CVE-2021-22681
Published 2024-07-16
Priority: P1 · 90 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability (due 2026-03-26)
Exploited in the wild
EPSS: 25.45% (97.7th percentile)
The v6.40 release of Rockwell Automation FactoryTalk® Policy Manager CVE-2021-22681 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1550.html and CVE-2022-1161 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html by implementing CIP security and did not update to the versions of the software CVE-2022-1161 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html and CVE-2022-1161. https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | factorytalk_policy_manager | — | — |
| rockwell_automation | factorytalk_system_services | — | — |
| rockwellautomation | factorytalk_policy_manager | — | — |
| rockwellautomation | factorytalk_services_platform | >= 2.10 | — |
| rockwellautomation | rslogix_5000 | 16 – 20 | — |
| rockwellautomation | studio_5000_logix_designer | >= 21.0 | — |
Detection & IOCs (extracted from sources)
- Monitor the controller change log for unexpected modifications or anomalous activity as a detection signal for exploitation of CVE-2021-22681.
- Use the Controller Log feature (firmware v17+) to detect unauthorized configuration changes indicative of exploitation.
- Use Change Detection in the Logix Designer application (firmware v20+) to identify unauthorized modifications to controller configuration or application code.
- Use FactoryTalk AssetCentre to detect changes to controller configuration or application files as an indicator of exploitation.
- Alert on any inbound EtherNet/IP (TCP 44818) connections to Logix controllers originating from outside the ICS network zone, as exploitation requires network access to the controller.
- No vendor patch exists for CVE-2021-22681; Rockwell Automation has determined the vulnerability cannot be mitigated with a patch, and only defense-in-depth mitigations are available.
- The vulnerability stems from Studio 5000 Logix Designer using a static key to verify controller communications; an unauthenticated attacker can bypass this verification mechanism entirely.
- CVSS v3 base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H); exploitable remotely with a low skill level required.
- SoftLogix 5800 has no additional mitigation available beyond network segmentation guidance; no CIP Security or mode-switch option applies.
- CVE-2021-22681 is being actively exploited by CyberAv3ngers (IRGC-linked) against U.S. water, energy, and government facilities, as confirmed by joint advisory AA26-097A; no vendor patch is available.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-j8wv-5g58-r5vh · ghsa_unreviewed · 2024-07-16 · CVSS 9.8
CVE-2024-6325 [CRITICAL] CWE-269
The v6.40 release of Rockwell Automation FactoryTalk® Policy Manager CVE-2021-22681 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1550.html and CVE-2022-1161 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html by implementing CIP security and did not update to the versions of the software CVE-2022-1161 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html and CVE-2022-1161. https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1585.html
GHSA
GHSA-pvh9-p4pw-h78q · ghsa_unreviewed · 2022-05-24
CVE-2021-22681 [CRITICAL] CWE-522
Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480; ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. Rockwell Automation Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000 Versions 16 through 20 are vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480; ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800.
VulnCheck
Rockwell Multiple Products Insufficient Protected Credentials Vulnerability · vulncheck · 2021 · CVSS 9.8
CVE-2021-22681 [CRITICAL] CWE-522
Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.
Affected: Rockwell Multiple Products
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA
Rockwell Multiple Products Insufficient Protected Credentials Vulnerability · cisa · 2026-03-05 · CVSS 9.8
CVE-2021-22681 [CRITICAL] CWE-522
Vulnerability: Rockwell Multiple Products Insufficient Protected Credentials Vulnerability
Affected: Rockwell Multiple Products
Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA ICS
Rockwell Automation Logix Controllers (Update A) · cisa_ics · 2021-02-25
ICS Advisory: Rockwell Automation Logix Controllers (Update A)
Last Revised: March 18, 2021
Alert Code: ICSA-21-056-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Rockwell Automation
- Equipment: Studio 5000 Logix Designer, RSLogix 5000, Logix Controllers
- Vulnerability: Insufficiently Protected Credentials
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-21-056-03 Rockwell Automation Logix Controllers that was published February 25, 2021, to the ICS webpage on us-cert.cisa.g
No detection rules found.
No public exploits indexed.
Tenable
What to Know About CyberAv3ngers: The IRGC-Linked Group Targeting Critical Infrastructure · blogs_tenable · 2026-04-09
Tenable
Rockwell Automation: Disconnect OT Devices with Public-Facing Internet Access, Patch or Mitigate Logix, FactoryTalk CVEs · blogs_tenable · 2024-06-05
Bleepingcomputer
Rockwell Automation warns admins to take ICS devices offline · blogs_bleepingcomputer · 2024-05-21 · CVSS 9.8 [CRITICAL]
By Sergiu Gatlan
Rockwell Automation warned customers to disconnect all industrial control systems (ICSs) not designed for online exposure from the Internet due to increasing malicious activity worldwide.
Network defenders should never configure such devices to allow remote connections from systems outside the local network. By taking them offline, they can drastically reduce their organizations' attack surface.
This ensures that threat actors no longer have direct access to systems that may not yet be patched against security vulnerabilities that would allow them to gain access to their targets' internal networks.
"Due to heightened geopolitical tensions and adversarial cyber activity globally, Rockwell Automation is
Checkpoint
March 1st – Threat Intelligence Report · blogs_checkpoint · 2021-03-01
Tagged: CVE-2021-21972
## March 1st – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 1st March, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
The biochemical systems at an Oxford university research lab currently studying the Covid-19 pandemic have been breached. Clinical research was not affected by the incident. Breached systems include machines used to prepare biochemical samples, and hackers are currently attempting to sell their access to those machines.
Published: 2024-07-16
Added to CISA KEV: 2026-03-05
Exploited in the wild