CVE-2026-0647 et al. — Rockwell Automation FLEX I/O unauthenticated password reset (CVSS 9.4) and Logix CIP denial-of-service, flagged by NCSC-CH

Rockwell Automation disclosed five ICS CVEs on 2026-06-16, consolidated by NCSC-CH on 2026-06-17 (NCSC-CH Security Hub, 2026-06-17). CVE-2026-0647 (CVSS 9.4) lets an unauthenticated attacker reset the admin password on 1794-AENTR / 1794-AENTRXT FLEX I/O EtherNet/IP adapters (firmware ≤ V2.012) by sending a crafted HTTP GET to the adapter's embedded web server, enabling full takeover and I/O disruption (T0866) (CISA ICS-CERT, 2026-06-16). Companion CVE-2026-0646 (CVSS 7.5) is a CIP-handling DoS on the same adapter requiring a manual reset; CVE-2026-11317 (CVSS 7.5) causes a major non-recoverable fault on CompactLogix/ControlLogix 5370/5570 controllers via a crafted CIP message, requiring a full program download to recover (T0814) (CISA ICS-CERT, 2026-06-16); and CVE-2025-13036 (CVSS 7.7) is an authentication bypass in FactoryTalk Historian Site Edition. FLEX I/O fixes ship in firmware 2.013 (Rockwell SD1775); exploitation status is unknown for all. Where firmware cannot be applied immediately, restrict CIP and HTTP/HTTPS access to these devices to engineering workstations via OT segmentation.