Rockwell Automation FLEX I/O EtherNet/IP Adapters
Plan Patch | CVSS 9.4 | ICS-CERT ICSA-26-167-05 | Jun 16, 2026
Rockwell Automation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Rockwell Automation FLEX I/O EtherNet/IP adapters contain vulnerabilities in authentication and input validation that allow remote attackers to gain unauthorized access without credentials, potentially taking over accounts and causing loss of availability. The 1794-AENTR and 1794-AENTRXT models are affected; all versions of dual-port EtherNet/IP adapters lack vendor patches.
What this means
What could happen
An attacker with network access to an EtherNet/IP adapter could gain unauthorized control of the device, potentially taking over engineering credentials and causing process disruptions or shutdown of FLEX I/O modules in your facility.
Who's at risk
Water authorities and municipal electric utilities using Rockwell Automation FLEX I/O modules with EtherNet/IP adapters in remote terminal units (RTUs), programmable logic controllers (PLCs), or distributed I/O systems should assess their use immediately. This affects equipment in treatment plants, pump stations, substations, and distributed control nodes.
How it could be exploited
An attacker sends a crafted network packet to the EtherNet/IP adapter on port 44818 without needing any credentials. The adapter mishandles the request due to improper input validation or missing authentication checks, allowing the attacker to execute commands or modify device settings remotely.
Prerequisites
- Network access to the EtherNet/IP adapter on its standard port (44818 or configured EtherNet/IP port)
- The adapter must be reachable from an untrusted network segment or the internet
Tags: remotely exploitable, no authentication required, low complexity, high CVSS 9.4 score, critical severity, affects I/O control devices
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (3)
2 pending, 1 EOL
Product | Affected Versions | Fix Status
1794-AENTR: V2.012 | V2.012 | No fix yet
1794-AENTRXT: V2.012 | V2.012 | No fix yet
FLEX I/O Dual-port EtherNet/IP Adapters | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to EtherNet/IP adapters at the firewall or network switch level; allow only trusted engineering workstations and the PLC they serve
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
HOTFIX: Update 1794-AENTR adapters to firmware version 2.013 or later
HOTFIX: Update 1794-AENTRXT adapters to firmware version 2.013 or later
Mitigations - no patch available
FLEX I/O Dual-port EtherNet/IP Adapters has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate FLEX I/O EtherNet/IP adapters on a separate network segment (VLAN) that does not allow direct access from corporate or untrusted networks
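One way to check that the access restriction above is actually in effect, as an added example that is not part of the advisory or any vendor tooling: a Python audit over firewall flow records that flags any source outside the allowlist reaching an adapter on port 44818. The adapter addresses, allowlist, and log format are constructed assumptions to be replaced with site values.

```python
import ipaddress

ENIP_PORT = 44818  # EtherNet/IP port named in the advisory; override if reconfigured

# Assumed site values (constructed for this example).
ADAPTERS = {ipaddress.ip_address(a) for a in ("10.20.1.11", "10.20.1.12")}
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.1.5/32", "10.20.9.0/28")]

# Constructed flow records: "timestamp src_ip dst_ip dst_port proto action"
SAMPLE_FLOWS = """\
2026-06-17T08:00:01Z 10.20.1.5 10.20.1.11 44818 tcp allow
2026-06-17T08:00:07Z 10.20.9.3 10.20.1.12 44818 tcp allow
2026-06-17T08:01:12Z 10.50.4.77 10.20.1.11 44818 tcp allow
2026-06-17T08:01:30Z 198.51.100.23 10.20.1.12 44818 tcp deny
2026-06-17T08:02:02Z 10.50.4.77 10.20.1.11 443 tcp allow
malformed line here
2026-06-17T08:03:40Z 10.50.4.77 10.20.1.12 44818 udp allow
"""

def audit_flows(text, adapters=ADAPTERS, allowed=ALLOWED_SOURCES, port=ENIP_PORT):
    """Return (violations, blocked, skipped).

    violations: permitted flows to an adapter's EtherNet/IP port from a
                source outside the allowlist (the restriction has a gap).
    blocked:    the same kind of flow, but denied (the control is working).
    skipped:    count of lines that could not be parsed.
    """
    violations, blocked, skipped = [], [], 0
    for line in text.splitlines():
        try:
            ts, src, dst, dport, proto, action = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:  # wrong field count, bad IP, or bad port
            skipped += 1
            continue
        if dst not in adapters or dport != port:
            continue  # not traffic to an adapter's EtherNet/IP port
        if any(src in net for net in allowed):
            continue  # trusted engineering workstation or serving PLC
        record = (ts, str(src), str(dst), proto)
        (violations if action == "allow" else blocked).append(record)
    return violations, blocked, skipped

if __name__ == "__main__":
    violations, blocked, skipped = audit_flows(SAMPLE_FLOWS)
    for v in violations:
        print("ALLOWED from non-allowlisted source:", *v)
    print(f"{len(blocked)} blocked attempt(s), {skipped} unparsed line(s)")
```

Any entry in the violations list means the firewall or switch ACL still permits an untrusted source to reach the adapter and should be tightened.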
CVEs (2)