CVE-2026-0647 et al. — Rockwell Automation FLEX I/O unauthenticated password reset (9.4) and Logix CIP DoS, flagged by NCSC-CH

Rockwell disclosed five ICS CVEs on 2026-06-16, consolidated by NCSC-CH on 2026-06-17 and CISA ICS-CERT, headlined by an unauthenticated FLEX I/O password reset (CVE-2026-0647, 9.4) and Logix CIP denial-of-service flaws (CISA ICS-CERT ICSA-26-167-05; NCSC-CH Security Hub; daily 06-18). Directly relevant to Swiss/EU energy, water and manufacturing OT operators. Patch on the OT change-management cycle and verify these controllers are not reachable from IT networks.