CVE-2021-22681

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 03 March 2021
Modified: 06 March 2026
KEV Added: 05 March 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1816 (95.3th percentile)
Risk Priority: 50 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-22681 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Rockwell Automation FactoryTalk Services Platform. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 4.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

Rockwell Automation Studio 5000 Logix Designer versions 21 and later, along with RSLogix 5000 versions 16 through 20, contain an authentication bypass vulnerability in the mechanism that uses a key to verify communication between the engineering software and affected Logix controllers, including CompactLogix 1768/1769/5370/5380/5480, ControlLogix 5550/5560/5570/5580, DriveLogix 5560/5730/1794-L34, Compact GuardLogix 5370/5380, GuardLogix 5570/5580, and SoftLogix 5800. The flaw is tracked as CWE-522 and carries a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker can exploit the weakness over the network to bypass the verification process and successfully authenticate to the listed controllers, resulting in full compromise of confidentiality, integrity, and availability without requiring user interaction or credentials.

CISA has published advisory ICSA-21-056-03 detailing the issue, and the vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog, indicating confirmed real-world exploitation activity.

Vulnerability details

Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. Rockwell Automation Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000: Versions 16 through 20 are vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800.

CWE(s): CWE-522
KEV Date Added: 05 March 2026

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor · Product · Affected versions
rockwellautomation · factorytalk services platform · ≥ 2.10
rockwellautomation · rslogix 5000 · 16 to 20
rockwellautomation · studio 5000 logix designer · ≥ 21.0

Mitigating Controls (NIST 800-53 r5)

prevent: Directly enforces authentication before granting access to Logix controllers, blocking the unauthenticated bypass of the key verification mechanism.

prevent: Requires identification and authentication of users or processes connecting to the controllers, directly mitigating the authentication bypass flaw.

prevent: Mandates device-to-device identification and authentication between engineering software and affected Logix controllers, addressing the bypassed verification step.
