CVE-2021-22681
published 2024-07-16


Priority: P190 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV, ITW
CISA Known Exploited Vulnerability, due 2026-03-26
Exploited in the wild
EPSS: 25.45% (97.7th percentile)
The v6.40 release of Rockwell Automation FactoryTalk® Policy Manager CVE-2021-22681 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1550.html and CVE-2022-1161 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html by implementing CIP security and did not update to the versions of the software CVE-2022-1161 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html and CVE-2022-1161. https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html

Affected (6 ranges)

Vendor               Product                         Version range   Fixed in
rockwell_automation  factorytalk_policy_manager      -               -
rockwell_automation  factorytalk_system_services     -               -
rockwellautomation   factorytalk_policy_manager      -               -
rockwellautomation   factorytalk_services_platform   >= 2.10         -
rockwellautomation   rslogix_5000                    16 – 20         -
rockwellautomation   studio_5000_logix_designer      >= 21.0         -

Detection & IOCs (extracted from sources)

Port: TCP 44818
  • Monitor controller change log for unexpected modifications or anomalous activity as a detection signal for exploitation of CVE-2021-22681.
  • Use Controller Log feature (firmware v17+) to detect unauthorized configuration changes indicative of exploitation.
  • Use Change Detection in Logix Designer Application (firmware v20+) to identify unauthorized modifications to controller configuration or application code.
  • Use FactoryTalk AssetCentre to detect changes to controller configuration or application files as an indicator of exploitation.
  • Alert on any inbound EtherNet/IP (TCP 44818) connections to Logix controllers originating from outside the ICS network zone, as exploitation requires network access to the controller.
  • No vendor patch exists for CVE-2021-22681; Rockwell Automation has determined the vulnerability cannot be mitigated with a patch, only defense-in-depth mitigations are available.
  • The vulnerability stems from Studio 5000 Logix Designer using a static key to verify controller communications; an unauthenticated attacker can bypass this verification mechanism entirely.
  • CVSS v3 base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H); exploitable remotely with low skill level required.
  • SoftLogix 5800 has no additional mitigation available beyond network segmentation guidance; no CIP Security or mode-switch option applies.
  • CVE-2021-22681 is being actively exploited by CyberAv3ngers (IRGC-linked) against U.S. water, energy, and government facilities as confirmed by joint advisory AA26-097A; no vendor patch is available.
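The network-level signal in the list above (inbound EtherNet/IP on TCP 44818 to a Logix controller from outside the ICS zone) can be turned into a flow-log check. The following is an added example, not code from the advisory or from any vendor: the ICS zone prefix, the controller inventory, the flow-record format and the sample flow lines are all constructed for illustration and would be replaced with site-specific values.

```python
"""Flag EtherNet/IP (TCP 44818) connections to Logix controllers that do not
originate inside the ICS network zone. Added example; all addresses,
zone prefixes and the flow-record format below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

ENIP_PORT = 44818  # EtherNet/IP explicit-messaging port named in the advisory sources

# Assumed site layout (constructed): one ICS zone and two known Logix controllers.
ICS_ZONES = [ipaddress.ip_network("10.20.0.0/16")]
LOGIX_CONTROLLERS = {
    ipaddress.ip_address("10.20.5.10"),
    ipaddress.ip_address("10.20.5.11"),
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def in_ics_zone(addr: str) -> bool:
    """True if the address falls inside any configured ICS zone prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ICS_ZONES)


def is_suspicious_enip(flow: Flow) -> bool:
    """Match only TCP 44818 to an inventoried controller from a source outside the zone."""
    if flow.proto.upper() != "TCP" or flow.dport != ENIP_PORT:
        return False
    if ipaddress.ip_address(flow.dst) not in LOGIX_CONTROLLERS:
        return False
    return not in_ics_zone(flow.src)


def parse_flow(line: str) -> Flow:
    """Parse the constructed record format: ts,src,dst,dport,proto."""
    ts, src, dst, dport, proto = (field.strip() for field in line.split(","))
    return Flow(ts, src, dst, int(dport), proto)


def find_alerts(lines: Iterable[str]) -> List[Flow]:
    """Return the flows that should raise an alert, in input order."""
    return [f for f in map(parse_flow, lines) if is_suspicious_enip(f)]


# Constructed sample flow records covering the cases the rule must distinguish.
SAMPLE_FLOWS = [
    "2024-07-16T10:00:01Z,10.20.7.25,10.20.5.10,44818,TCP",     # workstation inside the zone: allowed
    "2024-07-16T10:00:05Z,192.168.50.12,10.20.5.10,44818,TCP",  # corporate IT host: alert
    "2024-07-16T10:00:09Z,203.0.113.7,10.20.5.11,44818,TCP",    # external address: alert
    "2024-07-16T10:00:12Z,203.0.113.7,10.20.5.11,443,TCP",      # not EtherNet/IP: ignored by this rule
    "2024-07-16T10:00:15Z,192.168.50.12,10.20.9.40,44818,TCP",  # destination not in inventory: ignored
    "2024-07-16T10:00:20Z,192.168.50.12,10.20.5.10,44818,UDP",  # not TCP: ignored by this rule
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print(f"ALERT {alert.ts} {alert.src} -> {alert.dst}:{alert.dport}/{alert.proto}")
```

The rule is deliberately scoped to inventoried controllers so it stays high-fidelity; TCP 44818 traffic to addresses not in the inventory is worth a separate, lower-severity rule, since an unknown device answering on that port is itself an inventory gap. Because the vulnerability cannot be patched, this kind of zone-boundary alert complements the controller change-log and Change Detection checks listed above rather than replacing them.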

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck  -        9.8    CRITICAL  -
cisa       -        9.8    CRITICAL  -