Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network GET to a password-change endpoint gives PR:N/UI:N/AC:L; takeover yields I:H/A:H, with C:L reflecting limited direct data disclosure from the primitive itself.
Primary rating from Vendor (Rockwell).
CVSS VectorVendor: Rockwell
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server. The vulnerability allows an unauthenticated attacker to change the device's web interface password by sending a crafted HTTP GET request to a specific endpoint, without any prior authentication being required. If exploited, this could lead to unauthorized access, account takeover, and loss of the device’s embedded web server’s availability.
AnalysisAI
Unauthenticated password change in Rockwell Automation 1794-AENTR Flex I/O EtherNet/IP adapter's embedded web server allows remote attackers to overwrite the web interface password via a crafted HTTP GET request to a specific endpoint, enabling full account takeover of the industrial device. The flaw, reported by Rockwell and tracked as CVE-2026-0647 with a CVSS 4.0 base score of 8.8, has no public exploit identified at time of analysis but is trivially exploitable given no authentication, no user interaction, and low attack complexity over the network.
Technical ContextAI
The affected device is the Rockwell Automation 1794-AENTR Flex I/O EtherNet/IP communications adapter (CPE cpe:2.3:a:rockwell_automation:flex_i/o_ethernet/ip_adapters:*), an industrial network adapter that bridges Flex I/O modules to EtherNet/IP networks commonly deployed in OT and ICS environments. The underlying weakness is CWE-306 (Missing Authentication for Critical Function): the embedded web server exposes a password-change endpoint that processes HTTP GET requests without verifying the requester's identity or existing credentials, meaning the credential-management function - which should be gated by authentication - is reachable by any network peer. Because the password change is triggered via GET, it is also potentially susceptible to off-path delivery such as embedded image/link requests from a browser on the same network segment.
RemediationAI
Patch available per vendor advisory - consult Rockwell Automation advisory SD1775 (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1775.html) for the exact fixed firmware version and apply it to all 1794-AENTR adapters. Until firmware can be updated, restrict network access to the adapter's embedded web server by placing devices behind an ICS firewall or DMZ, blocking inbound HTTP (TCP/80) to the adapter from non-engineering subnets, and disabling the web interface entirely if the deployment does not require it (trade-off: loss of browser-based diagnostics and configuration, which must be done via Studio 5000 or other Rockwell tooling instead). Segment OT networks per IEC 62443 zones and conduits so that the adapter is never reachable from IT, vendor remote-access, or Internet-facing paths, and monitor for unexpected HTTP GETs to password-change endpoints on adapter IPs.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37122
GHSA-vhq6-x73f-hjjx