Executive Summary
On March 5, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation: CVE-2017-7921 (Hikvision Multiple Products Improper Authentication), CVE-2021-22681 (Rockwell Multiple Products Insufficiently Protected Credentials), CVE-2021-30952 (Apple Multiple Products Integer Overflow or Wraparound), CVE-2023-41974 (Apple iOS and iPadOS Use-After-Free), and CVE-2023-43000 (Apple Multiple Products Use-After-Free). Vulnerabilities of this kind are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise; under BOD 22-01 federal civilian agencies must remediate each entry by its catalog due date.
The inclusion of these vulnerabilities underscores the persistent threat landscape and the importance of timely remediation. Organizations are urged to prioritize addressing these vulnerabilities to mitigate potential cyberattacks and protect their networks against active threats.
Why This Matters Now
The addition of these vulnerabilities to the KEV Catalog highlights the ongoing risk of exploitation by cyber actors. Immediate remediation is crucial to prevent potential breaches and safeguard sensitive information.
Attack Path Analysis
The CISA alert confirms exploitation but does not describe a single campaign, so the chain below is an illustrative path assembled from the vulnerability classes involved, not a reconstruction of one incident. An attacker could gain initial access through the Hikvision authentication bypass (CVE-2017-7921) on an internet-exposed camera, or, from a reachable engineering or plant network, use the extractable verification key behind CVE-2021-22681 to authenticate to Logix controllers without valid credentials. The Apple bugs fit a different pattern: a malicious or compromised app on a managed iOS or iPadOS device escalating to kernel privileges through the use-after-free flaws (CVE-2023-41974, CVE-2023-43000), or a user browsing attacker-controlled web content that triggers the WebKit integer overflow (CVE-2021-30952). From any such foothold the attacker could move laterally to other devices and systems, establish command and control channels for persistent access, exfiltrate sensitive data (including surveillance footage), and, in the OT case, disrupt operations by manipulating or disabling controller logic.
Kill Chain Progression
Initial Compromise
Description
In the illustrative chain, initial access comes from the Hikvision authentication bypass (CVE-2017-7921) on an exposed camera, from an attacker on a reachable network using the extractable verification key behind CVE-2021-22681 to authenticate to Rockwell Automation Logix controllers, or, on the endpoint side, from a malicious app or crafted web content triggering the Apple memory-safety bugs.
Related CVEs
CVE-2017-7921
CVSS 9.8
Hikvision devices have an improper authentication vulnerability that allows a remote, unauthenticated attacker to bypass authentication and gain access to the device.
Affected Products:
Hikvision Multiple Products – Various
Exploit Status:
exploited in the wild
CVE-2021-22681
CVSS 9.8
Rockwell Automation Studio 5000 Logix Designer and RSLogix 5000 use a key to verify that Logix controllers are communicating with Rockwell Automation products. An attacker who extracts that key from the software can bypass the verification and authenticate to Logix controllers without authorization; the weakness is the protection of the credential, not a flaw in a single controller model.
Affected Products:
Rockwell Automation Studio 5000 Logix Designer – 21 and later
Rockwell Automation RSLogix 5000 – 16 through 20
Exploit Status:
exploited in the wild
CVE-2021-30952
CVSS 7.8
An integer overflow or wraparound in WebKit; processing maliciously crafted web content may lead to arbitrary code execution in the browser or web-content process.
Affected Products:
Apple Multiple Products – Various
Exploit Status:
exploited in the wild
CVE-2023-41974
CVSS 7.8
A use-after-free issue in the iOS and iPadOS kernel allows an app to execute arbitrary code with kernel privileges.
Affected Products:
Apple iOS – before 17.0
Apple iPadOS – before 17.0
Exploit Status:
exploited in the wild
CVE-2023-43000
CVSS 8.8
A use-after-free vulnerability in the kernel of Apple products allows an app to execute arbitrary code with kernel privileges.
Affected Products:
Apple Multiple Products – Various
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Modify Authentication Process (T1556)
Exploitation for Privilege Escalation (T1068)
Exploitation for Client Execution (T1203)
Valid Accounts (T1078)
Network Sniffing (T1040)
Brute Force (T1110)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components and software are protected from known vulnerabilities
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Devices
Control ID: Pillar 3
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal civilian agencies face mandatory remediation under BOD 22-01 for all five entries: the Hikvision and Rockwell flaws enable authentication bypass and credential compromise on network-facing devices, and the Apple flaws enable kernel-level code execution on managed endpoints.
Computer Hardware
The Apple kernel use-after-free bugs CVE-2023-41974 and CVE-2023-43000 are exploitable by a malicious or compromised app on the device rather than over the network, so the exposure is any fleet of iPhones and iPads running unpatched releases, including devices used on manufacturing floors and in supply-chain operations; updating to fixed releases is the remediation.
Industrial Automation
Rockwell Automation Logix environments affected by CVE-2021-22681 allow anyone holding the extracted verification key to authenticate to controllers, exposing critical infrastructure to lateral movement from the engineering network into operational technology and to unauthorized changes to controller logic.
Security/Investigations
The Hikvision authentication bypass CVE-2017-7921 compromises surveillance systems, enabling unauthorized access to configuration, sensitive security footage, and monitoring capabilities.
Sources
- CISA Adds Five Known Exploited Vulnerabilities to Catalog – https://www.cisa.gov/news-events/alerts/2026/03/05/cisa-adds-five-known-exploited-vulnerabilities-catalog
- CVE-2017-7921 Detail – https://nvd.nist.gov/vuln/detail/CVE-2017-7921
- CVE-2021-22681 Detail – https://nvd.nist.gov/vuln/detail/CVE-2021-22681
- CVE-2021-30952 Detail – https://nvd.nist.gov/vuln/detail/CVE-2021-30952
- CVE-2023-41974 Detail – https://nvd.nist.gov/vuln/detail/CVE-2023-41974
- CVE-2023-43000 Detail – https://nvd.nist.gov/vuln/detail/CVE-2023-43000
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit vulnerabilities and move laterally within the network, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit these vulnerabilities would likely be constrained, reducing the likelihood of successful initial access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing the scope of potential damage.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally would likely be constrained, reducing the reachability to other devices and systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing the persistence of access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of data loss.
The attacker's ability to disrupt operations would likely be constrained, reducing the potential impact on critical systems.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network, and in particular keep cameras and engineering workstations off any path to controllers that they do not need.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts against internet-exposed and OT-facing services.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities such as new connections to Logix controllers from unexpected hosts.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Ensure all devices run fixed firmware or software versions for these CVEs; where the vendor offers only mitigations rather than a patch, apply them and verify, and track each entry against its KEV due date.
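To turn the KEV entries above into a tracked remediation list, the following added example (not code from CISA, Aviatrix or the page's author) parses a constructed subset of the KEV JSON feed, matches it against an assumed asset inventory, checks installed versions against an assumed fixed-version table, and computes days remaining to each BOD 22-01 due date. The field names follow the public catalog schema; the entries, due dates, asset names, versions and the fixed-version table are assumptions for illustration.

```python
"""Match a KEV feed subset against an asset inventory and track due dates.

Added example, not code from CISA or the original advisory. Field names
(cveID, vendorProject, product, dateAdded, dueDate) follow the public KEV
JSON schema; all values below are constructed for illustration.
"""
import json
from datetime import date

# Constructed subset shaped like known_exploited_vulnerabilities.json (assumed due dates).
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision", "product": "Multiple Products",
     "vulnerabilityName": "Hikvision Multiple Products Improper Authentication",
     "dateAdded": "2026-03-05", "dueDate": "2026-03-26"},
    {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation", "product": "Multiple Products",
     "vulnerabilityName": "Rockwell Multiple Products Insufficiently Protected Credentials",
     "dateAdded": "2026-03-05", "dueDate": "2026-03-26"},
    {"cveID": "CVE-2023-41974", "vendorProject": "Apple", "product": "iOS and iPadOS",
     "vulnerabilityName": "Apple iOS and iPadOS Use-After-Free",
     "dateAdded": "2026-03-05", "dueDate": "2026-03-26"}
  ]
}"""

# Constructed inventory: hypothetical asset names, products and versions.
INVENTORY = [
    {"asset": "cam-lobby-01", "vendor": "Hikvision", "product": "IP camera", "version": "5.4.0"},
    {"asset": "plc-ws-line3", "vendor": "Rockwell Automation", "product": "Studio 5000 Logix Designer", "version": "32.00"},
    {"asset": "ipad-field-07", "vendor": "Apple", "product": "iPadOS", "version": "16.7.2"},
    {"asset": "iphone-exec-02", "vendor": "Apple", "product": "iOS", "version": "17.0.3"},
]

# Assumed lookup of the first fixed version per (CVE, product); populate it from
# vendor advisories. CVEs without an entry are reported as exposed until verified.
FIXED_VERSIONS = {
    ("CVE-2023-41974", "ios"): "17.0",
    ("CVE-2023-41974", "ipados"): "17.0",
}


def parse_version(text):
    """'17.0.3' -> (17, 0, 3); a non-numeric component stops the parse."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def version_at_least(installed, fixed):
    """Compare dotted versions with right-padding so that 17.0 equals 17.0.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def load_kev(text):
    """Parse the KEV JSON document and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def kev_matches_asset(entry, asset):
    """Vendor must match; 'Multiple Products' matches any product of that vendor."""
    if entry["vendorProject"].strip().lower() != asset["vendor"].strip().lower():
        return False
    product = entry["product"].lower()
    return product == "multiple products" or asset["product"].lower() in product


def find_exposures(kev_entries, inventory, fixed_versions, today):
    """One finding per matching (asset, KEV entry) pair with status and days to due date."""
    findings = []
    for entry in kev_entries:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not kev_matches_asset(entry, asset):
                continue
            fixed = fixed_versions.get((entry["cveID"], asset["product"].lower()))
            if fixed is None:
                status = "exposed-unverified"  # no fix version recorded yet
            elif version_at_least(asset["version"], fixed):
                status = "patched"
            else:
                status = "exposed"
            findings.append({"asset": asset["asset"], "cve": entry["cveID"],
                             "status": status, "days_to_due": (due - today).days})
    return sorted(findings, key=lambda f: (f["days_to_due"], f["asset"]))


def overdue_or_due_soon(findings, within_days=7):
    """Unpatched findings whose due date is past (negative days) or within the window."""
    return [f for f in findings if f["status"] != "patched" and f["days_to_due"] <= within_days]


def report(today_iso):
    """Run the constructed feed and inventory for a given 'today' (ISO date string)."""
    return find_exposures(load_kev(KEV_JSON), INVENTORY, FIXED_VERSIONS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in report("2026-03-20"):
        print(f"{f['asset']:16} {f['cve']:15} {f['status']:20} due in {f['days_to_due']:>3} days")
```

In practice the feed is fetched from CISA's published JSON rather than embedded, the inventory comes from the CMDB or MDM, and the fixed-version table is the part that needs human curation: for an entry like CVE-2021-22681, where the vendor response is mitigations rather than a single patched version, the "exposed-unverified" status stays until someone records that the mitigations are in place.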



