CVE-2026-12659
Awaiting Analysis Awaiting Analysis - Queue

Denial-of-Service in Allen-Bradley CompactLogix

Vulnerability report for CVE-2026-12659, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Rockwell Automation

Description

A denial-of-service security issue exists in the affected products. The security issue stems from improper handling of exceptional conditions when processing crafted CIP packets sent to the adapter. A power cycle is required to recover the module and associated I/O.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
rockwell_automation flex_5000_ethernet_ip_adapters 6.011
rockwell_automation flex_5000_ethernet_ip_adapters 6.012

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-415 The product calls free() twice on the same memory address.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can impact you in the following ways:

  • Denial-of-Service (DoS): An attacker could send crafted CIP packets to the affected adapter, causing it to become unresponsive. This may disrupt industrial processes relying on the module and its associated I/O.
  • Operational Downtime: Recovery requires a power cycle, which may lead to unplanned downtime in critical systems, potentially affecting production or monitoring capabilities.
  • Security Risk: While the vulnerability does not allow for data theft or remote code execution, the disruption of industrial control systems could have cascading effects on safety and reliability.
Executive Summary

CVE-2026-12659 is a high-severity denial-of-service (DoS) vulnerability affecting Rockwell Automation's FLEX 5000 EtherNet/IP Adapters. The issue occurs due to improper handling of exceptional conditions when the adapter processes specially crafted CIP (Common Industrial Protocol) packets.

When exploited, this vulnerability can cause the module and its associated I/O to become unresponsive. A power cycle is required to restore functionality. The vulnerability is classified under CWE-415 (Double Free) and has not been observed in active exploitation.

  • Affected products include Rockwell Automation FLEX 5000 EtherNet/IP Adapters with software version v6.011.
  • The vulnerability is mitigated by upgrading to software version v6.012 or later.
Compliance Impact

The impact of this vulnerability on compliance with common standards and regulations depends on the context of its deployment:

  • GDPR: If the affected system processes personal data of EU citizens, a DoS attack could lead to availability issues, potentially violating GDPR's requirements for data availability and integrity. However, since this vulnerability does not involve data breaches, direct GDPR violations are unlikely unless prolonged downtime affects data processing agreements.
  • HIPAA: For healthcare organizations, if the affected system is part of a network handling protected health information (PHI), a DoS attack could disrupt access to critical systems, potentially violating HIPAA's availability requirements. However, this would depend on whether the system is directly involved in PHI processing.
  • Industrial Standards (e.g., IEC 62443, NIST SP 800-82): The vulnerability could violate requirements for system availability and resilience in industrial control systems. Standards like IEC 62443 emphasize the need for protection against DoS attacks, and failure to mitigate this vulnerability may result in non-compliance.

Overall, while the vulnerability may not directly violate data protection regulations like GDPR or HIPAA, it could still pose compliance risks in environments where system availability and reliability are mandated by industry-specific standards.

Detection Guidance

Detecting this vulnerability on your network or system involves checking for the presence of affected Rockwell Automation FLEX 5000 EtherNet/IP Adapters and monitoring for unusual CIP packet traffic that could trigger the denial-of-service condition.

  • Identify affected devices: Verify if your system uses any of the affected catalog numbers (5094-AENTR, 5094-AENTRXT, 5094-AEN2TR, 5094-AEN2TRXT, 5094-AENSFPR, 5094-AENSFPRXT, 5094-AEN2SFPR, or 5094-AEN2SFPRXT).
  • Check software version: Ensure the adapter is not running software version v6.011. Upgrade to v6.012 or later if necessary.
  • Network monitoring: Use network monitoring tools to detect crafted CIP packets targeting the adapter. Look for unusual patterns or malformed packets sent to the device's EtherNet/IP port (typically UDP port 44818).
  • Behavioral monitoring: Monitor for unresponsive modules or I/O that require a power cycle to recover, as this may indicate exploitation of the vulnerability.

Specific commands or tools for detection are not provided in the context, but you can use standard network analysis tools like Wireshark to inspect CIP traffic. Filter for traffic on UDP port 44818 and analyze packets for anomalies.

Mitigation Strategies

To mitigate this vulnerability, follow these immediate steps:

  • Upgrade the software: Apply the corrected software version (v6.012 or later) to all affected Rockwell Automation FLEX 5000 EtherNet/IP Adapters.
  • Isolate affected devices: If an immediate upgrade is not possible, isolate the affected adapters from untrusted networks to reduce exposure to potential attacks.
  • Monitor network traffic: Implement network monitoring to detect and block crafted CIP packets targeting the adapters.
  • Restrict access: Limit network access to the adapters to only trusted sources and essential personnel.
  • Follow Rockwell Automation's recommendations: Refer to the official security advisory (SD1789) for additional guidance and updates.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12659. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart