🔴 CVE-2021-22681

Critical authentication bypass vulnerability in Rockwell Automation industrial control systems that allows unauthenticated attackers to bypass verification mechanisms and authenticate with Logix controllers over the network. This vulnerability is actively exploited and is listed in the CISA KEV catalog.

Risk Level: HIGH_RISK

CVSS Score: 9.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2021-03-03

Added to CISA KEV: 2026-03-05 (1828 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2021-22681 is a critical authentication bypass vulnerability affecting various Rockwell Automation products, specifically impacting the communication mechanism between engineering stations and Logix programmable logic controllers (PLCs) [1].

Exploitation and Threat Actor Usage
  • Active Exploitation: This vulnerability is actively exploited in the wild and is included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog [3] [7].
  • Threat Actors: It has been linked to targeted attacks against U.S. critical infrastructure by Iranian-affiliated cyber actors [2].
Attack Method and Requirements
  • Access Requirements: The vulnerability can be exploited remotely by an unauthenticated attacker [5].
  • User Interaction: No user interaction is required for successful exploitation.
  • Method: An attacker can bypass the verification mechanism that secures communication between the engineering station and the PLC, allowing them to establish a remote connection [1] [5].
Impact
Successful exploitation provides an attacker with significant control over the affected PLC, including the ability to:
  • Upload malicious code to the controller [1].
  • Download sensitive information from the controller [1].
  • Install attacker-controlled firmware [1].
Proof-of-Concept (PoC)
Publicly available proof-of-concept or exploit code exists for this vulnerability [6].
Affected Products and Mitigation
  • Affected Versions:
      • Studio 5000 Logix Designer: Versions 21 and later [4].
      • RSLogix 5000: Versions 16 through 20 [4].
      • Various Logix Controllers are also affected [1].
  • Mitigation: Organizations using these products are advised to review Rockwell Automation’s official guidance (such as Product Notice PN1550) to strengthen the security of their operational technology (OT) deployments [2].

Sources

  1. Team82 Discovers Critical Authentication Bypass in Rockwell ...

    Affected versions include: Rockwell's Studio 5000 Logix Designer (versions 21 and later) and RSLogix 5000 (versions 16-20), as well as Rockwell ... The Claroty Research Team has discovered a severe vulnerability (CVE-2021-22681, CVSS 10.0) in a mechanism that verifies communication between Rockwell…

  2. Iranian-Affiliated Cyber Actors Exploit Programmable Logic ... - CISA

    In addition to contacting the authoring agencies, organizations with Rockwell Automation/Allen-Bradley-manufactured PLCs should review the manufacturer’s previously issued guidance to strengthen the security of their operational technology deployments: PN1550 | CVE-2021-22681: Authentication Bypass…

  3. NVD - CVE-2021-22681

    Third Party Advisory, US Government Resource. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22681. Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance a…

  4. CVE-2021-22681 Detail - NVD

    Rockwell Automation Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000: Versions 16 through 20 are vulnerable.

  5. Rockwell Automation Logix Controllers (Update A) - CISA

    Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to bypass the verification mechanism and connect ...

  6. CVE-2021-22681 - Rockwell Multiple Products Insufficient Protected...

    CVE-2021-22681 has 1 public PoC/Exploit available at GitHub. Published Date: Mar 06, 2026 (1 month, 1 week ago).

  7. Advisory: U.S. Critical Infrastructure Actively Targeted by Iran | Claroty

    CVE-2021-22681 affects numerous versions of the Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers. Exploits allow an attacker to remotely connect to the PLCs, download malicious code to the PLC, upload information from the PLC, or install attacker-controlled firmware. This CVE was also…