CVE-2012-6440 in ControlLogix controllers
Summary
by MITRE
The Web server password authentication mechanism used by the products is vulnerable to a MitM and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product’s Web server to view and alter product configuration and diagnostics information.
Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/03/2026
The vulnerability identified as CVE-2012-6440 affects Rockwell Automation EtherNet/IP communication products and controllers, representing a critical weakness in the authentication mechanisms of industrial control systems. This flaw specifically targets the web-server password-authentication functionality across multiple hardware platforms including ENBT and EWEB communication modules, CompactLogix and ControlLogix controllers, and various FLEX adapters. The vulnerability stems from insufficient protection of authentication credentials during HTTP-based communication, creating an exploitable condition that allows attackers to intercept and reuse authentication tokens. The affected products span several generations of Rockwell Automation's industrial networking equipment, indicating a widespread issue that impacts critical infrastructure deployments across various industrial sectors including manufacturing, process control, and automation systems.
The technical flaw manifests as a failure to properly implement secure authentication protocols during HTTP traffic transmission, enabling man-in-the-middle attack scenarios where malicious actors can capture authentication data and replay it to gain unauthorized access to the affected systems. This weakness directly relates to CWE-312, which addresses the exposure of sensitive information through improper handling of authentication credentials, and CWE-319, which covers the exposure of sensitive information through improper handling of authentication tokens. The vulnerability essentially allows attackers to perform credential replay attacks, where captured HTTP authentication information can be reused to establish unauthorized sessions with the affected industrial controllers. The lack of proper cryptographic protection for authentication tokens during transmission creates an environment where attackers can intercept network traffic and leverage captured credentials for system access.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it fundamentally compromises the security posture of industrial control systems that rely on these Rockwell Automation products for networked communication. Attackers who successfully exploit this vulnerability can gain administrative access to controllers, potentially leading to system disruption, data manipulation, or complete system compromise. The affected devices include critical infrastructure components such as CompactLogix L32E and L35E controllers, ControlLogix systems, and various FLEX adapters that are commonly deployed in manufacturing environments, process control systems, and other industrial applications where system integrity is paramount. This vulnerability particularly threatens operational technology environments where traditional cybersecurity controls may be less prevalent or properly implemented, potentially enabling attackers to cause physical damage to industrial processes or disrupt critical operations.
Mitigation strategies for CVE-2012-6440 should focus on implementing network segmentation and access controls to limit exposure of affected devices to untrusted networks. Organizations should deploy network monitoring solutions to detect and alert on suspicious authentication patterns and replay attacks. The implementation of secure communication protocols including HTTPS with proper certificate validation and the use of network access control lists can help reduce the attack surface. According to ATT&CK framework, this vulnerability maps to T1110.001, which covers credential access through the exploitation of weak or default credentials, and T1566.002, which addresses initial access through spearphishing attachments and links. Rockwell Automation has released firmware updates to address this vulnerability, and organizations should prioritize applying these patches while also implementing network-level protections such as firewalls, intrusion detection systems, and proper network segmentation to prevent unauthorized access to industrial control systems. Additionally, implementing network monitoring solutions that can detect anomalous authentication patterns and replay attempts will help identify potential exploitation attempts before they result in successful system compromise.