Two vulnerabilities in Rockwell Automation’s FLEX I/O EtherNet/IP adapters carry a CVSS score of 9.4, underscoring the severity of the flaws and the need for swift action. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) republished Rockwell’s advisory SD1775 on June 16, 2026, amplifying the warning for critical infrastructure operators. The affected devices—the 1794-AENTR and 1794-AENTRXT modules running firmware version 2.012—serve as communication bridges between field devices and higher-level controllers in industrial environments. If exploited, these flaws could let unauthenticated attackers execute malicious code, disrupt operations, or traverse network segments, putting entire production lines at risk.

This development is not an isolated incident but part of a growing pattern of vulnerabilities in industrial Ethernet equipment. The FLEX I/O platform, widely deployed across manufacturing, energy, water treatment, and logistics, is a staple in modern automation. When the adapters that knit these systems together become attack vectors, the blast radius can extend far beyond a single controller. Plant managers and security teams must now scramble to assess their exposure and apply Rockwell’s firmware update before threat actors reverse-engineer the advisories and craft working exploits.

Vulnerability Details

The flaws reside in the firmware of the two EtherNet/IP adapter models (1794-AENTR and 1794-AENTRXT), catalog number variations that differ mainly in temperature rating and connector type. While Rockwell’s advisory did not assign separate CVE identifiers, the pair of issues collectively earned a CVSS v3.1 base score of 9.4, categorized as critical. The vector string points to network-based, low-complexity attacks that require no privileges or user interaction. This means a remote adversary can potentially compromise an adapter by sending specially crafted packets to its IP address, with no authentication necessary.

  • Affected products: 1794-AENTR (standard temperature) and 1794-AENTRXT (extended temperature) FLEX I/O EtherNet/IP adapters, firmware revision 2.012 and earlier.
  • Vulnerability type: Likely stack-based buffer overflow and improper input validation, given their prevalence in similar advisories for embedded IP stacks.
  • Attack surface: The adapter’s EtherNet/IP listener service, typically exposed on TCP/UDP port 44818, is the most common entry point. Other management services such as HTTP (port 80), HTTPS (port 443), or CIP Security may also be involved.
  • Impact: Remote code execution (RCE) with the privilege level of the firmware process, denial of service (DoS) causing adapter reboots or lockups, and potential network lateral movement if the device sits on a flat industrial network.

Without detailed CVE write-ups from Rockwell, security researchers and operators must extrapolate from typical vulnerability classes. Stack-based buffer overflows in industrial protocols remain common, as many legacy implementations were coded in memory-unsafe languages without modern exploit mitigations. The CVSS score of 9.4 aligns with a scenario where an attacker can reliably crash the device or overwrite the instruction pointer, leading to arbitrary code execution.

Technical Breakdown: How the Flaws Could Be Exploited

Industrial control systems (ICS) built on EtherNet/IP inherit the same TCP/IP risks as enterprise networks but add the deterministic, real-time demands of factory-floor communications. The 1794-AENTR adapters manage input/output (I/O) data exchange between programmable logic controllers (PLCs) and field I/O modules over the Common Industrial Protocol (CIP). If a crafted payload triggers a firmware bug, a malformed CIP message can end up being executed rather than parsed, bypassing the adapter’s normal command-handling logic.

An attacker’s kill chain might unfold as follows:
1. Reconnaissance: Scanning internet-facing or poorly segmented corporate-IT/OT gateways for devices responding on port 44818, with HTTP server signatures matching the adapter’s web management page.
2. Weaponization: Constructing a malicious CIP packet that overflows a fixed-length buffer, overwriting the return address to redirect execution to attacker-controlled memory or to a “jmp esp” gadget within the firmware.
3. Delivery: Sending the packet directly to the adapter’s IP address, often achievable through an unprotected network boundary.
4. Exploitation: The adapter’s main loop succumbs to the overflow, landing on shellcode that sets up a reverse shell, disables safety watchdog timers, or modifies I/O mappings.
5. Post-exploitation: Pivoting to the PLC and downstream drives, valves, or sensors, altering process setpoints, deleting logic, or building a persistent backdoor in the adapter’s limited flash storage.

Because these adapters lack host-based intrusion detection or sandboxing, a successful exploit grants near-complete control over the I/O subsystem. In a high-stakes environment like a chemical plant or power substation, this could trigger physical damage, environmental release, or extended downtime. The 9.4 rating reflects not just technical severity but the potential for impactful loss of control and safety system bypass.

CISA’s Role and Why the Advisory Was Republished

CISA routinely reviews and republishes vendor advisories that meet the threshold for ICS security alerts, especially when they concern devices designated as critical infrastructure. The republishing of SD1775 on June 16, 2026, signals that the agency’s ICS-CERT division assessed the FLEX I/O vulnerabilities as having significant potential for exploitation in the wild. While CISA’s original advisory process involves coordinated disclosure with the vendor, the republishing step often occurs when:
- The fix was already available, but asset owners have not patched at scale.
- The technical details are now sufficiently public that working exploits are likely.
- New intelligence suggests active scanning or attempted exploitation.

In the note accompanying the republished advisory, CISA typically includes recommendations to download the latest firmware, deploy network segmentation, and monitor for anomalous traffic on TCP/44818. The agency’s Known Exploited Vulnerabilities (KEV) catalog may also be updated if evidence of real-world exploitation emerges. As of this writing, the FLEX I/O flaws have not been added to the KEV, but the republishing is a strong prod to patch immediately before that designation becomes necessary.

Rockwell Automation’s Mitigation and Available Fixes

Rockwell’s advisory SD1775 details the corrective firmware version that resolves both vulnerabilities. Asset owners should immediately upgrade to firmware revision 3.011 or later for their affected 1794-AENTR and 1794-AENTRXT adapters. The update includes rewrites of the packet parsing routines to include boundary checks and input sanitization.

For organizations unable to apply the firmware immediately, Rockwell and CISA recommend a series of compensatory controls:
- Segment the OT network: Place the adapters in a dedicated, firewalled subnetwork using VLANs or physical segmentation. Restrict access to port 44818 (TCP/UDP) to only the necessary PLCs and engineering workstations.
- Disable unused services: If the adapter’s web interface (HTTP/HTTPS) or EtherNet/IP services are not required, disable them via configuration.
- Enable CIP Security: Where supported, implement CIP Security for authentication and data integrity; however, older adapters may lack this capability.
- Restrict physical access: Prevent unauthorized personnel from connecting directly to the adapter’s Ethernet ports.
- Monitor traffic: Deploy anomaly-based OT-specific intrusion detection systems (IDS) to flag malformed CIP messages or unexpected scan activities.
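As an added illustration of the structural checks such a monitor can apply to traffic on TCP/UDP 44818 (example code written for this article, not from Rockwell Automation, CISA or any IDS product), the Python below validates the 24-byte EtherNet/IP encapsulation header of request frames bound for an adapter: declared length versus actual payload, known command codes, the four-byte RegisterSession body, and a session handle on SendRRData/SendUnitData. The MAX_PAYLOAD ceiling and the sample frames are constructed assumptions; the header layout and command codes are those of the EtherNet/IP specification.

```python
# Added example for this article: sanity checks on EtherNet/IP encapsulation
# request frames (TCP/UDP 44818) of the kind an OT IDS rule could apply.
# Not code from Rockwell Automation or CISA; the sample frames and the
# MAX_PAYLOAD ceiling are constructed assumptions.
import struct

ENIP_HEADER_LEN = 24
# Encapsulation header: command, length, session handle, status,
# sender context (8 bytes), options; all little-endian per the spec.
ENIP_HEADER_FMT = "<HHII8sI"

# Encapsulation commands defined by the EtherNet/IP specification.
KNOWN_COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}
REGISTER_SESSION, LIST_IDENTITY = 0x0065, 0x0063
NO_PAYLOAD_REQUESTS = {0x0004, 0x0063, 0x0064}
SESSION_REQUIRED = {0x006F, 0x0070}

# Site-specific ceiling (assumption): I/O traffic on a FLEX I/O segment is
# small, so a declared payload anywhere near the 65511-byte maximum is suspect.
MAX_PAYLOAD = 1400


def parse_header(frame: bytes):
    """Unpack the encapsulation header, or return None if the frame is too short."""
    if len(frame) < ENIP_HEADER_LEN:
        return None
    return struct.unpack(ENIP_HEADER_FMT, frame[:ENIP_HEADER_LEN])


def check_request(frame: bytes) -> list[str]:
    """Return reasons a request frame bound for an adapter looks malformed.

    An empty list means every check passed. The checks are structural
    (header consistency), which is what a passive sensor can judge without
    knowing the specific firmware bug.
    """
    header = parse_header(frame)
    if header is None:
        return [f"truncated header ({len(frame)} of {ENIP_HEADER_LEN} bytes)"]
    cmd, length, session, status, _context, options = header
    payload = frame[ENIP_HEADER_LEN:]
    reasons = []
    if cmd not in KNOWN_COMMANDS:
        reasons.append(f"unknown encapsulation command 0x{cmd:04x}")
    if length != len(payload):
        reasons.append(f"length field {length} does not match payload size {len(payload)}")
    if length > MAX_PAYLOAD:
        reasons.append(f"declared payload {length} exceeds site ceiling {MAX_PAYLOAD}")
    if status != 0:
        reasons.append(f"request carries non-zero status 0x{status:08x}")
    if options != 0:
        reasons.append(f"non-zero options field 0x{options:08x}")
    if cmd == REGISTER_SESSION and len(payload) != 4:
        reasons.append(f"RegisterSession payload is {len(payload)} bytes, expected 4")
    if cmd in NO_PAYLOAD_REQUESTS and payload:
        reasons.append(f"{KNOWN_COMMANDS[cmd]} request should carry no payload")
    if cmd in SESSION_REQUIRED and session == 0:
        reasons.append(f"{KNOWN_COMMANDS[cmd]} sent without a registered session handle")
    return reasons


def scan_capture(frames: dict[str, bytes]) -> dict[str, list[str]]:
    """Run check_request over named frames; return only those with findings."""
    alerts = {}
    for name, frame in frames.items():
        reasons = check_request(frame)
        if reasons:
            alerts[name] = reasons
    return alerts


def build_frame(cmd, payload=b"", session=0, declared_length=None):
    """Construct a sample frame; declared_length lets a sample lie about its length."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack(ENIP_HEADER_FMT, cmd, length, session, 0, b"\x00" * 8, 0) + payload


# Constructed sample capture (not real traffic): two well-formed requests and
# three frames a sensor should flag.
SAMPLE_FRAMES = {
    "register_session": build_frame(REGISTER_SESSION, struct.pack("<HH", 1, 0)),
    "list_identity": build_frame(LIST_IDENTITY),
    "length_mismatch": build_frame(0x006F, b"A" * 30, session=0x1234, declared_length=0x0800),
    "unknown_command": build_frame(0x00FF, b"\x00" * 8),
    "truncated": b"\x65\x00",
}

if __name__ == "__main__":
    for name, reasons in scan_capture(SAMPLE_FRAMES).items():
        print(f"ALERT {name}: {'; '.join(reasons)}")
```

In a deployment the frames would come from a SPAN port or pcap feed rather than the constructed dictionary; the point is that a length field that disagrees with the bytes on the wire, or a data-carrying command sent before any session is registered, is cheap to spot and is exactly the shape of input a parser bug is most often triggered with.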

A key supply-chain risk persists: some FLEX I/O modules shipped before the fix may remain in inventory at distributors or already installed in machines that are offline or poorly inventoried. A concerted asset discovery effort is essential to locate every vulnerable adapter, especially those in remote substations, packaged skids, or temporary test rigs.

The Wider OT Security Picture

Industrial Ethernet adapters have become a focal point for cyber threats as legacy serial interfaces give way to IP-based connectivity. The FLEX I/O platform, introduced years ago, illustrates how long-lived industrial hardware can outpace security updates. While Rockwell has been proactive in hardening its newer products, the embedded nature of these adapters—with limited CPU, memory, and update mechanisms—leaves them susceptible to bugs that a modern OS would block with DEP, ASLR, or stack canaries.

The CVSS 9.4 rating places these vulnerabilities on par with the infamous Ripple20 and URGENT/11 flaws that shook the OT world in recent years. The common thread is fragility in the protocol stacks shared across countless device families. When such a flaw is disclosed, it not only affects Rockwell’s adapters but potentially any third-party EtherNet/IP stack derivative used in other manufacturers’ equipment. This systemic risk underscores why industrial cybersecurity demands a holistic, defense-in-depth approach rather than a simple “patch and forget” mentality.

A 2025 survey by the SANS Institute revealed that 67% of OT security incidents in the manufacturing sector involved unpatched firmware vulnerabilities. The average time to patch a known critical flaw in an industrial environment exceeds 200 days, a gap that adversaries eagerly exploit. Republishing of advisories like SD1775 serves as a forced reminder to asset owners who might otherwise postpone updates to the next scheduled maintenance window.

Given the criticality, organizations using the 1794-AENTR and 1794-AENTRXT should follow a structured remediation workflow:

Step | Action | Priority | Timeline
1 | Inventory all FLEX I/O adapters and record firmware versions | Immediate | 1 business day
2 | Isolate vulnerable adapters behind firewalls with deny-all policies except necessary control traffic | Immediate | Within hours
3 | Review network diagrams to confirm segmentation between IT, OT, and DMZ | High | Within 1 week
4 | Download and test firmware v3.011 in a non-production environment | High | 1-2 weeks
5 | Schedule a maintenance window to upgrade all affected adapters | Immediate planning | 2-4 weeks
6 | Monitor for exploitation attempts post-patch | Ongoing | Continuous
7 | Conduct a penetration test focusing on the EtherNet/IP infrastructure | High | 1-3 months

By following this playbook, plant operators can dramatically reduce their exposure even before a patch is applied. The critical first step—asset discovery—often trips up organizations that have merged, deployed third-party machines, or lost documentation over the years. A network scan using passive fingerprinting techniques can reveal the type and version of adapters without disturbing active production traffic.
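One form that passive fingerprinting can take, as an added example that is not Rockwell's or CISA's code: devices answer ListIdentity with a CIP Identity item that carries vendor ID, device type, product code, firmware revision, serial number and product name, so replies captured from a SPAN port can be parsed into an inventory without sending a single packet. The Python below does that parsing and flags Rockwell adapters whose product name starts with 1794-AENTR and whose revision is below the 3.011 fix the advisory cites. The sample replies, IP addresses, product codes, serial numbers and the non-Rockwell device are constructed placeholders; the item layout and the vendor ID of 1 for Rockwell Automation/Allen-Bradley are from the EtherNet/IP and CIP specifications.

```python
# Added example for this article: passive inventory of EtherNet/IP devices from
# captured ListIdentity responses, flagging FLEX I/O adapters below the fixed
# revision the advisory cites. Not Rockwell or CISA code; the sample replies,
# addresses, product codes and serial numbers are constructed placeholders.
import struct

ENIP_HEADER_LEN = 24
LIST_IDENTITY = 0x0063
CIP_IDENTITY_ITEM = 0x000C           # item type carried in a ListIdentity reply
ROCKWELL_VENDOR_ID = 1               # ODVA vendor ID for Rockwell Automation/Allen-Bradley
AFFECTED_PREFIXES = ("1794-AENTR",)  # matches 1794-AENTR and 1794-AENTRXT
FIXED_REVISION = (3, 11)             # firmware 3.011, the fix revision cited on this page


def parse_list_identity(frame: bytes):
    """Parse one ListIdentity response; return identity fields or None if malformed."""
    if len(frame) < ENIP_HEADER_LEN:
        return None
    cmd, length = struct.unpack_from("<HH", frame, 0)
    body = frame[ENIP_HEADER_LEN:]
    if cmd != LIST_IDENTITY or length != len(body) or len(body) < 6:
        return None
    item_count, type_id, item_len = struct.unpack_from("<HHH", body, 0)
    item = body[6:6 + item_len]
    if item_count < 1 or type_id != CIP_IDENTITY_ITEM or len(item) != item_len or item_len < 34:
        return None
    # Identity item layout: protocol version (2, LE), socket address (16: big-endian
    # sin_family/sin_port/sin_addr + 8 zero bytes), then the CIP Identity attributes.
    _sin_family, sin_port, sin_addr = struct.unpack_from(">hHI", item, 2)
    (vendor, device_type, product_code, rev_major, rev_minor,
     status, serial, name_len) = struct.unpack_from("<HHHBBHIB", item, 18)
    if len(item) < 34 + name_len:
        return None
    name = item[33:33 + name_len].decode("ascii", errors="replace")
    state = item[33 + name_len]
    return {
        "ip": ".".join(str(b) for b in sin_addr.to_bytes(4, "big")),
        "port": sin_port,
        "vendor_id": vendor,
        "device_type": device_type,
        "product_code": product_code,
        "revision": (rev_major, rev_minor),
        "revision_str": f"{rev_major}.{rev_minor:03d}",
        "status": status,
        "serial": f"{serial:08X}",
        "product_name": name,
        "state": state,
    }


def needs_update(ident: dict) -> bool:
    """True for a Rockwell FLEX I/O EtherNet/IP adapter running firmware below 3.011."""
    return (ident["vendor_id"] == ROCKWELL_VENDOR_ID
            and ident["product_name"].startswith(AFFECTED_PREFIXES)
            and ident["revision"] < FIXED_REVISION)


def inventory(replies: list[bytes]) -> list[dict]:
    """Turn captured ListIdentity replies into inventory rows with a needs_update flag."""
    rows = []
    for frame in replies:
        ident = parse_list_identity(frame)
        if ident is not None:
            ident["needs_update"] = needs_update(ident)
            rows.append(ident)
    return rows


def build_identity_reply(ip, vendor, device_type, product_code, revision, serial, name, state=3):
    """Construct a ListIdentity reply for the sample capture (mirrors the layout parsed above)."""
    addr = int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")
    sockaddr = struct.pack(">hHI", 2, 44818, addr) + b"\x00" * 8
    item = (struct.pack("<H", 1) + sockaddr
            + struct.pack("<HHHBBHIB", vendor, device_type, product_code,
                          revision[0], revision[1], 0x0030, serial, len(name))
            + name.encode("ascii") + bytes([state]))
    body = struct.pack("<HHH", 1, CIP_IDENTITY_ITEM, len(item)) + item
    header = struct.pack("<HHII8sI", LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0)
    return header + body


# Constructed capture: addresses, product codes, serials and the non-Rockwell
# device (vendor 0x7777) are placeholders, not real identities.
SAMPLE_REPLIES = [
    build_identity_reply("10.1.5.21", ROCKWELL_VENDOR_ID, 0x0C, 9001, (2, 12), 0x00A1B2C3, "1794-AENTR"),
    build_identity_reply("10.1.5.22", ROCKWELL_VENDOR_ID, 0x0C, 9002, (3, 11), 0x00A1B2C4, "1794-AENTRXT"),
    build_identity_reply("10.1.5.40", 0x7777, 0x0E, 42, (2, 12), 0x12345678, "OtherVendorPLC"),
    b"\x63\x00\x00",  # truncated frame, skipped by the parser
]

if __name__ == "__main__":
    for row in inventory(SAMPLE_REPLIES):
        flag = "UPDATE" if row["needs_update"] else "ok"
        print(f"{row['ip']:<12} {row['product_name']:<16} rev {row['revision_str']}  {flag}")
```

Feeding real replies into inventory() is a matter of extracting UDP/TCP 44818 payloads from a capture (a pcap library such as scapy is one option; that is an assumption of the deployment, not something the code above depends on). Matching on the product-name prefix rather than on product codes keeps the check honest where the exact catalog codes are not known; the revision comparison uses (major, minor) tuples so that 2.012 sorts below 3.011 correctly.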

Conclusion and Forward Look

The republishing of Rockwell Automation advisory SD1775 with a CVSS 9.4 severity is a clear signal that the window of safe operation is closing. Industrial asset owners cannot rely on security through obscurity or air gaps that no longer exist in today’s hyperconnected plants. The two flaws in the FLEX I/O EtherNet/IP adapters highlight a broader industry challenge: maintaining secure code in deeply embedded, long-lived operational technology.

As manufacturers increasingly demand remote access, analytics, and IT/OT convergence, the attack surface of devices like the 1794-AENTR will only expand. The good news is that the firmware fix is available and straightforward to deploy. The hard work is in finding every device, securing the surrounding network, and establishing processes to rapidly absorb future industrial security advisories. Complacency is the real enemy here—and at a CVSS of 9.4, there is no room for delay.