An old vulnerability affecting industrial control system (ICS) products from Rockwell Automation has been exploited in attacks, according to the vendor and the cybersecurity agency CISA.
CISA added the flaw, tracked as CVE-2021-22681, to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, instructing federal agencies to address it by March 26.
The security hole affects the Studio 5000 Logix Designer software and several Logix programmable logic controllers (PLCs), including CompactLogix, ControlLogix, DriveLogix, FlexLogix, GuardLogix, and SoftLogix devices.
CVE-2021-22681 was disclosed in February 2021, when the vendor announced mitigations and credited Soonchunhyang University in South Korea, Kaspersky, and Claroty for reporting it. Claroty said at the time that it had reported the issue to Rockwell in 2019.
The vulnerability, related to an insufficiently protected cryptographic key, could allow a remote, unauthenticated attacker to bypass verification and connect to a targeted controller by mimicking an engineering workstation.
In a real-world industrial environment, the vulnerability could allow remote attackers to manipulate PLC logic and disrupt manufacturing processes, or even cause physical damage to equipment.
Rockwell updated its initial advisory on Thursday to mention in-the-wild exploitation of CVE-2021-22681, but the company has not shared any information about the attacks.
SecurityWeek has reached out to Rockwell for comment and will update this article if the company responds.
A Shodan search currently shows nearly 6,000 internet-exposed Rockwell devices, but it’s unclear how many may be affected by CVE-2021-22681.
It’s worth noting that Rockwell issued a security notice in 2024, urging customers to ensure their ICS devices are not connected to the internet. One of the vulnerabilities highlighted in that alert was CVE-2021-22681, which indicates that the vendor did not rule out malicious exploitation.
In 2023, Rockwell and CISA warned that an unnamed APT had developed an exploit for a different Rockwell controller vulnerability (CVE-2023-3595), which could be exploited to cause disruption or destruction, but there had been no evidence of actual attacks.
Currently, CVE-2021-22681 is the only Rockwell product vulnerability in CISA’s KEV catalog.
