A vulnerability in Rockwell Automation’s industrial control system (ICS) products has been actively exploited, as confirmed by the company and the cybersecurity agency CISA. The flaw, tracked as CVE-2021-22681, has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and federal agencies have been directed to mitigate the risk by March 26.
Impact and Scope of the Vulnerability
The vulnerability affects the Studio 5000 Logix Designer software along with various Logix programmable logic controllers (PLCs), such as CompactLogix, ControlLogix, DriveLogix, FlexLogix, GuardLogix, and SoftLogix devices. Initially disclosed in February 2021, the issue stems from a poorly protected cryptographic key, potentially allowing unauthorized remote access to controllers by impersonating an engineering workstation.
Claroty, along with researchers from Soonchunhyang University and Kaspersky, was instrumental in reporting this vulnerability to Rockwell back in 2019. If exploited in an industrial setting, attackers could manipulate the logic of PLCs, disrupt manufacturing operations, or even inflict physical damage on equipment.
Current Threat Landscape
Rockwell has recently updated its advisory to acknowledge real-world exploitation of CVE-2021-22681. However, no details about the attacks have been made public. SecurityWeek has reached out to Rockwell for comment and is awaiting a response.
A Shodan search shows nearly 6,000 Rockwell devices currently exposed to the internet, but how many of them are affected by this particular vulnerability remains unclear. In 2024, Rockwell issued a security advisory urging customers to disconnect their ICS devices from the internet, underscoring the risk of malicious exploitation.
Future Implications and Recommendations
In 2023, Rockwell and CISA highlighted a different vulnerability (CVE-2023-3595) within Rockwell controllers, which an unnamed advanced persistent threat (APT) group had exploited. Although no actual exploits have been confirmed, the potential for disruption or damage underscores the necessity for vigilance.
Currently, CVE-2021-22681 is the sole Rockwell vulnerability listed in CISA’s KEV catalog. It is crucial for organizations using these ICS products to implement the recommended security measures and remain alert to any further advisories from Rockwell and CISA.
