Rockwell Automation Vulnerability Exploited in Remote ICS Hacking Attacks: Security Risks and Consequences

Post Views: 213

CVE-2021-22681 Exploited in Real-World Attacks

A previously disclosed vulnerability in Rockwell Automation’s industrial control system (ICS) products has been exploited in real-world attacks, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to add it to its list of known exploited vulnerabilities.

Affected Products

The vulnerability, tracked as CVE-2021-22681, affects Rockwell’s Studio 5000 Logix Designer software and several Logix programmable logic controllers (PLCs), including CompactLogix, ControlLogix, DriveLogix, FlexLogix, GuardLogix, and SoftLogix devices.

Initial Disclosure

The flaw was initially disclosed in February 2021, when Rockwell announced mitigations and credited researchers from Soonchunhyang University in South Korea, Kaspersky, and Claroty for reporting it.

Vulnerability Details

CVE-2021-22681 is related to an insufficiently protected cryptographic key, which could allow a remote, unauthenticated attacker to bypass verification and connect to a targeted controller by mimicking an engineering workstation.

In a real-world industrial environment, the vulnerability could enable remote attackers to manipulate PLC logic and disrupt manufacturing processes, or even cause physical damage to equipment.

CISA’s Response

CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, instructing federal agencies to address it by March 26.

Rockwell’s Update

Rockwell updated its initial advisory to mention in-the-wild exploitation of CVE-2021-22681, but the company has not shared any information about the attacks.

Exposed Devices

A search of internet-exposed devices using the Shodan search engine currently shows nearly 6,000 Rockwell devices, but it is unclear how many may be affected by CVE-2021-22681.

Previous Warnings

Rockwell previously issued a security notice in 2024, urging customers to ensure their ICS devices are not connected to the internet, highlighting CVE-2021-22681 as one of the vulnerabilities that could be exploited.

In 2023, Rockwell and CISA warned that an unnamed advanced persistent threat (APT) had developed an exploit for a different Rockwell controller vulnerability (CVE-2023-3595), which could be exploited to cause disruption or destruction.