A malformed packet can knock Rockwell's Flex 5000 Adapter offline until someone power-cycles it
Rockwell Automation has patched a denial-of-service flaw in a widely deployed factory-floor module. The fix ships as firmware 6.012.

Key points
- Rockwell Automation disclosed CVE-2026-12659 on 16 July 2026, a denial-of-service flaw in its Flex 5000 Adapter running firmware 6.011.
- The bug scores 7.5 on the older CVSS 3.1 scale and 8.7 on the newer CVSS 4.0 scale, both rated high severity.
- A single crafted network packet can freeze the module and its attached inputs and outputs until an engineer physically power-cycles the hardware.
- Rockwell has released firmware version 6.012 as the fix and asks customers who cannot patch to isolate the device from the wider network.
- CISA says no one has been seen exploiting this in the wild.
Rockwell Automation, one of the biggest makers of factory-automation gear, has patched a flaw in its Flex 5000 Adapter, a small industrial computer that sits on production lines and shuttles signals between sensors, motors and the main controller.
The bug is tracked as CVE-2026-12659. It affects firmware version 6.011. The fix is version 6.012.
Here is the plain-English version. If an attacker on the same network sends the adapter a specially malformed message, the device trips over its own error handling and locks up. Everything wired to it stops responding. The only way back is for someone to walk over and cut the power.
That is a denial-of-service flaw, meaning a bug that stops a system doing its job without necessarily letting the attacker steal anything.
How bad is this in practice?
Bad enough to take seriously, not bad enough to panic. The attacker cannot read data, plant malware or take control of the production line through this bug alone. They can only make the adapter fall over. But on a factory floor, an adapter falling over can mean a stopped line, a spoiled batch or an emergency call-out at 3am.
The underlying weakness is what programmers call a double free, where the software accidentally releases the same chunk of memory twice and corrupts its own state. The trigger is a crafted CIP packet. CIP, or Common Industrial Protocol, is the language Rockwell devices use to talk to each other over the network.
If that sounds familiar, it should. This is the industrial-controls equivalent of a classic malformed-packet crash in an old web server. Same shape of bug, different neighbourhood.
CVSS, which stands for Common Vulnerability Scoring System, is the industry's way of putting a number on how nasty a flaw is. Rockwell and CISA give this one a 7.5 out of 10 under the older scoring, and 8.7 under the newer one. The jump reflects the fact that the newer system weighs availability, keeping a system running, more heavily. For a device that lives on a factory floor, that reweighting is fair.
What should operators do now?
Upgrade to Flex 5000 Adapter firmware 6.012. That is the clean answer, and it comes straight from Rockwell's advisory SD1789.
Where an immediate upgrade is not possible, and in industrial settings it very often is not, the standard playbook applies. Keep the adapter off the public internet. Put it behind a firewall. Segment the plant network from the office network so a compromised laptop in accounts cannot reach a controller in the paint shop.
CISA, the US Cybersecurity and Infrastructure Security Agency, published the advisory on 16 July 2026 after Rockwell reported the flaw itself. The agency notes it has seen no attacks using this bug so far.
Rockwell found and disclosed the issue in-house, which is worth a small nod. Vendors sitting on flaws until a researcher forces the issue is still common in the industrial-controls world. This was not one of those cases.



