Executive Summary
In March 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2017-7921 affecting Hikvision products and CVE-2021-22681 impacting Rockwell Automation devices. CVE-2017-7921 is an improper authentication flaw that allows attackers to escalate privileges and access sensitive information in Hikvision cameras. CVE-2021-22681 involves insufficiently protected credentials in Rockwell Automation's Studio 5000 Logix Designer and related controllers, enabling unauthorized users to bypass verification mechanisms and alter device configurations. Both vulnerabilities have a CVSS score of 9.8, indicating their severity and the potential risk to critical infrastructure.
The inclusion of these vulnerabilities in the KEV catalog underscores the ongoing threat posed by unpatched security flaws in widely used industrial and surveillance equipment. Organizations are urged to prioritize remediation efforts to mitigate the risk of exploitation, especially given the active targeting of such vulnerabilities by malicious actors.
Why This Matters Now
The active exploitation of these critical vulnerabilities highlights the urgent need for organizations to update their systems and implement robust security measures to protect against potential breaches and operational disruptions.
Attack Path Analysis
Attackers exploited vulnerabilities in Hikvision cameras (CVE-2017-7921) and Rockwell Automation controllers (CVE-2021-22681) to gain unauthorized access. They escalated privileges by bypassing authentication mechanisms, allowing control over the devices. Subsequently, they moved laterally within the network to access other critical systems. Command and control channels were established to maintain persistent access. Sensitive data was exfiltrated from compromised systems. Finally, the attackers disrupted operations by altering configurations and deploying malicious code.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited CVE-2017-7921 in Hikvision cameras and CVE-2021-22681 in Rockwell Automation controllers to gain unauthorized access.
Related CVEs
CVE-2017-7921
CVSS 9.8
An improper authentication vulnerability in multiple Hikvision products allows remote attackers to escalate privileges and access sensitive information.
Affected Products:
Hikvision DS-2CD2xx2F-I Series – V5.2.0 build 140721 to V5.4.0 build 160530
Hikvision DS-2CD2xx0F-I Series – V5.2.0 build 140721 to V5.4.0 Build 160401
Hikvision DS-2CD2xx2FWD Series – V5.3.1 build 150410 to V5.4.4 Build 161125
Hikvision DS-2CD4x2xFWD Series – V5.2.0 build 140721 to V5.4.0 Build 160414
Hikvision DS-2CD4xx5 Series – V5.2.0 build 140721 to V5.4.0 Build 160421
Hikvision DS-2DFx Series – V5.2.0 build 140805 to V5.4.5 Build 160928
Hikvision DS-2CD63xx Series – V5.0.9 build 140305 to V5.3.5 Build 160106
Exploit Status:
Exploited in the wild
CVE-2021-22681
CVSS 9.8
An insufficiently protected credentials vulnerability in Rockwell Automation products allows unauthenticated attackers to bypass verification mechanisms and authenticate with Logix controllers.
Affected Products:
Rockwell Automation Studio 5000 Logix Designer – Versions 21 and later
Rockwell Automation RSLogix 5000 – Versions 16 through 20
Rockwell Automation CompactLogix – 1768, 1769, 5370, 5380, 5480
Rockwell Automation ControlLogix – 5550, 5560, 5570, 5580
Rockwell Automation DriveLogix – 5560, 5730, 1794-L34
Rockwell Automation Compact GuardLogix – 5370, 5380
Rockwell Automation GuardLogix – 5570, 5580
Rockwell Automation SoftLogix – 5800
Exploit Status:
Exploited in the wild
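As an added example (not part of this advisory or of either vendor's tooling), the following Python check parses the Hikvision firmware strings listed above and flags inventory entries whose firmware falls inside an affected range for CVE-2017-7921. It assumes the series names match a model as a prefix with each "x" standing for one character, and the inventory it runs over is constructed.

```python
import re
# Affected Hikvision ranges for CVE-2017-7921, copied from the advisory above (bounds inclusive).
AFFECTED_HIKVISION = [
    ("DS-2CD2xx2F-I", "V5.2.0 build 140721", "V5.4.0 build 160530"),
    ("DS-2CD2xx0F-I", "V5.2.0 build 140721", "V5.4.0 build 160401"),
    ("DS-2CD2xx2FWD", "V5.3.1 build 150410", "V5.4.4 build 161125"),
    ("DS-2CD4x2xFWD", "V5.2.0 build 140721", "V5.4.0 build 160414"),
    ("DS-2CD4xx5",    "V5.2.0 build 140721", "V5.4.0 build 160421"),
    ("DS-2DFx",       "V5.2.0 build 140805", "V5.4.5 build 160928"),
    ("DS-2CD63xx",    "V5.0.9 build 140305", "V5.3.5 build 160106"),
]
_FW_RE = re.compile(r"^V(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{6})$", re.IGNORECASE)

def parse_firmware(text: str) -> tuple:
    """'V5.4.0 build 160530' -> (5, 4, 0, 160530); build is YYMMDD, so tuples order by release."""
    m = _FW_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(g) for g in m.groups())

def series_matches(series: str, model: str) -> bool:
    """Assumed rule (not Hikvision's): the model must start with the series name,
    with each 'x' in the series standing for exactly one character."""
    pattern = "^" + "".join("." if c == "x" else re.escape(c) for c in series)
    return re.match(pattern, model, re.IGNORECASE) is not None

def is_affected(model: str, firmware: str) -> bool:
    """True if the firmware lies inside the affected range for the model's series."""
    fw = parse_firmware(firmware)
    for series, low, high in AFFECTED_HIKVISION:
        if series_matches(series, model):
            return parse_firmware(low) <= fw <= parse_firmware(high)
    return False  # series not listed in the advisory: nothing to report

def triage(inventory: list) -> list:
    """Return the (model, firmware) pairs that need patching."""
    return [(m, f) for m, f in inventory if is_affected(m, f)]

# Constructed sample inventory for demonstration; these are not real devices.
SAMPLE_INVENTORY = [
    ("DS-2CD2142F-I", "V5.3.0 build 150513"),  # inside range -> affected
    ("DS-2CD2142F-I", "V5.4.0 Build 160530"),  # exactly the upper bound -> affected
    ("DS-2CD2142F-I", "V5.4.5 build 170124"),  # later release -> not affected
    ("DS-2CD6332F",   "V5.3.5 build 160106"),  # DS-2CD63xx upper bound -> affected
    ("DS-2DE4220",    "V5.3.0 build 150513"),  # series not listed -> not flagged
]

if __name__ == "__main__":
    for model, fw in triage(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {model} {fw}")
```

A device from a series the advisory does not list is deliberately left unflagged rather than guessed at, so unlisted models should still be checked against the vendor's own bulletin.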
MITRE ATT&CK® Techniques
Valid Accounts
Default Accounts
Local Accounts
Cloud Accounts
Domain Accounts
Application Accounts
Service Accounts
User Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Address vulnerabilities for custom and bespoke software
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Security Policies and Procedures
Control ID: Art. 9(2)
CISA ZTMM 2.0 – Eliminate Default Passwords
Control ID: Identity Pillar - 1.2
NIS2 Directive – Access Control and Asset Management
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Manufacturing
Critical exposure through Rockwell Automation industrial control systems vulnerability enabling unauthorized controller access, configuration changes, and potential operational disruption across manufacturing facilities.
Oil/Energy/Solar/Greentech
High risk from CVE-2021-22681 affecting Logix Controllers in energy infrastructure, allowing attackers to bypass authentication and alter critical industrial control system configurations.
Government Administration
Federal agencies face compliance mandates under BOD 22-01 to remediate Hikvision camera vulnerabilities by March 26, 2026, addressing privilege escalation risks.
Security/Investigations
Hikvision surveillance systems vulnerable to CVE-2017-7921 enable attackers to escalate privileges and access sensitive security footage and monitoring data across installations.
Sources
- Hikvision and Rockwell Automation CVSS 9.8 Flaws Added to CISA KEV Catalog: https://thehackernews.com/2026/03/hikvision-and-rockwell-automation-cvss.html
- CISA Adds Five Known Exploited Vulnerabilities to Catalog: https://www.cisa.gov/news-events/alerts/2026/03/05/cisa-adds-five-known-exploited-vulnerabilities-catalog
- CVE-2017-7921 Detail: https://nvd.nist.gov/vuln/detail/CVE-2017-7921
- CVE-2021-22681 Detail: https://nvd.nist.gov/vuln/detail/CVE-2021-22681
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attackers' ability to exploit vulnerabilities, escalate privileges, and move laterally within the network, thereby reducing the overall blast radius of the attack.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attackers' ability to exploit these vulnerabilities would likely have been constrained, limiting their initial access to the network.
Control: Zero Trust Segmentation
Mitigation: The attackers' ability to escalate privileges would likely have been limited, reducing their control over compromised devices.
Control: East-West Traffic Security
Mitigation: The attackers' lateral movement within the network would likely have been constrained, limiting their access to other critical systems.
Control: Multicloud Visibility & Control
Mitigation: The attackers' ability to establish and maintain command and control channels would likely have been limited, reducing their persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attackers' ability to exfiltrate sensitive data would likely have been constrained, limiting data loss.
The attackers' ability to disrupt operations would likely have been limited, reducing the overall impact on the organization.
Impact at a Glance
Affected Business Functions
- Surveillance Operations
- Industrial Control Systems
- Network Security
Estimated downtime: 7 days
Estimated loss: $500,000
Unauthorized access to surveillance footage and control systems data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts.
- Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities.
- Regularly update and patch all devices to mitigate known vulnerabilities.