Rockwell Automation patches multiple ICS flaws

Rockwell Automation has disclosed two security advisories that reveal several Rockwell Automation vulnerabilities across its industrial product line. Published on June 16, 2026, the advisories cover the FactoryTalk Historian Site Edition platform and the FLEX I/O dual-port EtherNet/IP adapters. CISA republished both the same day, urging critical-manufacturing operators to act.

So far, none of the flaws appear in the CISA Known Exploited Vulnerabilities catalog. Even so, two of them carry critical severity scores. Therefore, patching should not wait for the next maintenance window.

FactoryTalk Historian: authentication bypass headlines SD1773

Advisory SD1773 lists three issues in FactoryTalk Historian SE. The most serious is CVE-2025-13036, an authentication bypass scored 9.2 under CVSS 4.0.

The root cause is a race condition on the login endpoint. According to Rockwell, an attacker “may obtain a valid authentication token” simply by flooding that endpoint with requests. As a result, an unauthenticated actor could slip past login controls and reach sensitive process data.

The other two bugs, CVE-2025-44019 and CVE-2025-36539, affect AVEVA PI Data Archive components. Both stem from an uncaught exception. However, they require an authenticated user, and their impact is limited to a denial of service. Rockwell corrected all three flaws in version 12.00.00.

FLEX I/O adapters: a 9.4 password-change flaw

The second cluster of Rockwell Automation vulnerabilities targets the 1794-AENTR and 1794-AENTRXT adapters. These devices bridge FLEX I/O modules and Logix controllers across EtherNet/IP networks.

Advisory SD1775 describes the most alarming flaw, CVE-2026-0647, which earns a 9.4 CVSS v3.1 score. Rockwell warns that the issue “allows an unauthenticated attacker to change the device’s web interface password.” Consequently, an attacker could seize the account and lock out legitimate engineers.

The companion bug, CVE-2026-0646, is a denial-of-service condition. Improper memory handling of CIP requests can fault the adapter and sever its link to attached I/O modules. Afterward, recovery demands a manual reset. Firmware version 2.013 fixes both problems.

Why these matter for OT defenders

Together, the advisories underline a familiar lesson for operational technology. Data historians and edge adapters sit deep inside the plant, yet attackers increasingly reach them. Therefore, defenders should treat unauthenticated, network-facing flaws as urgent priorities.

For teams that cannot patch right away, segmentation buys time. Operators should restrict the FLEX I/O web interface and EtherNet/IP services to trusted hosts only. Likewise, they should limit access to PI Data Archive port 5450 and watch the related subsystems for unexpected restarts.

Ultimately, these Rockwell Automation vulnerabilities are straightforward to remediate once identified. The harder challenge, as always, is finding every affected device before an attacker does.