Rockwell patches critical 1794-AENTR and AENTRXT flaws
The ugly part is not the CVSS score; it is unauthenticated password change on production I/O gear.
TL;DR
CISA republished Rockwell Automation advisory SD1775 for two FLEX I/O EtherNet/IP Adapter vulnerabilities affecting 1794-AENTR and 1794-AENTRXT v2.012. CVE-2026-0647 lets an unauthenticated attacker change the embedded web interface password with a crafted HTTP GET request; CVE-2026-0646 can fault the adapter and disconnect I/O modules until manual reset. Rockwell recommends updating to v2.013, but the advisory does not say what the deployment window looks like for running plants.
For defense contractors and primes running Rockwell FLEX I/O EtherNet/IP adapters in critical manufacturing environments, this is a patch-planning item with a real operations tail. CVE-2026-0647 carries a CVSS v3.1 score of 9.4 because the embedded web server accepts an unauthenticated crafted HTTP GET request that can change the device's web interface password, creating unauthorized access and account-takeover risk. CVE-2026-0646 is scored lower under CVSS v3.1 at 7.5, but its practical effect is familiar OT pain: improper memory handling of CIP requests can fault the 1794-AENTR adapter, sever its connection to associated I/O modules, and require manual reset to recover.
Rockwell's fix is firmware v2.013 for affected 1794-AENTR and 1794-AENTRXT v2.012 devices. CISA's standard advice still applies: keep control-system devices off the internet, isolate control networks from business networks, use current remote-access tooling, and run impact analysis before making defensive changes. The advisory also says CISA has no reports of known public exploitation targeting these CVEs. What it does not answer is the question the plant engineer actually has to schedule: whether the firmware move can happen cleanly in-place, or whether the remediation becomes a production-window negotiation.
Published ·Deep Fathom