affected 1794-AENTR and 1794-AENTRXT adapters to firmware version 2.013, which Rockwell Automation states fixes CVE-2026-0647.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Rockwell Automation1794-Aentrhardware

Rockwell AutomationFlex I.O. Ethernet.Ip Adaptershardware

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

security online infoNews

Jun 19, 2026

Rockwell Automation Vulnerabilities: FactoryTalk, FLEX I/O

A critical vulnerability in Rockwell Automation FLEX I/O 1794-AENTR and 1794-AENTRXT dual-port EtherNet/IP adapters that allows an unauthenticated attacker to change the device web interface password and potentially seize the account.

cvefeed high severityNews

Jun 16, 2026

CVE-2026-0647 - Rockwell Automation FLEX I/O Dual-port EtherNet/IP Adapters - Multiple Vulnerabilities

An improper authentication vulnerability in the Rockwell Automation 1794-AENTR adapter embedded web server that allows an unauthenticated attacker to change the web interface password via a crafted HTTP GET request, potentially causing unauthorized access, account takeover, and availability impact.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-0647

NVD

nvd.nist.gov/vuln/detail/CVE-2026-0647

MITRE CWE · CWE-306

Missing Authentication for Critical Function

rockwellautomation.com

rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1775.html